
Posted on 14 August 2022

Information Security must rethink its approach to talent for the digital era. Leading CISOs are building "unicorn" teams to expand the talent pool, finding indirect ways to meet existing demand, and maintaining close oversight of the entire talent selection process.

Enabling digital transformation requires CISOs and security leaders to make significant changes in almost all aspects of talent management, including planning, recruiting, and development. In particular, CISOs must focus on building “unicorn” teams (not “unicorn” people), fulfilling security talent needs through alternative approaches to hiring, and owning talent management (rather than relying on HR).

 

Main Outcomes

  1. Information Security continues to struggle with a series of talent challenges exacerbated by digitization. These include new skills requirements for the digital age, heightened difficulty finding and retaining staff, and increased organizational demand for security services.

  2. CISOs should build unicorn teams, rather than searching for unicorn individuals, by creating a portfolio of requisite skills for the Security function and finding talent to fill gaps.

  3. CISOs should find ways to fulfill security activities without hiring new external talent, such as by devolving administrative work outside of Security or using automated solutions for repetitive, low-complexity tasks.

  4. CISOs need to recognize that talent management is their job, not HR’s, because CISOs are best situated to understand the talent needs of their function. This realization causes leading CISOs to take ownership over each stage of talent management, while consulting HR as a valuable partner.

 

Talent Challenges Introduced by Digitization

Digitization creates new talent challenges for Security and exacerbates old ones.

Almost all organizations are in the midst of digital transformation—the increasing use of digital technologies to enhance and transform products, channels, and operations. This change brings both tremendous business opportunity and significant disruption. For Information Security, digitization magnifies existing talent challenges and introduces new ones. Our research pinpointed three key talent challenges Security faces in the digital era.

 

#1: Digitization Requires New Security Roles and Skills

Digitization requires a wider range of security roles that entail new skills and knowledge. The digital era transforms business models, including changes to products, channels, operations, and the workforce. These changes alter how organizations expect security to be delivered and, in turn, the skills Security staff need to be successful.

A common example of digital transformation is the shift from waterfall development to agile. Security practices that work well with waterfall development (e.g., stage-gate risk assessments, lengthy code reviews) fail in an iterative, agile environment. Information Security functions must rethink how they manage risks in an agile world and plan for new security roles and skills key to success.

Research reveals over 30 new and emerging security roles CISOs plan to add to their function, many of which reflect the increasing importance of cross-functional aptitude and new digital capabilities. The table below shows examples of new and emerging security roles:

Role: Description

  Sales Support: Explain the company’s security efforts to external customers, build and modify controls in response to external customers, and otherwise support the sales process.

  Customer Understanding: Research and conduct focus groups with external customers to identify and improve security features.

  OT Security Specialist: Design and maintain security for operational technology and supporting technology.

  Counterespionage Analyst: Identify, confuse, or impede attackers through activities such as creating honeypots and tarpits, disseminating misinformation, coordinating with law enforcement for takedowns, and reverse engineering malware.

  Security Service Manager: Manage and oversee the end-to-end delivery of security services to the business.

  Metric Coordinator: Gather, aggregate, and report security metrics to support other security staff, function management, and external reporting needs.

  Security Strategist: Set the security strategy and inform company strategy by considering the entire ecosystem of data, IT systems, regulations, security practices, cyber threats, and business trends.

 

#2: It’s Even More Difficult to Hire and Retain Security Staff

Digitization exacerbates the global shortage of security talent. The unemployment rate for cybersecurity specialists is effectively zero, which explains why it takes an average of 130 days to fill open Information Security positions. Furthermore, the number of unfilled cybersecurity positions is expected to reach 3.5 million globally by 2021—up from one million in 2016.

Security leaders also struggle to retain effective and high-performing security staff. For example, the percentage of staff with less than five years of experience increased by seven points just between 2016 and 2017. As a result, many leaders now head Information Security functions where openings go unfilled and teams remain understaffed for months on end. In fact, many Security functions remain in a vicious cycle of high turnover and slow hiring, which further accentuates the need to rethink Security’s approach to talent.

 

#3: Demand for Security Expertise Is Exceeding Capacity in Many Enterprises

The demand for security expertise in the enterprise is growing rapidly, placing pressure on Security functions to exponentially scale their availability and capacity to deliver. Factors that drive this exponential demand growth include incrementally larger breaches in the news, massive investments in digital transformation, and widespread adoption of agile development methodologies. These trends collectively force Information Security to do more with existing staff while planning for shifting talent needs in the future. Hiring more staff doesn’t remain viable for long.

