Your brain is not in your suit

Andreas Dannert

President of ISACA Melbourne Chapter

We often are asked to think outside of the box. Are organisations innovative enough when it comes to the employment market when there is a shortage in skilled security experts? And what do I mean by 'your brain is not in your suit'? Let me explain.

According to recent figures published by ISACA as part of their Cybersecurity Nexus program, the security industry is facing a higher and higher demand for security professionals, which can’t be met, and the situation is unlikely to improve over the years to come.

This is and will be an issue given the increased complexity of cyber threats and the need for experienced professionals that can think on their feet and can assist organisations in reducing their risk. Organisations need to look for alternatives to make up for the skills shortage to keep their risk exposure at desired levels. So what are the options?

Naturally, richer organisations might start competing with poorer ones by increasing the salary of professionals that have the desired experience and knowledge. This is certainly not in the interest of organisations that are looking for every opportunity to reduce costs. It has also been proven that salary is not a deciding factor when it comes to attracting individuals to an open position and various studies have been undertaken on the topic. (There is a very interesting blog post on Buffer Social that sums it up nicely.) While this one is unfortunately not referring to existing studies it paints a clear picture.

The other option is to improve security processes and infrastructure in a way that allows you to automate and mitigate security operations. But the idea of working smarter, not harder can only be exploited to some degree, especially when it comes to an area where it is mind versus mind (i.e. who is smarter, the attacker or defender?)

Another option is to think about long term strategies and to build the expertise required by hiring inexperienced individuals, fresh from uni, and training them up. But organisations risk losing these individuals once they have acquired the skills that are in high demand in the market, especially the younger generations, who value their freedom of choice higher than being loyal to their employer.

This leads us to the point I am trying to make. Hiring security managers, HR departments and recruitment firms need to think outside of the box and come up with more innovative ideas. This even might require a partial change of corporate culture.

When I attended Ruxcon, one of Australia’s computer security conferences, last year I was listening to a presenter that usually teaches security classes at the University of New South Wales.

The presenter was sharing some of his best students’ experiences when it came to applying for jobs towards the end of their studies. A lot of them came back from job interviews and said that they didn’t want the job. When asked for the reasons, their replies were “they asked me to wear a suit”. As a business owner faced with either hiring a great expert in a T-shirt for the same salary as one in a suit that might only be half as good I know what my choice would be.

I always would pick expertise over looks, assuming the person is well enough groomed not to be smelled from one mile against the wind.

While not wanting to argue the finer details here, the point is that organisations really need to look at improving their hiring methods, since looks are not the only issue that could stop your organisation from finding the right candidate. With the current generation entering the market there are other factors as well, like flexible working hours, leave times, work locations and so on.

By adjusting some of our very conservative views of these I believe that organisations can overcome some of the issues they are currently facing in hiring the right individuals and therefore gain competitive advantages. There is a reason that Google is attracting top talent and is one of the highest rated employers in the world.

Let’s look at each of the points individually that would allow your organisation to overcome a market shortage in security experts.

Given my blog post's title I would like to start with dress code. Is it really important for people in non-client-facing roles to dress in a particular way? Do we overemphasise this by making it a hiring criterion? Can we change corporate culture to be more diverse and accepting of different dress codes? I think we can and have to when there is a shortage in supply of skilled experts. Organisations might even find that it opens them up to more opportunities than they thought of when it comes to their workforce as a whole.

Job satisfaction is another point that needs to be looked at. Based on studies undertaken concerning employee satisfaction we know now that salary will not necessarily sway a candidate to take a job or be happy with it. In fact, job satisfaction is much more important to individuals than salary.

This might be a conundrum while competing in a capitalist market, but if we can just agree that the currency is job satisfaction or a group of other factors rather than just monetary compensation, we should be able to adjust by identifying individuals that are capable and more interested in a particular role than in a higher salary. And just in case you were wondering, I am not arguing that we won’t have to pay individuals, since they still have to pay their bills.

Work location is the other criterion that we could adjust to help increase the number of individuals available to us for hiring. Is it really necessary to have individuals in-house performing certain functions while at the same time we are looking for every opportunity to off-shore (i.e. off-shoring is OK, but working from home is not)? Or, is it more our insecurity in not being able to estimate the effort of certain tasks and hence thinking that physical access to our employees gives us greater control?

Leave times and working hours are another factor that we can and should adjust in order to have access to a larger workforce pool. Is a 40-hour week for streamlining your business really the gold standard or can we arrange more flexible working hours on an individual basis?

The last one I want to address is HR competency. Too often I have talked to managers looking for skilled individuals only to be disappointed by the pre-filter processes and the inability of HR departments to identify the right candidates for a particular role.

The root causes of this phenomenon are unclear to me, but some of it I would attribute to the fact that HR departments often work process X and assume that it is working for each employment group without having to have a deeper understanding of what is actually required. Hence, they dismiss job applicants because they wrote Y in their CVs, but the job description asked for X, not knowing that Y and X are the same. In this scenario it is not the person most suitable for the job who will be identified, but the one who knows best which HR filters will be applied to their job application.

The quintessence of this is that we need some thinking outside of the box in the short term to identify the required security experts, and we need to contribute to building up appropriate resources and skills in the long term to satisfy the ever increasing demand for experts in cyber security.
