The continuing jobs crisis regarding the availability of quality IT security professionals can be summed up with an old adage: Penny wise, pound foolish. That's because workers in the field are in greater demand than ever before, but companies often don't invest in them until after a crisis strikes.
According to specialized recruiters, the talent dearth lies with a general failure to make security an utmost priority to develop and retain skilled experts charged to protect the family jewels. Unfortunately, corporations usually wait until they're hacked and then overpay for outside consultants, rather than prepare proactively in-house for the real possibility – or more accurately, inevitability – they might be a target for a major breach. Experts by and large concur that better recruitment at the university level may improve the future situation, which these days increasingly includes going overseas for qualified candidates.
Moreover, it behooves the industry to promote IT security as a hot, well-paying career to young computer/mobile enthusiasts before they even graduate high school and, ideally, instill that philosophy within education curricula as early as possible.
Besides revamping upper-and-lower education, Adam Malanaphy, managing director of Montclair, N.J.-based IT recruitment firm Glenmont Group, believes solving the shortage will take a change in public perception of the information security job market. “One way to bring this issue into the limelight is to pressure politicians to highlight the demand for skills in information security,” he says. Introducing specialized courses at STEM high schools is an initial step that will pay off in the future, says Malanaphy, whose firm is actively working on around 125 open positions, of which about 20 percent are in information security.
In order to satiate the more immediate need, Malanaphy advises making available more certifications at U.S. colleges and universities, with special emphasis on guidance departments to understand the viability of the job market. “Internal recruiters should focus their time on key universities offering advanced degrees,” Malanaphy says. He admits that at his firm the focus is not on recent grads, but on candidates who are currently working in these positions. Education and experience are not equal in the real world.
“When a society becomes too focused on passing a test, as opposed to actually doing stuff, then you have a real problem,” says Lee Kushner, president of LJ Kushner & Associates, a Freehold, N.J.-based executive search firm specializing in the information security industry. “Information security is more of a learned skill. Certified is not qualified. That is really the wrong way of looking at this problem.” Kushner squarely places the blame on HR departments that historically have not given information security the respect it deserves – and absolutely requires at this juncture. He's seeing HR departments combining roles – choosing from applications, security, engineering, development and architecture – into one position.
“The people capable of doing all those things generally outstrip compensation,” he says. “They're in high demand. Talented people have a lot of choices.”
Instead, corporations should be patient when recruiting talent in the same way corporate leadership programs recruit MBAs from grad schools, Kushner advises. Corporations recruiting for information security need to put grads onto a path that earns X, then 18 months later 20 percent more, and in 36 months plus, another 20 percent. “And they should be telling the new hires ‘we're going to train you in a whole bunch of different disciplines with security compliance and regulation and stuff like that, and you're going to become a fabric of our company,’” he says.
Such a pitch would be enticing to somebody seeing that kind of runway, says Kushner. But, he cautions, treating IT security professionals the same way they do lawyers or accountants could upset the internal HR applecart. “Companies don't understand the value of talent and the resource,” he says. “They put IT security into general HR buckets. That's the problem. Companies don't have the mechanism to get out of that kind of thinking.”
Jeff Snyder, president of SecurityRecruiter.com, of Woodland Park, Colo., agrees with Kushner that companies are going to have to build talent from within. “This means that they need more strategic talent acquisition programs that focus on a job candidate's aptitude and talent rather than focusing on a job candidate's particular skills at the moment,” Snyder says. “Education supports experience. Education without experience is not of great value.” Upper management, too, must be alerted to, and must address, the need to compensate security talent, which will ultimately help the organization's bottom line.
“What needs to happen first is that critical infrastructure companies need to step into the current century and recognize that they need to devote budget to information security,” Snyder says. “Only after senior executives recognize the need to support information security strategy, can talent be addressed. As long as information security is thought of as a piece of IT, salaries will never rise above the level of a security professional's peers in IT.”
Jeff Combs, principal of J. Combs Search Advisors, which recruits information security and IT risk management pros, believes that higher salaries may not be the overriding factor in finding and keeping talented security people. “Money is only part of the equation,” he says. “Companies need to provide a security-supportive culture, an opportunity to do meaningful work and career growth opportunities.”
The ramifications of such a skills shortage can impact the nation's critical infrastructure, Combs believes. “It means that U.S. companies will always be playing catch up when it comes to the global technology arms race. Lack of a supported, well-staffed security program, which includes recruiting efforts, will lead to more companies and their customers being affected by significant security breaches, brand risk and loss of intellectual property.”
Get them young: Filling IT positions
Nearly all IT security recruiters agree that one way to tackle the lack of qualified professionals is to find and nurture talent at a young age. So we asked a recently retired high school teacher what he thought about the prospects of getting whiz kids to think about computer careers other than programming video games. Chuck Goodman, who taught computer science at the Manhattan Center for Science and Mathematics, believes it's a great idea to offer a computer course focusing on security. His former East Harlem school, once beset by drugs and dropouts, within four years of its creation was considered one of the public school system's best turnaround examples. Goodman would open the school's four computer laboratories at 7 a.m. and it would remain packed into the evening.
“We don't allow games on the computers, games don't get you into college,” Goodman told The New York Times in 1986. Today, the need for skilled computer technicians is even greater, he believes, because of the sophistication of hackers, who clearly have an understanding of the inner workings of computers. “That's how these bad guys get in. They know where the holes are,” says Goodman, who wrote the NYC Board of Education's first treatise on computer viruses 20 years ago. Recent high-profile hacks, such as those hitting Target and Home Depot, should be enough incentive for today's bright high school students to realize that there are well-paying IT security jobs ahead, he adds.
Viewpoints: Value of certs
We talked to two security experts at Verizon Enterprise Solutions and while each earned a CISSP certification from (ISC)², they both had a slightly different take on the value of certifications.
“People in my area are working on very practical day-to-day security skills,” says Fawaz Rasheed, managing director, global security solutions engineering at Verizon Enterprise Solutions. “So I would say if they are looking at adding on a certification they pick just a couple of very targeted certifications such as the hands-on training from GIAC or the CISM or CISA from ISACA. Of course, as you get into the second level and move into management, the security certifications tend to level off, which is why I'm going for a master's in business information technology at DePaul University in Chicago.”
Maureen Kaplan, managing director and chief operating officer, global security at Verizon Enterprise Solutions, agrees for the most part with her colleague, but has a slightly different perspective. “What I have found is that taking a different course that may not be directly related to the job may give you an opportunity to uncover emerging technologies and look at your company's security in a different light and then be able to relate to our customers in a different way.” – Steve Zurier