Across industries, the shortage of qualified cyber security professionals in both the U.S. and globally has become acute. More than a quarter of enterprises report that the amount of time it takes to fill key cyber security and information security positions is at least six months, according to the State of Cyber Security 2017 report from ISACA, which canvassed 633 cyber security and information security managers and practitioners.
Meanwhile, on average, 59% of enterprises receive at least five applicants for each open cyber security position, but most of these applicants are unqualified, according to the ISACA study.
Although demand for cyber professionals far outpaces supply, “we believe that we can teach techniques,” said Mignona Cote, CISO PayFlex, Senior Director, Aetna Global Security. “What we can’t teach is intellectual curiosity and so this is our primary focus in interviewing professionals at all levels.”
One of the steps Aetna’s Global Security team has taken to promote a culture of curiosity is seeking cyber candidates who are committed to life-long learning. “We seek to learn what skill or competency the candidate wishes to pursue. We then build a plan for them to learn that specific skill in a given role, enabling them to invest their time with our resources to master the skill,” states Cote.
This often includes immersing each candidate in industry-leading techniques for security management. Every security employee allocates 10% of their professional time to attempt to learn something new through a research project or a working group.
“We call this ‘play-time’ and every individual is responsible for managing their play-time.” The Global Security team also creates new roles for employees when they are ready to learn new skills and functional areas. Each employee has a professional development plan where they choose the skills they wish to invest in, and Aetna Global Security provides vehicles for them to learn and apply these skills.
Quenching a thirst for knowledge
Cote has found through her experiences that, in determining whether someone has an aptitude for cyber security, it’s best to focus on candidates’ and employees’ desire to learn new skills rather than on their background talents. For instance, one of Cote’s most successful recruits was a marine biology major.
IT professionals also often show a strong aptitude for cyber skills, said Cote. “IT professionals often make great cyber security practitioners given their practical experience with IT in the enterprise,” said Cote.
Cote’s role as a security leader also lends itself as an entry point into security for new cyber team members. This includes her involvement with policy management, education and awareness, and security assessment. “It’s a great way to show that non-IT person all the various aspects of security,” said Cote.
For peers that are looking for creative ways to address the cyber security skills gap, Cote offers the following recommendations: Know your people and build industry relationships. Spend time with your subject matter experts and give them the recognition and direction they need to continue growing in their roles. Keep your eyes and ears open for talent and create opportunities for them. Create the ability to develop non-traditional skill sets. And hire people where they live.
To discover additional cyber security staffing and leadership best practices shared by Mignona and other information security leaders at the 2017 New York CISO Executive Leadership Summit, click here.