Each time I think I’m getting to the heart of the challenges faced by those on all sides of cybersecurity recruiting, a further complexity rears its ugly head.
While I still think that job titles are horribly limiting, that job descriptions completely miss the point, and that the cybersecurity skill-gap misconception is mostly the fault of the organisations asking for help, there’s no getting away from the fact that cybersecurity recruiters are doing themselves no favours.
Many organisations don’t know what to ask for, and recruiters, while not really in a position to contradict them, do little to provide what those organisations actually need. Mostly that is because the recruiters don’t KNOW what is needed either (they aren’t security people themselves), and they are never going to find out unless they have the right conversations.
No one is having the right conversations.
Let’s, for the sake of argument, assume that I am right, and that all of the following are not only the right way of doing things but are actually in place:
- Job titles are replaced with functional descriptors and people are no longer pigeon-holed into a position defined by a name;
- Hiring job descriptions are replaced with a description of the functionality gaps that need filling; and
- There are a ton of people out there looking to fill cybersecurity positions.
What’s missing? Why would we still fail? Why wouldn’t organisations get decent candidates? Why would recruiters still fumble around trying to force square pegs into round holes, and why would it be so damned difficult for security folks to get a job they love?
I think the ‘root cause’ is that without robust risk management processes, there is simply no way an organisation can ever know what its ‘people gaps’ are.
I have written numerous times that it’s the risk assessment (RA) / business impact analysis (BIA) process followed by a security controls gap analysis that determines the functional gaps that need to be filled with adjustments to people, process, and/or technology. But how can organisations without existing qualified resources run the RA/BIA process in the first place?
If you’re like most organisations out there, you have: no security governance, limited to no security policies and standards, limited to no in-house security expertise, and limited to no senior leadership buy-in. Therefore your risk management capability is minimal (if it exists at all), and you have no one who can set the necessary process in motion.
I’m certainly not saying that a person who can do these things should be your first hire, because this is a consulting gig. One that, if properly defined, will have a skill-set gap analysis as its final deliverable.
Without all of the following in place, it’s very unlikely you’ll ever hire the right people:
1. SOME form of governance, so that the business’s goals can be built into the operational security practices;
2. A decent policy and standard set, so that all business requirements can be translated into standardised baselines;
3. Risk management process(es) that ensure security controls are in place to appropriately manage the existing people, process and technologies;
4. A gap analysis process that determines what’s missing in terms of: 1) functional skill-set (people), 2) documented procedures (process), and 3) security control functionality (technology);
5. A willingness to stop doing things the way they have always been done.
So let’s say a consultant comes in and delivers 1. – 4. above, now what? Can the organisation take these deliverables to a recruiting company and have them find a candidate? No, and why not? Because the recruiters have, themselves, asked all of the wrong questions, of both the organisation and the candidates:
- They have not asked the organisation for their desired deliverables from the candidate(s), nor do they have any idea of what the operational functions they will be fulfilling are – at a level low enough to matter anyway;
- They have made no effort to determine how much the delivery of the functions / deliverables is worth to the organisation – i.e. junior or senior resources?;
- Few recruiters ask what candidates can do, they ask what they’ve done – that’s what a CV is, your historical accomplishments, not your plans to improve yourself;
- Few recruiters ask candidates what they want, they ask where they’ve been – a CV is designed to find you more of the same, not [necessarily] what you’re looking for;
- Almost every recruiter treats both job posts and candidates as commodities, and not the unique entities they are – a good recruiter could/should be a career-long partner, not a used car salesman.
…and the lists go on.
It’s not the recruiters’ fault that organisations are the majority root cause of all of their mutual woes; how can they possibly fill a position when the requesting organisation has no idea of the required deliverables, or of the functions necessary to achieve them?
But I’ve yet to see a recruiter try to do something about it. They lament the difficulties and do nothing but work on the symptoms. They do the same thing day-in day-out and never ask the experts for help.
Most organisations are prepared to pay 10 – 15% of a position’s annual salary to a recruiter to find good candidates. But instead, why not:
- hire a security expert / consultant to perform a risk assessment and controls gap analysis;
- agree projects to bring the security program up to appropriate standards;
- perform a second gap analysis to determine the functional skill-set necessary to stabilise the ‘new’ security program;
- work with a consultant to operationalise the security program;
- as a final deliverable to the contract, have the consultant write a functional job description for a permanent employee or outsourced staff augmentation.
Organisations are already prepared to spend money on a recruiter and on a full-time employee, so why don’t they spend that money on much more experienced experts who will fully define the needs now, and for the future?
You quite literally have nothing to lose.