It takes more than technical know-how to be an essential part of an IT security team, reports Greg Masters.
One might think that a net increase of 13,000 information technology jobs in February is a sign of healthy growth in the field, but a comparison to previous employment numbers from the Bureau of Labor Statistics (BLS) paints a more complex picture.
While the numbers prove conclusively that February was the best month since last September in terms of job growth for IT professionals, there is something a bit unsettling about performance over the last three months of the year, David Foote, CEO and chief research officer at Foote Partners, a Vero Beach, Fla.-based IT analyst firm and research organization, said in a report.
Joyce Brocaglia, CEO, Alta Associates
“Only 7,533 jobs were added on average in this period compared to 11,533 jobs per month in the first nine months,” he wrote. While he pointed out that a three-month span is insufficient for a true analysis of labor numbers, still, the February results indicated “volatility and uncertainty in the marketplace for U.S. tech jobs.”
Foote’s conclusion was that companies are cautious about hiring on full-time staff for technology-enabled solutions they are experimenting with. Rather, the call is going out to consultants and contingency workers to fill roles. This way, enterprises can remain flexible as they develop their security implementations.
To stay competitive, enterprises must scale quickly, Foote said. This means positions are being added in areas that prove effective – such as cloud, Big Data, mobile or digital technology –because the outlook shows these professionals having an impact for a long time.
“What will drive new job creation in 2017 will be hiring in niche areas – such as Big Data and advanced analytics, cybersecurity and certain areas of applications development and software engineering, like DevOps and digital product development,” he said.
Other experts point to the growth of the cloud as a determining factor in opening a wide berth between jobs to fill and candidates skilled enough to fill them. The move to the cloud and evolving threats have transformed the skill requirements for IT departments, exasperating the skill shortage, says Rajiv Gupta (right), CEO, Skyhigh Networks, a global cloud access security broker with U.S. headquarters in Campbell, Calif. “With the prevalence of cloud services, IT professionals are more valuable if they can understand user need, educate employees on risk and balance the needs of security with business,” he says.
Many customers his firm works with have set aggressive timelines to eliminate most or all their datacenters, he explains. “A CISO empowering an efficient, secure company-wide cloud migration can have a significant effect on their organization’s business.”
As companies build out their software development programs, IT security will move to a front-office role and work directly with application teams to deploy solutions more efficiently and without compromising sensitive data, says Gupta, adding that more than two-thirds of IT professionals believe communication with non-IT departments and executives will become more or much more important in the next five years.
Gone are the days that companies are searching for CISOs based on their technical competencies alone, says Joyce Brocaglia (left), CEO of Alta Associates, a Flemington, N.J.-based boutique executive search firm specializing in cybersecurity, IT risk management and privacy. “The CISO role is now valued as a bridge for business enablement, so these leaders need to demonstrate collaboration and influencing skills with business stakeholders, be able to effectively and succinctly present to the board, interact with regulators and have the capability for the development of an overall risk strategy for their companies.”
As if that’s not enough, she adds, those in this role need to have a combination of true leadership skills, the gravitas and capabilities to build consensus, influence culture and be an evangelist for their programs internally and externally.
Considering by 2020 there is expected to be 1.5 million unfilled cybersecurity positions, Brocaglia – also the founder of the Executive Women’s Forum – says the gap will never be closed by ignoring half of the population, women. She points to “The Women in Cybersecurity Study,” co-authored by the Executive Women’s Forum on Information Security Risk Management & Privacy and (ISC)2, which was released in March. “It is an eye-opening report on the stagnation and underrepresentation of women in cybersecurity,” she says.
Highlights of the report show:
- Women are underrepresented in the cybersecurity profession at 11 percent, a number that has been stagnant since reported in 2013.
- Women have higher levels of education than men, with 51 percent holding a master’s degree or higher, compared to 45 percent of men, yet hold fewer positions in management.
- Globally men are four times more likely to hold C and executive level positions, and nine times more likely to hold managerial positions than women.
- 51 percent of women report various forms of discrimination in the cybersecurity workforce, compared to 15 percent reported by men. Women report higher levels of discrimination, as they rise in an organization with 67 percent of C level women reporting discrimination.
- In 2016, women in cybersecurity earned less than men at every level
- Women who feel valued in the workplace have also benefited from leadership development programs in greater numbers than women who feel undervalued
- Women who receive sponsorship and mentorship are more likely to be successful.
Since 2002, the Executive Women’s Forum on Information Security Risk Management & Privacy (EWF) has been committed to addressing the issues highlighted in this report by delivering programs and events that help women to succeed, says Brocaglia. “So I’m not surprised to see that this study reflects what women have been telling us for the past 15 years: That they are most successful and feel most valued when they are given access to thought leaders, mentorship and leadership development programs and provided a safe and trusted environment to interact.”
