Another article about the growing skills gap and some ways to look at causes and solutions. We have posted about this before, focusing mostly on developing a training model for keeping your employees. Based on this new discussion thread, we wanted to follow up on other elements of retention, specifically climate and experience.
Among the causes commonly identified as contributors to the skills gap, and named in the Info-Security article, are finding people who know what to look for and what to hunt for, the sheer amount of information to keep up to date on due to the ever-changing nature of the attacks, and having the experience to stay on top of everything. So after that really long sentence, let’s break down some ways to overcome this.
Before we get into that, a disclaimer. The article touched on it and we want to reinforce it. The attacks and issues facing the security industry mount every day. We will never get ahead, because our resources will always be too small and for the simple fact that you can’t prevent what you don’t know about or what someone hasn’t developed yet. So let’s start with that acknowledgment. It does not mean that we just take our ball and go home; rather, it means we have to become flexible and adaptable. And we have to recognize that attacks will happen and they may be successful.
So what are some ways to address the skills gap that leads to inexperience, that leads to mistakes, that leads to breaches or security violations, that leads to worse things? First and foremost, stop looking for the perfect candidate. The perfect candidate doesn’t exist. And if they did exist, we already know they are in such high demand they are likely to be directly hired into a position. Their network is so good they don’t need to be looking for jobs; the jobs come to them. So you can’t set your standards so high that you don’t evaluate potential. If your job posting is so littered with the certifications and qualifications of your perfect candidate, then you eliminate those who may be just below the threshold or who have the potential to excel beyond that position. Think of it like a negotiation – what is the perfect candidate and what is the minimum you are willing to accept? And write the description that way.
The biggest impact of searching for the perfect candidate is that you don’t fill the position, and it costs you time and money while you are going through the process. We have all seen managers look and look for the perfect candidate. Some even ask their team for input on resumes. Picture one such manager: every time he gets a resume he likes, he sends it out for comment and then selects some candidates to interview on the phone. These are generally followed up with in-person interviews. Finally, he calls the whole team in to do a team interview to see how the interviewee would fit with the team. We love that he loves team chemistry and a good work climate. However, this process gets halfway through and another resume comes in and resets the process. What could be a one-month process has now turned into four, and there is still no hiring action, which potentially takes another 30-60 days. In the meantime the team, which is already stretched thin, is getting beat down and exhausted. Projects are getting delayed and the business suffers.
This doesn’t mean you take anyone who applies. Rather, set your baseline criteria and evaluate off of that. Contact their references and ask about aptitude to learn; figure out if they fit into your organization. Then set up an interview and focus on potential for learning and growth.
Second, you want to be sure you have the right climate and culture. If we accept the argument that the attacks are changing every day and that the environment is more and more challenging, then wouldn’t it be a good step to grow with that? What we mean is this – say a new attack is identified through the plethora of security publications, or even through your very own security infrastructure. Wouldn’t it be a good idea to break it down and share the good word with your employees? Help identify trends and patterns and increase their knowledge. You don’t need a certification for that; you just need to be able to comprehend what is happening. Set up classroom discussions on it, map it out, war-game it, and come up with a potential solution or ask for more help.
Therein lies the challenge of security certifications. They are very useful and are great to have, but how often do you have to get recertified? In that time so much has changed that holding a certification alone doesn’t make you the subject matter expert. You have to invest in those people through external training courses and certifications AND internal organizational security training. Individuals have to be able to grow in their position, and you have to foster that. You have to create a learning environment where some mistakes are not punished but learned from. You have to create a climate where individuals are comfortable raising process problems and recommending a solution. Through this you will identify issues and improve efficiencies that help bridge the gap. When someone raises an issue, discuss the topic in more detail and then provide recommendations or solutions.
Some thoughts on internal organizational training:
- Regularly scheduled training days or weeks. Set time aside and make it clear that this is the place of duty for that time. It doesn’t have to be all day or all week, but you can plan it out a year in advance so everyone knows.
- Assign responsibility for training. Make it an additional duty. This doesn’t mean that person does all the training and instruction; rather, it means they set it up and organize it.
- Take suggestions. Have your employees recommend things they want to know about.
- Schedule guest speakers. Bring in people from outside your organization to teach a particular skill that you aren’t comfortable with.
- Take notes. If they are facilitated properly, some great discussions, and even some new processes, come out of these days. Assign a note-taker who can send out that information, especially if you have people absent.
- Review and accept feedback. Do a review afterwards and capture the good and the bad. Training can always be improved.
There is a growing skills gap and it feels like we will always be behind. That’s the rub with security, unfortunately. But that doesn’t mean we have to take it and move on. Take the opportunity to develop and grow your own experts and professionals. Build a climate and culture that rewards growth and education. And train everyone to a standard.