The security talent shortage and your leadership opportunity

Instead of focusing energy on a perceived lack of talent, invest your leadership in solutions that develop the workforce we need today and in the future

01 reframing

Reframing the talent shortage

“Identify your problems, but give your power and energy to solutions.” -- Tony Robbins

Much is written about a talent shortage in the security industry. The theme weaves into presentations. We discuss it in the hallways, on podcasts, and when we get the chance. Many offer examples of their challenge to hire someone -- as evidence that we face a global crisis.

Is the shortage real or not?

The purpose of this slideshow is to challenge the blind acceptance that we have a problem. We need to stop using it as a convenient excuse. The scapegoat for why things haven’t improved. “If we only had more qualified people.”

Here are some considerations for why this is your opportunity to lead.

02 no shortage
Yasuyuki Hirata (Creative Commons BY or BY-SA)

What if I told you there was no shortage?

Lee Atwater is credited with the phrase “perception is reality.” It seems to be at work when it comes to available talent in the security industry.

What if the shortage is only a perception?

I make that precise case in “Why the perception of a security talent shortage is really a leadership opportunity.”

No question security is top of mind for more businesses. The interest and subsequent demand is growing. Pressed for a solution, the easy approach is a blunt request for more people. Qualified people.

While there is more, that starts the cycle that creates the illusion we have a dire lack of talent.

03 shortage
jchapiewsky (Creative Commons BY or BY-SA)

Why some people think we face a shortage

Security leaders suddenly tasked with growing their team put out requests on social media, call their contacts, and reach out to recruiters. Then they wait. They wade through resumes. They fret over descriptions, fumble through interviews, and try to find the right candidate.

Or maybe they just can’t find anyone. When asked, they gleefully respond to the myriad of surveys going around that their biggest challenge is finding qualified professionals.

Those surveys reinforce the perception. They let people off the hook. After all, if everyone has a problem finding talent… it’s not their fault.

04 linkedin reveal
A Name Like Shields Can Make You Defensive (Creative Commons BY or BY-SA)

What LinkedIn reveals

Check out the presentation “LinkedIn Information Security Talent Pool Research” Cory Scott shared at Black Hat. Interesting because it evaluates information available through LinkedIn instead of collected survey information. The security blog has additional information (look for August 7, 2015 here).

It breaks down concentrations, current demand, migration, and the current pathways to enter the security field.

A quick read suggests the state of the current problem is overblown. We have more people employed in the field than jobs posted. A clear signal demand is high. It does come with a warning that we need more people to meet that rising demand.

05 talent
Rafael Castillo (Creative Commons BY or BY-SA)

Shortage of talent or lack of people?

On Twitter, Ben Jackson (@innismir) pointed out “The "body" gap is independent of the "talent" gap.”

That forces us to question whether we need more people, more talent, or more talented people. Further, do we we lack the actual talent? Or do we constrain the talent we have? Worse, are we overlooking the talent in front of us?

Do you even know what’s available to you?

What if security leaders invested the time to explore their surroundings to consider the best way to exploit them? In most cases, they’d find different technology, teams, and people available to help them.

06 asking
Jim Larrison (Creative Commons BY or BY-SA)

What are you asking for?

When finally granted the approval to add people to your team, what are you asking for? Are you searching for people in short supply? Or even people that don’t exist?

A common concern expressed by job seekers is the demand for extensive experience and certification for entry-level positions and pay. College students seeking internships to gain the experience cite similar frustrations.

If we have a shortage, why are we turning people away?

What are you offering to the people interested in your team? In turn, how much experience do you seek? Why? Is it realistic?

07 qualified
Michael Davis-Burchat (Creative Commons BY or BY-SA)

How to find qualified people for your security team

Here are some thoughts on How to find qualified people for your security team. Perhaps counterintuitive, as a first step, look for ways to avoid hiring people. Improve your tools and processes. Push what you can to other people -- especially if they can do the work better, faster, and cheaper.

When you decide you actually need to hire someone, take the time to distill to the competencies you seek. Focus first on the mindset and attitude necessary for success. The qualities harder to teach. Then identify the skills needed for success.

08 hr

Your hidden gem: partnering with HR

Hiring the right people is a process. No need to reinvent the wheel. And security is not so complicated and unique that no one else can help.

The key to your success might be how effectively you partner with HR (some thoughts here).  

Start by learning about their approach, including constraints. Ask how you can contribute to their success (which drives yours). Find a way to work together to evaluate candidates. This is especially important as you shift from skills-based to competency-based hiring. Develop a way to share information. Refine the process.

09 developing talent
Erik Drost (Creative Commons BY or BY-SA)

Developing your talent

What about the people you already have? How are you developing them for the roles? What about people in your organization with an interest in joining your team?

What are the competencies your team needs for success?

Is there a pathway for development? Is it published, shared, and used? Consider how to develop the talent available to you. If they already know the company -- a big benefit -- then what is the next best step for them to improve their security capability?

10 keeping talent
Daniel Hansen (Creative Commons BY or BY-SA)

Keeping your talent

Most people consider it easier to keep talented team members than to hunt for new ones. What are you doing to keep the talent you have?

While money is sometimes a factor, people actually evaluate their situation on more. They look for transparency. They seek a sense of purpose. A way to voice their insights and experience. An opportunity to grow and develop.

A common mistake of management is trapping highly talented people in positions that serve the team, but not the individual. Feeling stuck, those people eventually look for a place to grow.

11 inefficiency
Jon Candy (Creative Commons BY or BY-SA)

Disrupting the inefficiency of security staffing

Sometimes we need to question everything. Do we really need full-time employees? Is it worth searching, hiring, and training people?

What if you could find and hire the skills you needed, when you needed them?

That’s the goal of newcomer Stealth Worker ( They want to change the way companies get the help they need.

An interesting take on the marketplace. Is this a disruptive solution that meets your needs?

12 moneyball

Is it time to get a little moneyball in security?

Billy Beane, general manager of MLB's Oakland A's arrives at the gala presentation for the film 'Moneyball' at the 36th Toronto International Film Festival September 9, 2011.

What’s the best measure of success for a security practitioner?

The book (and movie) Moneyball explores how Billy Beane used the evidence available to him in a different way to build a successful baseball team.

Are we ready for that sort of approach in security? What are the best indicators for success? Maybe this is the pathway to find, attract, and retain the people we need.

13 future
Carsten Tolkmit (Creative Commons BY or BY-SA)

How are you contributing to the future?

Security is at an interesting crossroads. At a time when everything is changing, the realization of the importance of security is increasing. That increases pressure on us to improve our efforts -- while trying to do more. Often with less.

To capitalize on the leadership opportunity, stop calling it a gap. Whether talking about the steps to take or the people you need, it’s not a gap. Others facing similar challenges of finding, grooming, and retaining talent ( a near universal problem) see it as an excuse.

The solution, then, is about a blend of people, process, and technology. Sounds oddly familiar. But it means reconsidering the tools and techniques. Pushing security to the edges. Allowing others to assume the responsibility. Often, they want it.

Are you ready to lead the change security needs?

Copyright © 2015 IDG Communications, Inc.

Related Slideshows