Security talent management for the digitization era

Stiff competition for talent and a limited pool of security specialists make information security staffing a perennial challenge. Complicating this is the fact that security has not yet adapted to its changing role as organizations digitize. Now more than ever, information security leaders need to understand the new business environment and adapt how they hire, compete for and manage talent for the digital era.

+ Also on Network World: High-demand cybersecurity skill sets +

Digitization is transforming organizations’ products, channels and operations. While this change comes with the potential for higher profit margins through enhanced efficiency, it also brings an increase in the number and variety of advanced threats, board oversight and regulatory compliance issues.

At the same time, business partners and third parties are managing more enterprise technology, leading security to devolve operational responsibility for executing security controls to the rest of IT. These changes are shifting security’s role from an operations-focused one to one that governs, influences others and helps business leaders make strategic (rather than risk or technical) decisions.

High-performing information security teams are doing three things differently to manage their talent in this new environment.

1. Hiring for competencies rather than technical skills. Technical acumen is now table stakes for the security team and is insufficient if it is not coupled with an understanding of business context and the ability to effectively influence others. In response, high-performing security functions focus on hiring for the competencies most relevant to employees’ work rather than demographic attributes or security skills—an approach that CEB research shows increases new-hire quality by 26 percent. (Disclosure: I am employed by CEB.)

CEB research also found that “soft skills” such as business-results orientation, decision making, influence and organizational awareness are the top competencies that drive security staff performance. To develop those types of competencies in existing staff, progressive information security functions revisit past risk decisions to explain the non-security context and business needs. Security leaders consistently discuss decisions and the rationale behind them in forums with senior staff to teach them how to manage future decisions themselves.

2. Changing the way they compete for talent. Technology companies, consultancies and government agencies often top the list of potential employers for experienced security consultants and young graduates, leaving other organizations struggling to find talent. But even when companies do manage to hire the right people, they struggle to keep them in seat. CEB data shows that 37 percent of high-performing information security staff intend to look for a new job within a year of being hired.

To combat employee dissatisfaction, the best information security functions shape and embrace their organizations’ employee value propositions (EVPs). An effective EVP forms applicants’ perceived value of being employed by an organization and represents a social contract between the organization and the employee. With a clear EVP, applicants get a sense of the positive attributes of working for an organization, such as development opportunities, rewards structure, work-life balance and integrity—attributes that CEB research shows security staff value more than compensation. The most effective IT recruiters are also familiar with the EVP of their competitors and are able to clearly articulate to candidates how their organization compares.

3. Evolving the way work is managed. The rising importance of information security has fueled widespread demand for security professionals. In 2015, security budgets continued to grow at more the double the rate of overall IT budgets, and with them the projected head count. But unfortunately, the uptick in demand is greater than the supply of qualified candidates. In fact, CEB data indicates that it takes CISOs on average 130 days to fill an open position, and they aren’t confident they will be able to fill all of the positions they have available.

To deal with the reality that there are more security jobs than there are qualified applicants, security teams need to be organized and managed for maximum efficiency. Information security professionals can become mired in process-oriented tasks, which diminishes their ability to perform other, often more important, roles, such as information risk management and security architecture.

To address this challenge, high-performing functions are moving their generalist process tasks from specialized technical and business-facing talent to administrative staff that is more readily available. One company calls this the “rule of thirds” because they have found that one-third of the security team should be administrative staff—a much higher fraction than has been the case traditionally.

The information security function will continue its rise to prominence in the organization as companies digitize. To successfully compete for, retain and engage security talent in the digitization era, IT leaders need to revise their existing talent management practices—or else they risk undermining the successful execution of the overall business strategy.