IT shops need to improve the way they hire and retain information security professionals, as demand for the job is set to reach a fever pitch in the industry, according to Adam Winnington, director of technical services at Toronto-based Source 44 Consulting Inc.
Speaking to attendees at Tuesday’s SC Congress Data Security Conference and Expo in Toronto, the security hiring guru said regulatory demands and the trend of many industry veterans leaving for more lucrative auditing and risk management jobs have led to a shortage of security professionals throughout North America and Europe. He pointed to various U.S. and U.K.-based government reports that call for thousands of security people with specialized skills to work in cyberspace.
“You have to keep your (security) employees, because now the government is going to try luring them away too,” Winnington said.
In order to keep security professionals happy, Winnington advised IT leaders to figure out what their staff wants to accomplish in their career and feed into that.
“Some just want to work with new technology and you can put them in the backroom, slip them a pizza every once in a while and they’ll stay on board,” he said. In addition to guiding your security experts on a career path that interests them, investing in training programs and providing incentives for employees who take these courses can be a huge benefit to the company.
He added that working in a few extra perks, such as extra vacation time and one day a week where they can dive deeply into personal projects, can be useful to retain staff.
Winnington said internal “tool masters” can assist and mentor incoming staff and new graduates, which helps keep training costs down. “Give these tool masters a few extra thousand dollars and then let them train everybody else,” he said.
For companies looking to find new security pros to hire, Winnington said that he looks for candidates that have been “scarred” with a few years of desktop support experience. “Their first instinct is usually to help users, so it’s something I look for,” he said.
Other skills to look for include candidates with a broad base of offensive and defensive hacking skills and the ability to communicate well in a team environment.
“If your mom doesn’t understand what you’re talking about, the manager probably won’t as well,” he said.
Winnington advised IT leaders looking to hire new graduates to craft very specific job ads that focus on the primary aspects of the position. Skills that support and back up the rest of the team should be a secondary consideration, he added.
According to a survey of 376 U.S. organizations that are members of the IBM user group SHARE, only eight per cent of responding hiring managers would rate IT graduates as “well-trained” and “ready-to-go.”
The study found that nearly four out of 10 respondents cite IT hires as not sufficiently prepared to perform their jobs within their companies, with 44 per cent of those surveyed concerned about “noticeable gaps” in the skills of recent graduates.
For Winnington, the best way to deal with new graduates is to pay attention to what courses they took throughout their university or college degrees and how those skills can help fill in security gaps at your organization.
“But I’m not a big fan of certifications,” Winnington said. “You should build a lab with a simple setup, put together a scenario and test them. If they can troubleshoot in an interview setting, they can handle your customers.”
– With files from Michael Cooney, Network World U.S.