This series will explore five tips and one bonus tip for acquiring security talent in a landscape that currently has unquenchable demand and not even close to enough supply. So should you just shut down your security effort until the tide turns and you can find what you need? Your Board will buy into that, won’t they? Yeah right! So what do you do? Glad you asked. This article will explore practical tips for getting fat on security talent during this brutal situation, a famine that is bound to continue for at least the next two years.
Tip #1: Know Your Environment
Just as in any of the articles we write, it is always best to start by understanding why. So why is it so hard to acquire the right people right now? It is an easy situation of supply and demand. We will start with demand.
I wrote my first book CISO Handbook with a team of peers (friends) at an organization in which we worked together in 2003. It was based on techniques for security program development that we developed through our previous consulting and leadership backgrounds, but more importantly through a real implementation at a leading insurance organization. We firmly believe we were only able to implement such a comprehensive program because our leader at that organization was Micki Krause. Some of you may recognize the name, as Micki Krause was one of the most influential and ahead-of-her-time security leaders around. In hindsight, I now firmly believe that without the stewardship of Micki, and though I think these techniques were practical, we would have never been as successful as we were in 2002. Especially considering that most organizations were not even scratching the surface on security at that time (more on this later).
After all the fun of the publishing process, CISO Handbook was released in 2005. Our team then quit our day jobs a couple weeks after publication, hung our consulting shingle on the door and eagerly awaited all the consulting gigs that were bound to come our way. And we waited…and waited….and waited. What we learned quickly, or painfully perhaps, is that the modern organization was not even close to ready to implement a security program development methodology in 2005, as illustrated in the CISO Handbook. Nor were they ready in 2006, 2007, 2008, 2009, 2010….2011? Nope….2012? Wait, something is changing.
Just like in dating, in security my timing blows too. We were way off in terms of when organizations were going to get serious about security. But I am happy (or scared perhaps, too) to confirm, they are now ready, and all trying to implement a security effort at the exact same time. This belief is solidified by the unbelievable traffic we now get to CISOHandbook.com, or that the CISO Handbook is selling better than ever before, seven years later. Or in terms of personal experience, that I get 5-10 calls per week still for employment opportunities.
On a side note, the next big question for our team is whether the next generation of concepts to CISO Handbook, which were released in CISO Soft Skills in 2008, will follow the same path to prosperity? It sits in the millions in terms of popularity rank at Amazon right now; all the while my consultancy made a lot of money leveraging the concepts it employed. We shall see, I guess we have till around 2015 to find out.
So if you do the math in terms of years organizations have really been taking security seriously, for the most part the majority of security professionals really have not even had the possibility to be exposed to a mature security effort. This has limited their ability to acquire the right skills or even have exposure to witnessing the right way to do things. Hey, even Luke Skywalker needed to see the way of the force firsthand from Yoda before he could control it. I digress. So yeah, these professionals have their CISSP, but we all know what that means in terms of being able to execute the required skills needed by an organization for security today. Sorry ISC2.
In the end, you have every organization in the United States, or the world for that matter, looking for resources that know how to perform the elements of a security program, and you have a lot of folks who were trained improperly (CISSP), and who have never been exposed to how to really build a program. In other words, there is way too much demand and not even close to enough supply, all at the same exact time.
With that said, where is the tip in all this you might ask? Well, the tip is quite simple. As a security leader or manager, you need to understand this situation and that if you don’t act accordingly, your security effort is going to die in this famine. This means you need to do things like the following:
- When you go to your board or funding entity, you need to bring this situation up, and let these people know (set expectations, for you formal folks) that this could slow down your ability to execute, even if they fund your projects.
- Be wary of using historical metrics for things like headcount or salary averages, because our security landscape is in a high state of change, which will highly impact the reliability of these metrics for use in making decisions.
- Understand that you are at a disadvantage in terms of negotiating to acquire the folks that you need. It is like people who have been trying to sell their house the last 3 years. If they don’t grasp reality, their house is not going to sell. Same situation here, you need to be creative and understand your situation, and then you can make things happen. In fact, just operating with this realization in mind will put you ahead of most of the other organizations that a candidate is most likely considering.
- Follow the other tips in these articles.
As always, please provide your feedback to Mike.Gentile@cisoshare.com or @MikeGentile03 on Twitter; I always read them.