During the 16 years that I have been recruiting for information security, IT audit and technology risk professionals, I have had the privilege of interviewing hundreds of companies and thousands of practitioners. This has given me a rare perspective on their motivations, successes, failures and the evolution of our industry from a career development standpoint. As a close observer of the industry’s ebbs and flows, I understand the security talent market and how it impacts both clients and candidates.
Not a day goes by when I am not either reading or asked about the current challenges around security talent supply and demand. Questions primarily focus on "How do we solve it?", "How do we get more people into the field?" and "How can companies be more effective in their recruiting?"
These are all valid questions, and they certainly reinforce the perception that security pros have unlimited options. However, they do not acknowledge the risks and downsides associated with increased talent demand.
High demand comes with a few downsides. While we are aware of the talent shortage for security professionals, there is another side to the story that is not being addressed. As new companies strive to build security programs, their lack of experience can create career pitfalls for practitioners.
Every week I talk to at least one security professional who feels they were bait-and-switched. By this I mean they took a job that on the surface looked like a great opportunity, only to find they lacked real authority or had been set up to fail.
In many cases, the company may have had good intentions but lacked the critical components for a successful security program, such as executive sponsorship, clear objectives, long-term vision, a commitment to change, budgetary support, and headcount. In other cases, they had no intention of actually building a sustainable program. Some simply needed a stopgap measure to meet an audit requirement. Some reacted to media and customer fears by doing some window dressing. Others were so broken that they acted out of desperation.
This means that it is more important than ever for security professionals to be objective when making a career move. As paranoid and skeptical as security professionals are reputed to be, most are optimists at heart with a strong idealistic streak, two qualities required to do such a difficult and sometimes thankless job. So, as hard as it may be, security professionals need to contain their enthusiasm when interviewing for that dream job and look at the position realistically.
Often, challenges are directly related to a company's lack of understanding around security roles, qualifications, and compensation. This is exacerbated by broken or inefficient recruiting practices, something I learned as an internal talent acquisition team member for a Fortune 50 technology company.
An overwhelming majority of organizations do not appreciate the competitive nature of the security job market, and even if they do, internal processes hold them back. Most internal recruiters are generalists who rarely have the knowledge to accurately assess skills or fit. Just as often, corporate compensation guidelines lag behind the market. This can lead to an inability to land talent or, at best, delay the offer process while exceptions are granted.
Now that you are aware of some of the pitfalls, the question is "What do I do about it?" The short answer is that security professionals need to take a hard look at the opportunities they are considering. That means assessing the overall opportunity with the same rigor used to identify critical security threats. It starts with asking the right questions, interpreting the answers and managing expectations.
In my next blog post I will outline strategies on how to ask the right questions, better assess opportunities and recognize the red flags that could spell disaster.