Hiring (and retaining) data security talent is one of the toughest jobs today, especially after a slew of high-profile data breaches that have driven demand and salaries sky-high. Robert S. Allen, chief security officer at CNA, a major commercial insurance carrier, is tackling that challenge by making sure his company has an attractive story to tell job candidates. Allen has global responsibility for information security and physical security, which provides a holistic view of operational risk.
What information security positions have you recently filled?
We've filled multiple positions recently--without protracted hiring sequences. Our success is based on reputation, visibility in the industry and promoting our team environment, which includes a mix of on-the-job training and learning opportunities. It's a compelling combination to job candidates.
Are certifications important? Has that changed?
The bar has been raised. Certifications are important, but that's a base requirement. We are interested in what a candidate has learned, their learning approach, and how they will fit with the team and our culture.
I'm a fan of the communication style assessment, which helps us to understand the potential fit and communication strengths. Someone with the best security technology skills, but with poor communication and adaptive ability, will be very limited today, because we interact a lot with our business partners.
Experience within teams solving security problems tied to process outcomes is also of great importance.
In the future, I think we'll be working more closely with HR to use psycholinguistics, not only to improve hiring practices but also to improve our understanding of the insider threat. How well do you know your employee and contractor base? What's your approach to proactively identifying areas of concern? It all ties together.
How do you close the deal on a candidate who has other options?
The CISO role is akin to being a marketer in areas such as controls, data stewardship--and that extends to hiring. Sell the team that a candidate will be joining. Sell the learning opportunities and the entrepreneurial nature of security.
With IT security professionals in the driver's seat, what are they looking for?
They want to know whether the CISO is a leader who can navigate the changing landscape and frame the company's commitment to security overall.
CNA is a business insurance carrier. We exude a professional business culture; that includes wearing a suit and tie every day and, similar to Yahoo, we do not promote working from home. From the outside looking in, you may think we have some disadvantages when trying to attract top security talent, especially millennials.
On the flip side, we have a dynamic security team with great chemistry that values collaboration. In addition, we're in the technology insurance segment and have outstanding rapport with our underwriters and risk-control professionals--even rotating security staffers into business roles.
We have a lot more to offer than many companies where the security group is separate from the business.
Given the high demand for security professionals, what advice do you have for hiring managers?
Focus and play to your strengths. What's your elevator pitch to candidates? Do you have a compelling story, both for security and for your company?
Phil Schneidermeyer is a partner with Heidrick & Struggles, where he specializes in recruiting CIOs and CTOs.