 

Rethink Security’s Approach to Talent

Leading CISOs build unicorn teams, use alternative approaches to fulfill security activities, and take ownership over talent management rather than relying too much on HR.

To succeed in the digital era, CISOs must fundamentally rethink prevailing assumptions on security talent. The following three insights show how leading CISOs are rethinking their overall approach to talent for the digital era.

 

Insight 1: Build Unicorn Teams, Not Unicorn Individuals

To overcome the challenges posed by new skill requirements and scarce talent, CISOs must shift their views on what comprises an effective workforce. Namely, leading CISOs prioritize building a portfolio of skills required to accomplish their mission over hiring a portfolio of roles traditional to Information Security.

 

The Shortcomings of Role-Based Talent Management

The role-based approach poses three challenges: first, hiring for existing roles may overlook the need for new or emerging security skills; second, traditionally defined security roles are difficult to fill because talent demand exceeds supply; third, it leads CISOs to pursue unicorn people.

The search for these unicorn people—individuals with an ideal combination of skills—focuses Security on talent that is hard to find, hire, and retain. Such an approach is largely unrealistic. In San Francisco, for example, CEB TalentNeuron™ data reveals that the supply of data scientists shrinks as requirements are added (Figure 1). The city has 22,000 people who are familiar with Python and have three to seven years of experience. This number drops to 6,200 who also know SQL. Add in Hadoop, machine learning, and a doctoral degree and the market shrinks to just 60 individuals—11 of whom are looking for a job. This example illustrates how unrealistic job requirements artificially limit Security’s talent pool.

Figure 1: Talent Pool Size and Requirements (Data Science Labor Market, San Francisco)

 

Leading CISOs fundamentally rethink their talent requirements. Rather than search for unicorns, leading CISOs build unicorn teams—individuals that together create teams with every desired requirement—by identifying a complete set of security skills and competencies the Security function needs and expanding the talent pool from which Security recruits.

 

Build Unicorn Teams by Defining a Complete Set of Security Skills and Competencies

To bypass the need for unicorn people, leading CISOs define a complete set of security skills and competencies the function needs. This exercise lets CISOs build and hire unicorn teams, even in the absence of unicorn people. The emphasis in this method shifts away from defining roles as a list of required skills for each hire and instead prioritizes fulfilling Security’s aggregate needs as efficiently as possible.

  1. Competency: The mix of knowledge, skills, and abilities required to deliver a desired objective

  2. Knowledge: An individual’s familiarity with information, facts, or descriptions acquired through experience or education

  3. Skill: An individual’s proficiency at performing a learned activity

  4. Ability: An individual’s innate aptitude for a specific behavior and potential to perform it at a higher level of proficiency

To pursue this approach, deconstruct current and emerging security roles into a set of skills and competencies across Security activities. This exercise reveals a complete set of security skills and competencies the function needs and helps the CISO recruit talent that plugs talent gaps. This formal exercise lets CISOs shift their focus from hiring unicorn people to building unicorn teams that span a complete set of skills and competencies necessary for success across Security activities, and it expands the pool from which they can hire.

 

Insight 2: Fulfill Security Activities Without Externally Hiring New Talent

CISOs often cite recruiting challenges as the primary cause for persistent talent gaps within the Security function. But recruiting external talent is not always the best solution to filling Security’s talent gaps; leading CISOs use creative ways to accomplish Security objectives without necessarily hiring more highly technical—and thus expensive and hard to find—talent.

In particular, leading CISOs cite five indirect approaches to meeting talent needs:

1. Create Administrative Roles That Make Existing Staff More Productive

Information Security typically recruits new staff as the volume of work that must get done exceeds existing staff capacity. Leading CISOs, however, recognize that offloading nonessential, administrative work from key security staff boosts productivity and reduces the need to rely on recruiting to meet demand for security services.

For example, consider an Information Security function with four incident response analysts. If that team is at 95% of its total work capacity and demand on their time is increasing, Security may seek to hire another incident response analyst. However, there’s another option: Information Security could instead hire a lower-cost administrator to handle administrative and process work for the incident response team (e.g., incident logging, incident communication). This approach lets the incident response team focus more time and attention on the technical aspects of their job, boosts the team’s productivity, and places less pressure on Security to quickly hire another incident response analyst.