The point, says Brocaglia, is that corporations need to take meaningful actions in attracting, developing and retaining women in cybersecurity. And, she emphasizes, that directive needs to come from the top and hiring managers need to make the diversity of their teams a priority. She is proud of the fact that her firm filled 60 percent of its searches in 2016 with minority candidates and 40 percent were filled with qualified women executives. “This proves that building diverse cybersecurity teams is, in fact, an obtainable goal, given the right partner and right commitment to diversity hires.”
Domini Clark (left), a principal at Blackmere Consulting, an executive recruiter for the technical and cybersecurity industry, agrees that cybersecurity professionals of all types are growing in demand, and the reason, she says, is well-founded.
“It can be easy to think of cyberattacks as something that only happens to other companies. Unfortunately, a more realistic view is not whether if it will happen, but when it will happen to your organization.”
The fact is that cyberattacks are on the rise, she explains, pointing to PwC’s “Global State of Information Security Survey 2016,” which stated that, across all industries, there were 38 percent more security incidents in 2015 than in 2014. “It doesn’t just happen to giant corporations like Yahoo!, Sony and T-Mobile,” says Clark, also a director of strategy at IT security recruiter, InfoSec Connect. “SmallBizTrends.com claims that 43 percent of attacks on businesses target small business. Large or small, it can cost you plenty.”
The average total cost of a single data breach was $7 million – up from $5.4 million in 2013 – according to the 2016 Ponemon Cost of Data Breach Study. More than half of these costs are related to lost business due to customer churn related to reputation concerns following a breach.
“The best approach to cybersecurity is to prevent the hacks, attacks and breaches, and you need a strong cybersecurity team to do that for you,” says Clark, adding that the specific titles of roles that are growing in demand include: CISO, application security engineer, application security architect, cyberthreat intelligence analyst, information security architect, and incident response manager. However, she adds, “this is hardly an exhaustive list.”
Scott Laliberte (left), managing director and leader of global IT security and privacy practice at Protiviti, a global consulting firm with more than 70 offices in over 20 countries, agrees that all cyber-related skills are in demand right now due to the significant increase in the threat and awareness of cyber risk. These skills range from cyber governance and related soft skills to technical skills, such as penetration testing, hardware/ IOT security, industrial control system security, secure development and code review, network security, identity and access management, etc., he says.
Wils Bell, a cybersecurity recruiter at SecurityHeadhunter.com, agrees that all skills appear to be in demand, depending where a company is with their cybersecurity platform. There are two particular attributes that he looks for in a good candidate. “One being an understanding of business, if you will, and the other someone who can think outside the box.”
Michael Potters (right), the CEO of Glenmont Group, a Montclair, N.J.-based executive search firm, points to a number of skills currently in demand for IT security professionals. The requirements obviously change position to position, he points out, but he offers some of the common skills listed on a few of his firm’s job descriptions, including monitor and respond to security events escalated by Level 1 security analysts; use endpoint products (various) to identify malicious activity; provide technical expertise of security tool deployment and implementation; the ability to work at speed, under pressure; to make decisions in real time and with reliable accuracy; able to work in a global environment and drive change; security certifications (CISSP, CISM, GIAC certs); and working knowledge of much of the cyber software used in the space.
Not just tech know-how
But, Potters says that it’s not just technical know-how that is required. He looks for candidates who have the ability to speak and understand terminology, especially those related to cybersecurity assurance, the ability to validate effectiveness of current controls and identify potential gaps, and those with good attention to detail, strong analytical, quantitative and investigative problem-solving abilities. Additionally, he likes to see a prospective hire who exhibits qualities like tenacity and who provides mentoring to other members up and down the organization.
Laliberte too says it takes more than technical know-how to be an effective member of the team. “Besides technical knowledge, a love of learning and thirst for new challenges are key attributes of successful candidates,” says Laliberte. Typically, candidates who enjoy puzzles and brain-teaser-type games do well in this the field, he says.
But, perhaps even more attractive to hiring personnel are candidates with the ability to communicate issues in non-technical terms that business people can understand. “This is a key attribute in attaining leadership positions in this field,” says Laliberte. “Finding a candidate that has a balance of strong technical skills, business acumen and communication aptitude is extremely rare, but those candidates will go very far.”
However, he explains, not every candidate exhibits potential leadership skills – and that’s ok. “We also need team members with strong technical skills in multiple areas.” Also extremely important, he says, are a strong work ethic, a love of learning and the ability to work in teams.
