This series will explore five tips and one bonus tip for acquiring security talent in a landscape that currently has unquenchable demand and not even close to enough supply. So should you just shut down your security effort until the tide turns and you can find what you need? Your Board will buy into that, won’t they? Yeah right! So what do you do? Glad you asked. This article will explore practical tips for getting fat on security talent during this brutal situation, a famine that is bound to continue for at least the next two years.
Tip #2: Develop a security strategy and then communicate it
Chances are strong that your security program implementation will not be mature when you are looking for talent, which is probably why you are looking for help in the first place. However, you should still have a well-organized security strategy that can take you from point A to B before building an appropriate team. If you do not have a strong plan for implementing security at your organization, then why is someone with talent going to want to come work with you? They won’t.
To a candidate, it is blatantly obvious when an organization has no plan. It is demonstrated through poor job descriptions, or the inability to answer probing questions from the candidate. Questions like “do you have a documented security mandate?” Making things worse, the crappy candidates won’t ask these questions, because they do not know what they are doing, and they might even take the job.
Then what happens is that the organization will get into what I have termed “The Security Talent Toilet Bowl Effect.” This is where the organization keeps hiring and losing security professionals because they never have a plan for knowing what they need. In addition, they hire the wrong folks along the way. This creates a swirl of resources in and out of the organization.
This constant flux does not go unnoticed by those with talent, and many organizations go on the ban list in our community, without even knowing it. Here’s a quick litmus test: Has your organization had the same role on Dice.com or similar within the last year? Sorry…chances are you’re doomed. DUDE, JUST BUILD A STRATEGY FIRST PLEASE. In fact, if you show me the time-stamped roles on Dice.com or similar, I will send you a complimentary copy of CISO Handbook. Give it to your board, on me, and trust me, I am not doing this so you want me to come work for you. I don’t. I just want to do my part in this security game, as I am sure you do too.
As always, please provide your feedback to Mike.Gentile@cisoshare.com or @MikeGentile03 on Twitter; I always read them.