Career Advice Tuesday – Why Info Sec Position Go Unfilled
May 15, 2012
Dear Infosecleaders Readers-
Below you will find the unedited version of my latest article for Tech Target/Search Security – Information Security Magazine. The article is designed to shed some light as to why companies have such a difficult time in filling information security roles.
Let me know what you think.
Why Information Security Positions Go Unfilled
While the national unemployment rate has been steadying between 8-9%, information security professionals have been enjoying newfound prosperity. Until recently, the information security function primarily held importance to industries whose success and market perception were tied directly to their customer’s trust, like financial services, and the federal government. Due to a unique combination of technological innovation, increased regulatory scrutiny, external threat, and social activism, corporations in industries who have traditionally ignored information security, have began to realize that the development of a competent information security function is a worthwhile and necessary investment.
When companies recognize that they are going to make this type of organizational commitment, their first order of business is to find competent information security talent to bridge their talent gap to address these issues. However, finding and attracting competent information security professionals to a new position is a lot more difficult than it appears. Companies quickly learn that the same strategies and processes that they apply to filling more generic business and technology roles, do not necessarily translate to the recruitment of information security professionals. It is important for organizations and information security leaders to comprehend why information security positions go unfilled, so that they can make the proper adjustments to attract and hire this talent is a reasonable time frame.
The primary impediment to filling information security positions is geography. In many cases, the talent and skills alone would be difficult to find, however the need for an employee to based in a certain location significantly impacts the depth of the candidate pool. For example, although the NY Metro area is filled with companies, positions based in locations like Long Island, Central New Jersey, and Southern Connecticut will greatly reduce the candidate pool due to commuting time. Conversely, there are many information security professionals who would not want to incur the additional cost of commuting into Manhattan. In the past, companies were much more amenable to relocating candidates to fill positions, however the economic events and the housing bubble has greatly reduced the ability for people to relocate or companies willing to subsidize these costs. In general, companies relocation packages have become less encompassing, saddling the candidate with additional expenditures if they decide to accept an opportunity and relocate. In these instances, the candidate can simply not afford to accept the position, even though it aligns with their career plan and professional development.
The next major component in the breakdown of a recruitment process is in the area of compensation. When corporations are determining the compensation value of their job openings they traditionally consult specialized market research firms that provide them with this information. This compensation information generally equates to what the candidate, with the skills, already in the position should be paid. While this should serve as a good baseline, it does not take into consideration the recruitment premium that an information security professional, currently performing a similar role at a similar organization would need to leave the comfort of their existing environment. For example, if a Senior Information Security Architect is earning “X” in their current role, the market data may be correct and instruct you to price the position at “X”. However, in order to be successful in attracting the Senior Security Architect to your team, your will need to price that position at “X + 10- 20%” In addition, many times compensation packages neglect to address existing financial and non-financial benefits associated with tenure at a current employer. Because money is fungible, financial benefits are more easily replaceable, however non-financial benefits are often more difficult to address. Information security professionals can place greater value on vacation time, flexible work hours, and telecommuting, and may be unwilling to relinquish these benefits. Corporate human resource policies may not allow you the flexibility to provide alternatives for these privileges.
An additional compensation based reason that information security positions go unfilled is due to internal equity. Internal equity is the belief that any new employee’s compensation cannot be significantly more than their functional or organizational peers. It is the information security leader’s responsibility to both address this within their teams and to educate their human resources staff about the uniqueness of the skill combinations that they are attempting to recruit.
Before any major recruitment initiative, the information security leader must partner with human resources and perform a market based assessment of the skills and functions already performed by current information security team members. The question that should be asked is, “If I had to replace that person, what would I have to pay them?” In addition, the information security leaders should be aware of the value of their employee’s skills in the market place, and be proactive in their approach to aligning their compensation with both their internal contributions and external value.
In addition, it is common place for human resources teams to align information security compensation with other technical functions like network engineers, systems administrators, or software developers. It is essential for information security leadership to sit down with human resources and articulate to them why the skill combinations associated with the roles that they are attempting to fill are more complex and scarce, than these technical resources. The information security leader should have a great deal of incentive to win this argument, because if the compensation packages are insufficient, positions will remain open for long period of time or will be filled with substandard talent.
While these factors contribute to unsuccessful recruitment processes, the primary reason that positions go unfilled is the failure of the information security leader (hiring authority) to think like the candidate that they are attempting to attract. All information security leaders at one time had to interview for a job. It can be assumed that when they contemplated their last job change, they created a list of criteria that become key factors in their decision making process. Some of these factors will include the commitment of the organization, the level of responsibility associated with the role, the career path for the position, professional development opportunities, title, and compensation. In summary, most likely they changed positions because the new opportunity represented increased opportunity and personal satisfaction. Often, information security leaders forget their own motivations, and ignore the fact that their applicant pool are driven by similar forces.
One of the biggest mistakes is that hiring managers only focus on their organizational “need” as opposed to taking into consideration what the applicant “wants”. When information security leaders begin designing their job descriptions, it is essential that they understand the appeal of the opportunity and what types of candidates it will attract. When they conduct their interview process, they should be taking into the consideration the candidate’s point of view, and determine if the position and the environment can serve as the framework for their candidate to accomplish their professional goals and develop their information security career. By viewing the position form the candidate’s perspective, information security leaders will find themselves prepared to communicate the merits of the position during a recruitment process, which should make a positive impact on the candidate’s interpretation of the career opportunity.
One of the best way to evaluate leadership is by the caliber of the people with whom they surround themselves. Attracting top information security talent to your team can be both time consuming and frustrating. Building an effective recruitment strategy, addressing potential obstacles, building organizational partnerships and understanding the motivations of your future employees are key ingredients to efficiently filling your information security openings.