I recently attended a gathering of Wall St CISOs, one of whom referred to the “negative unemployment” in our industry. I thought this was a great phrase, and I’ve found it’s a quick way to get across some quite deep points about current security.
At first, it just sounds cute, but in practice, it’s about as cute as the Oil Crisis. Bad guys have figured out how to make money by attacking our weak defenses. We’re scrambling to catch up. The C-Suite and the board are more accommodating than they have ever been – something to do with the recent dismissal of the Target CEO, I shouldn’t wonder. We know we need people, so we go to hire them, and what do we find? Bad resumes.
Have you found it easy to hire the talent you need? If so, lucky you – feel free to drop hints in the comments section (or just gloat – your peers tell me they aren’t having it so easy).
It makes for an ugly choice. Do we hold standards high, waiting for people with the right skills to come along? Or do we hope to train people new to the field? As I look around, I can see our discipline soaking up some people of – how should I put it? – marginal aptitude. I’ve seen this before – I remember the go-go days of the late 90’s, when Silicon Valley start-ups sucked in all kinds of people with no business working in such environments. When that went all pear-shaped, it wasn’t so bad – sure, some stock options suddenly lost a zero or two in value, but it’s not really fair to whine about that. Watching the same thing happen in corporate IT security is a much scarier proposition.