* Follow-up to June's article “Cybersecurity Education and Training (the devil's in the detail)”.
For the past month or two, I'd been thinking about writing a piece to help organisations when they are developing a cybersecurity team and facing the task: “We need to hire a security person!” It sounds like an easy fix – right? Not so, I'm afraid. So what does a “security person” do? I've been working for over 30 years in “security” and the best answer I can come up with is “Learn, Think, and Communicate. Then Do”. “Not very helpful”, do I hear you say?
Maybe this will help a little more. Rafeeq Rehman, a gentleman I've been following on social media for many years, produces and regularly updates a mind map called InfoSec Professional Responsibilities (What do Security Professionals really do?) (1) (last updated May 2021). I use this document regularly as a “shopping list” when I'm reviewing my own professional development plan. It outlines almost all of the tasks that a security professional might do, but the catch is that not all security professionals can do all of these tasks (which is why large corporations employ multi-disciplinary teams covering many skill sets).
So for small and medium businesses, these are what I think are the key considerations for building a Cybersecurity Team:
The WHY relating to “We need to hire a security person!” will give you the answer to this. For example, if the organisation's objective is to move from on-premises to Cloud based infrastructure (and that's “why you need a security person”), then you might be looking for someone with experience of Risk Management, Security Architecture, Business Enablement (Cloud) with a smattering of IDAM and SecOps. Desirables might include Project Mgmt, Legal & HR (partner contracts & data management).
Don't forget: if you don't need some skills long-term (e.g. only for the duration of a project or for a specific task), then it's much easier (and much cheaper in the long term) to buy in specialist skills on a fixed-term contract. (3)
Footnote: Last evening I read a LinkedIn post by Daniel Cuthbert, Head of Cybersecurity Research at Banco Santander, where he claims “There isn't a cybersecurity/IT skills shortage. There is a shortage of modern interview skills.”
Following up on this statement with my very favourite Head of Recruitment today, she informed me that she tends to focus on “cultural fit” along with demonstrated aptitude and ability to learn, over existing technical skills (which can be easily learned). Don't forget, when you're hiring a cybersecurity person, you want them to be able to enjoy their work, reach their full potential, and contribute to the success of your organisation.