Blackmere’s Clark agrees with much of this assessment, but offers an additional asset to look for. “The best cybersecurity professionals have two primary skills outside of technical knowledge: communication/social skills and the ability to think like the criminals they oppose.”
Without question, the ability to communicate and influence change in an organization is key to the success of both the individual as well as the entity they support, she says. “The ability to think like a ‘bad guy’ enables security professionals to anticipate what hackers might try, and to identify weak points in system defenses. This ability is sometimes lovingly referred to as the ‘evil bit’ (as in bits and bytes) which seems to be coded into the personalities of many industry superstars.”
Potters says the best candidates are both “the smartest person in the room” and “someone who know that they are never smart enough.”
What he means by this, he says, is these job seekers have to have the knowledge and skill sets to lead change in an organization and the confidence in their knowledge to go toe to toe to the stakeholders in an organization that do not particularly want to hear or be told to do what needs to be done to protect an organization.
“The not-smart-enough bit is because there has to be an insatiable drive to learn in an industry that changes daily as very few areas are this dynamic,” Potters says. “Those that continue to learn and stay in front of the knowledge curve are always valuable to their organization and the industry.”
Bell, who has been a cybersecurity recruiter for 15-plus years, considers the perfect applicant to be someone who is very flexible.
The ideal candidate is passionate about their work, says Blackmere’s Clark. “Technology isn’t just something they do for work, it is also a hobby and they are constantly staying in touch with what’s new in the industry.” Regardless of which facet of security they work in, from application security to the NOC to sales, security drives them and it’s clear in everything they do, Clark points out. “The trick is that many of our ideal security candidates do not approach life in the shadows online,” she says. “You won’t find their résumé on CareerBuilder or LinkedIn, so you’ll need to leverage your best networking skills and hardcore power-searching techniques.”
If your quarry thinks like a criminal, she says you have to think like Sherlock Holmes to track them down. “Don’t email them a link to apply – they won’t click on a link from an unknown source (and neither should you). Send them a PDF with instructions for connecting with you.”
A good team member
And, being a good team member is an essential part of the mix as well. That means, Bell says, someone who can work well with others and is not a prima donna. “Someone who is open to mentoring others,” is another attribute he looks for in potential hires.
As far as what he considers to be the attributes that best define a good team member, Potters says, “One thing that is often brought up is ‘we need someone that has the ability to park their ego at the door.’ Most companies want someone who they are comfortable sitting around the table with for the next five years. Try to show that in your interview,” he advises.
“Also let them know that you love to mentor and to be mentored,” he says, adding that that’s the equivalent to getting a trainer along with the other skill sets that you are being considered for.
In addition to having the technical skills to perform the job, the very best team members approach their work differently, and they have a unique set of expectations, says Blackmere’s Clark. “They want to do intriguing work that is varied and unique – let them use their devious creativity to your company’s advantage,” she says. These candidates want to try new tools and techniques to keep up with the ever-evolving threat landscape. “If you’ve got the coolest technology, you should highlight that,” she advises.
Further, these potential hires want to do more than just scratch the surface, Clark says, so she advises offering these people opportunities to not only look under the hood, but also to take some deep dives into the systems and code of your organization.
Another asset of the job these candidates seek is the ability to work remotely. “Your organization may cling to traditional models, but if virtual options give you an edge in the talent war, it’s time to loosen up,” she says.
Finally, Clark says these players want to know that the organization appreciates and values their contribution – like other employees in your company. “If you don’t have a proactive recognition and rewards program in place, now’s the time,” she says
When pressed to define what makes a good team member, Laliberte says good team members have no ego. “This field changes so rapidly that no one can know it all,” he says. “Recognizing that you do not have all the answers and can learn from everyone else around you is important. One or two egos in a group changes the entire dynamic and stifles a culture of innovation.”
If you’re recruiting and want to be successful at attracting qualified and talented cybersecurity team members, be prepared to approach the salary negotiation process differently, says Clark. Cybersecurity professionals know what they’re worth, and it’s pretty high in the IT pay bands, she says.
The gap between supply and demand is daunting, she adds, pointing to a recent Cisco report showing between 500,000 to one million unfilled cybersecurity positions in the U.S. “And that gap is expected to grow,” she says. “You may be reluctant to pay market value, but if your competitors will pony up, you’ll be stuck on the wrong side of the firewall.”
Further, while the purse strings are loose, be sure to include professional development opportunities, such as ongoing training and conference attendance, Clark advises. “Not only will it give you an edge in the talent market, but it also will ensure your cybersecurity staff stays current. Threats are constantly evolving and what your people learned last year is already outdated. No one can afford to leave their company assets vulnerable.”