In a keynote panel at Infosecurity Europe, heads of security outlined the challenges they face recruiting and retaining skilled personnel in what remains a competitive market. Career progression, the ability to develop new skills and a good work-life balance are all important factors.
Firms that achieve the right mix of these elements can still be attractive in the jobs market, even if they cannot match larger businesses’ salaries.
First of all, security leaders need to think about how they recruit. Skills such as communications, and the ability to develop within a role, can be more important than technical qualifications.
“I always think it is a good idea to hire, not based on criteria but on the type of person you want, and the job they are going to do,” said Sue Walnut, product director UK and Ireland at Vix Technology. “Think about the skills you are hiring for.”
“Part of the retention strategy, rather perversely, is to respect that it is time to move,” said Ian Spiller, CISO at Smart DCC. “If there is an opportunity for them to grow, and that’s not plausible [with you], then that’s fine.”
This is part of developing a mutual respect between staff and the business, he said. “On pay, we can’t pay the maximum, but we can provide a bit more of a family organization. That goes a long way to retaining people.”
Walnut added that looking to fill positions internally first helps because staff already have knowledge of the business, and it provides career progression. “You can’t put someone on a training course to be loyal to the business,” she said.
At technology firm Paddle, VP for infosecurity and enterprise technology, Jonny Herd, added that the best people for security roles are not always those who are already in the security industry.
“Don’t assume they need to be in cyber jobs to be doing security,” he said. “Look at IT people, or helpdesk people. We’ve a lot of people we hire there who go in a direction that allows them to move into security.”
Moving from IT into security is a well-trodden path, but Herd also sees DevSecOps, and building up security skills in the dev teams, as essential. The first team he built at Paddle was for application security, with areas such as privacy coming later. “You build a team for the problem that’s in front of you,” he said.
However, firms also need to retain staff. This means finding the right mix of pay, work-life balance and development opportunities. This can mean accepting that it is time for a valued team member to move on.