“Cyber talent crunch challenges CIOs,” says one headline. “Businesses vulnerable due to skills shortage,” screams another. Intel even published a report revealing, among other things, that 82% of IT professionals confirm there is a shortfall in information security talent. And yet, at every information security conference I attend, I see no shortage of unemployed and—worse—underemployed talent.

It’s a startling disconnect, one that I see in hardly any other industry, and it’s one that is entirely self-inflicted. I see three major persistent issues in information security recruiting: over-filtering, job descriptions that are out of step with the actual job requirements, and an over-reliance on certifications.

I’ll begin with a personal story. When I started my career in the IT industry at Microsoft in 1999, the MCSE was all the rage. In fact, Microsoft hired me in large part because I’d written two MCSE test prep certification books while I was still in college. MCSEs could command improbably high salaries on the strength of their certification alone. And then two things happened.

The tech crash of 2001 forced companies to sharpen their focus on results delivered, which were often not correlated (or were even negatively correlated) with the high salaries paid to MCSEs. Additionally, right around the same time that this was happening, the job market became flooded with newly minted MCSEs from “certification mill” boot camps. These were folks with no real IT background or skills, just the ability to borrow thousands of dollars to obtain a certification that was of dubious value at best.

I survived the tech crash in part because Microsoft, unlike many other companies, continued investing – they (correctly) saw the crash as temporary and a golden opportunity to vacuum up top talent they’d otherwise have trouble recruiting.
But in part, I also survived because I was developing real, core IT skills in one of the most challenging IT organizations on the planet. It was the beginning of a career that would land me in one of the top IT roles in the company, managing the “best-of-the-best” Microsoft Research Asia IT team in Beijing.

And I still don’t have an MCSE. Even though I have written two books on the topic. Even though I had a stellar IT career at Microsoft, eventually running one of the top IT organizations on the planet. At some point, it starts to matter a lot more what you can deliver (and the way you deliver it) than what certifications you have, so they simply became irrelevant to my career.

For my part, I reached that point at the end of my first year at Microsoft. And yet, if for some reason I wanted to shift my career focus to information security—something that has been a key component of every IT position I have held for more than a decade—I’d likely be filtered out as a candidate. I don’t have a CISSP or, for that matter, any popular industry certification.

Still, I have quite a bit of security experience and understand the hacker world very well. After all, I have been to every DEF CON (starting from the very first) and am the founder of a major event there. I write a telecommunications column for a noted quarterly information security magazine. What’s more, I’m the CEO of PCPursuit, a stealth-mode data security startup. No matter. Without a popular industry certification testing my knowledge of, among other things, the proper height of a cyclone fence (something no IT security manager I’m aware of has ever been involved with), I wouldn’t be able to get an IT security job. And this over-reliance on certifications doesn’t extend only to full-time positions. It is starting to creep into consulting engagements as a requirement, as well.

There may be some value in certifications for entry-level hires, but they mean very little as a filter.
We’re already starting to see “boot camps” and “certification cruises” pop up. I have seen this movie before; it’ll result in a tidal wave of applicants with fancy, expensive certifications but little or no practical experience. Some may find successful careers in information security, but if past experience is any guide, most will waste a lot of time and money.

The second problem in information security hiring is insisting on over-qualified applicants. If your job description consists of a superhuman combination of deep skills in entirely different verticals, the problem isn’t a talent crunch—it’s your unrealistic expectations. The vast majority of information security today is carried out by IT managers and administrators who perform IT security as one of the many tasks for which they are responsible. However, most of the folks who are already doing these jobs are filtered out of newly created roles at many organizations, and this is sheer madness. Obviously, given the now-critical role of information systems in essentially every modern business and the high visibility of data breaches, information security is starting to gain some visibility.

However, you don’t fix information security problems in most organizations by hiring an offensive security specialist who is, for example, skilled in a particular combination of penetration testing tools (among all of the other job requirements you have listed). This is a highly specialized skill that, if you need it at all (which in most organizations is doubtful), you should bring in on a consulting basis.
Requirements like these—often supplied by recruiters—simply filter out the best-suited people who are already working in your organization and can grow into the role.

What’s really needed in most organizations is a strong information security generalist who can accept and exercise clear ownership—someone who clearly understands the information security problem space, who can develop an effective information security program that is appropriately tailored to the organization, and who has both the authority and the ability to bring in specialized resources as needed. And—most importantly—who reports through a different organizational structure than the IT organization (because it doesn’t make sense to have your regulator reporting to the management of the organization she is regulating). Unfortunately, far too many organizations are publishing job descriptions that look a lot alike and are entirely out of step with not only their actual needs but what is reasonably available on the market.

The final problem in information security hiring is over-filtering. In addition to requiring certifications of—at best—dubious value, many organizations impose additional filters. For example, a college degree is required. In addition to this, they want a completely clean criminal history. And finally, organizations look for candidates with prior experience in pure information security roles. Unfortunately, all of these filters are entirely wrong for the technology industry and particularly for information security. Prominent technologists often skip school and go straight to work. Neither Bill Gates nor Steve Jobs finished college.

The best hackers push boundaries and break rules, especially when they are young. This is what makes them really good at their jobs, but it can often also lead to brushes with the law.
And on top of all of that, did your organization have a pure information security role until you posted the job description for one?

Guess what: outside of a few select industries (banking, telecommunications, software, and the defense industry), very few companies have specialists like these. Your best candidates may instead be IT generalists with broad exposure to a variety of information systems and the security challenges involved. And they may already be working in your organization.

There isn’t a shortage of available information security talent. Stop writing articles claiming there is. Don’t believe self-serving studies commissioned by companies trying to sell you products and services to fill the talent gap. And for heaven’s sake, stop complaining to your boss that you can’t find anyone who is qualified. Instead, look in the mirror, talk with your HR department, and set your expectations in line with where the best talent actually is.

If you want to recruit the best information security specialists in the world, for heaven’s sake, overlook that 10-year-old conviction for marijuana possession and show up at DEF CON to recruit. The best candidates are there, and if you’re not there making the best offers, today’s overlooked talent (which isn’t exclusively junior) will become tomorrow’s data breach.
About the Author: Robert Walker is the founder and CEO of Seattle-based PCPursuit, a startup backed by top infosec accelerator Mach37. He was previously IT manager for Microsoft Research Asia, and was a Microsoft employee for over 13 years. Robert believes that security works better when it is easier to use.

Editor’s Note: The opinions stated in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.