2. Devolve Administrative Work Outside of Security

Over time, Information Security functions often take on tasks and responsibilities outside their core mandate or that overlap with the broader IT function. Leading CISOs look for opportunities to devolve Security work to other functions or teams within the broader organization. For example, Information Security may hand off tier 1 incident response, basic control maintenance (e.g., patching), and basic event monitoring to IT. This creates more capacity for Information Security staff to focus on more specialized tasks without the need to hire more people.

3. Use Automation to Handle Repetitive, Low-Complexity Tasks

Automating security operations and governance activities where possible reduces Security’s reliance on staff to conduct certain tasks and scales without the need to hire exponentially more people. Common examples of security automation include:

  • Automating repetitive security tasks, such as firewall monitoring, spam filtering, and event logging; and

  • Offering APIs, code libraries, and other forms of self-service that embed security into developer workflows.

4. Outsource for High-Demand Activities That Security Cannot Cover in the Short Term

Outsourcing is a useful strategy to quickly fill talent gaps and can even support long-term strategic workforce planning. Outsourcing gives quick access to skills or competencies Security may need but doesn’t yet have. In addition, outsourcing can integrate into long-term planning in a few ways:

  • Use outsourced talent to upskill and train in-house talent.

  • Fill immediate needs with outsourced talent to focus recruitment on new, emerging needs.

  • Outsource commoditized activities to focus in-house talent on company-specific or highly specialized tasks.

5. Use Internal Talent Sharing to Access New Skills and Expertise

Accessing new skills or competencies does not always require hiring new talent or outsourcing. Leading CISOs look for opportunities to share talent between functions (e.g., IT, Legal, Internal Audit, Privacy) in ways that benefit all participants.

 

Insight 3: Talent Management Is Security’s Job, Not HR’s

Leading CISOs and Security managers own talent decisions from start to finish because Information Security is best situated to identify and understand its own talent needs. While HR is a valuable partner in talent management, it is not the sole owner of talent outcomes within Information Security. Rather, HR should be viewed as a valuable source of information for frameworks (e.g., competency models), templates (e.g., job descriptions), and expertise (e.g., employee value proposition (EVP) statements) that aid Security’s talent management efforts. In addition, Security leadership must be mindful that HR can inadvertently reduce Security talent management effectiveness in places where HR does not fully understand the current security talent environment.

For example, consider Security talent recruiting. Many HR functions have misconceptions on security talent that actually harm or delay recruiting efforts. This means CISOs and Security hiring managers must actively own talent management while working to debunk common HR misconceptions.

HR Misconception: Reality

  Misconception: Certifications are required for many security roles and are useful criteria for filtering applicants.
  Reality: Security certifications do not strongly correlate to actual staff performance; overlooking candidates without certifications unnecessarily reduces the talent pool.

  Misconception: Compensation ranges for Security roles can be based on ranges used for generalist IT roles.
  Reality: Security professionals often command higher salaries than IT generalists due to the short supply and high demand for security talent.

  Misconception: Job listings for common Security roles are standardized and can be reused without any changes.
  Reality: Leading CISOs build unicorn teams with staff that have complementary skill sets; Security recruits for different skills as the need arises—even within common roles.

  Misconception: Security talent is best recruited from traditional sources (e.g., large job fairs, online job markets, major universities).
  Reality: Most organizations compete for the same talent; Security should look in nontraditional places to expand the talent pool.

  Misconception: Security job listings should focus primarily on technical skills.
  Reality: Four competencies—business results orientation, decision making, influence, and organizational awareness—are the strongest predictors of Security staff performance.

  Misconception: Security applicants are most interested in compensation and the role’s technical requirements.
  Reality: Security applicants are receptive to employee value propositions that highlight the comparable benefits of working at the organization beyond compensation.

Owning talent management can seem like an unnecessary burden on the CISO, but Security often has better knowledge than HR in areas like Security compensation, hiring strategies, and internal skills development. While Information Security should not own all aspects of talent management, sustained commitment vastly improves the strategic planning, recruitment, and development processes, with tangible long-term benefits to the function.

 

Conclusion

Information Security must rethink its approach to talent for the digital era. As digitization transforms organizations, it also exacerbates talent challenges facing Information Security functions.

Fortunately, Security leaders have begun implementing novel strategies for overcoming talent challenges. CISOs build unicorn teams to expand their talent pool, find indirect ways to meet existing Security demand, and maintain close oversight of the entire talent selection process. Many organizations are already seeing the benefits from re-orienting their perspective on talent; future hurdles will dictate that the rest follow suit.
