No one today is immune to the cybersecurity talent shortage. Whether you’re a company or individual, you feel the pain of a shortage of good IT security staff members. Companies feel the pain of trying to maintain an adequate staff, who need to be educated enough to maintain the company's environment and to avoid the risk of breaches and regulatory non-compliance. As an individual, you feel the pain when the environments are not protected against attacks and breaches. This presents some very interesting topics that I intend to address in a three-part blog series. In part one, we'll tackle the question:
"How do we identify who would be successful in the IT security positions we need to fill?"
In part two, we'll explore how we can train cybersecurity talent to fill the void. Finally, in part three, we'll figure out whether just the IT security staff or all professionals are responsible for IT security in today's world.
With the shortage of IT security professionals, companies are challenged to find experienced candidates. This is forcing them to hire less experienced employees to fill the need. Indeed, it's not always easy to identify whether a candidate has the necessary background and skills to be successful in an open position. After all, answering a technical question correctly or having a certification does not prove the person can understand and apply the skills necessary to meet the business and security needs of a company.
How does a company identify and hire employees who will be successful? Who performs a technical interview? Management sometimes has to rely on technical employees who may or may not know how to interview another person for technical comprehension. The interviewer may not know how to formulate good technical questions or have the time to create and maintain a good list of interview topics. Some employees may not be able to rate each interviewee objectively because of their personal biases.
What if you could remove the employee’s personal bias from the technical aspect of an interview? Could you reduce the employee's responsibility for having to formulate and maintain a good set of applicable technical security questions for the interview process?
Recently, I was able to attend a SANS Conference where they presented one of their newest programs, the SANS CyberTalent Assessment Program. The CyberTalent Assessment program alleviates the need for companies to maintain their own technical interview questions. SANS CyberTalent Assessment has assessments for positions in information security, digital forensics, penetration testing, and application security.
These assessments alleviate the need for your team to create and maintain applicable technical questions for the interview process. They also allow the hiring manager to get a good understanding of a candidate’s skill level and gaps. More information on the SANS CyberTalent Assessment program can be found at www.sans.org/cybertalent/assessment-products.