Winning the war for cybersecurity talent strategy
Talented information security professionals remain the linchpin of a successful cybersecurity program. Several employment surveys have found that security skills continue to be in high demand, and some high-profile security jobs can command salaries over $200,000 per year. Thirty-five percent of organizations surveyed are unable to fill open security jobs, according to ISACA’s State of Cybersecurity: Implications for 2015 survey.
“There’s a huge war for cyber security talent,” commented Angela Heise, vice president, commercial markets at Lockheed Martin. Best known for its military hardware and spacecraft, Lockheed Martin has developed a strong reputation for managing security threats and meeting the high security requirements of the military. Based on that reputation, the company now provides security services and support to many companies in the Fortune 500, including energy firms, financial companies and utilities.
A major part of Lockheed’s security success comes down to the organization’s talent strategy. “When I bring a new security analyst into Lockheed, they have the opportunity to rotate through several groups: Lockheed’s internal security unit, the group serving government clients and work with our commercial clients,” Heise shared. “We empower our security staff by giving them a say in the tools they use and help them develop their careers,” she continued. Diversity and cross-generational cooperation are another opportunity. “I see a lot of organizations that tend to prefer hiring highly experienced security professionals. I prefer a diverse approach that includes bringing new graduates into the organization who can learn from and share with our experienced professionals,” Heise says.
The CIO’s view on cybersecurity: best practices for IT leaders
When a security incident occurs, the CIO and/or CISO is expected to lead the response. While the need for emergency response to security incidents is ever present, leading organizations have adopted a proactive strategy. Threat detection and managing third parties are key practices for CIOs and IT managers to adopt.
“The best CIOs and executives we work with use several monitoring strategies to address cyber security risk,” shared Carolyn Holcomb, Partner and Leader of the Risk Assurance Data Protection and Privacy Practice at PricewaterhouseCoopers (PwC). “In managing vendors and third parties, the best approach is to request a SOC2 report where an independent party conducts a thorough assessment of security, privacy or other points,” says Holcomb. SOC2 is an internal controls report defined by the American Institute of CPAs that addresses security, availability, processing integrity, confidentiality and privacy matters.
“If a SOC2 approach is not feasible, there are two other alternatives: using a right to audit clause in the contract and questionnaires,” Holcomb says. The right to audit clause enables an organization’s auditors and/or security professionals to review the vendor directly. The least expensive and least robust option is to send a questionnaire to the vendor asking about its security practices and technology; because the answers are self-reported and unverified, the questionnaire approach tends to provide the least detailed information of the three.