Prerequisite requirements set by Human Resources for hiring may cause the best people not to be considered for jobs in security.
Speaking to IT Security Guru, Cyber Security Challenge CEO Stephanie Daman said that companies often have a hiring policy under which a person who does not meet a qualifications minimum, but has the right skill set, may not be seen.
“The problem is two-fold: there are people with the underlying skills but HR does not recognise this as the people do not have the right qualifications and while they may have the right skills but not the qualifications that are specified,” she said.
“Also at every stage, there are people who do not understand the importance of particular skills and the youth of our profession. There has got to be a better approach as security people do not fit within a traditional way of education sometimes and once this is an older industry, the traditional ways of hiring will work.”
Amar Singh, chair of the UK Chapter security group of ISACA, said that he “100 per cent agreed”, adding that this issue is huge because job descriptions are written too objectively and need to be more subjective.
“This is especially the case when you start off as HR has to know what you need for the job and they objectify it,” he said.
“HR has made it objective and the tough part is certificates are put in, but you never get the role filled. There needs to be a balance of subjectivity and objectivity and sometimes a job is senior level and it needs a narrative of it, reports to and from but managers don’t want to put it down as once it is written it is set in stone.”
James Lyne, SANS instructor and global head of security research at Sophos, said that the bigger issue is standardisation: people want skills and certifications and know what skills they need, but it is not a case of “one size fits all”.
“Many certifications are about proven knowledge and not experience, and the problem has been that employers require experience, but it should be on capability and should focus on educating people outside the organisation on what a security role looks like,” he said.
“There is a perception of security being a role rather than being multiple roles, and there is a challenge in managing roles and certifications. There are a lot of skills out there; the biggest thing that education requires is multiple paths for experience, capability and certifications. Employers need to use all three and being in a talent deficit, the functions in security don’t get this yet.”
Asked if this problem can be overcome, Daman said: “We are getting there. It is just an old process that is not helped by this sector moving too swiftly as universities try to keep up to speed with cyber security, which is going faster than any curriculum and businesses have to look at it that way too.”