Good help can be hard to find, especially in the field of information security, which has suffered a shortage of qualified talent in the past few years. Companies are finding it harder to fill vacancies with experienced individuals who can manage and protect their networks from outside threats.
It may be tempting to hire one of the few available cybersecurity experts who apply, but you need to be sure of their experience and qualifications.
Who You Need in a Cybersecurity Role
It's important to carefully define what type of position you need filled. Small businesses may not always have the resources to staff a fully-equipped IT department to manage their network security, and need to rely on a handful or even just one expert to take on that responsibility.
According to Cyber Degrees, a cybersecurity position can undertake several responsibilities including:
- Determining the most effective ways to protect endpoints and the network from attacks.
- Responding to breaches and other emergencies.
- Assessing security risks by performing vulnerability tests, risk analysis and interviewing staff on security preparedness.
- Researching and preparing for new security threats.
- Providing reports to management.
- Composing cost estimates for necessary security expenses for management.
Depending on the makeup of the rest of your IT department, you may also require them to fulfill other IT-related duties. The standard education requirement for a cybersecurity specialist is usually a bachelor's degree in computer science or a related field. There are also several certifications to look out for or that you may want to require, one of the most popular being Certified Information Security Manager (CISM).
Some specific skills a person in such a position should possess include knowledge and understanding of secure coding practices, firewall protocols, intrusion detection/prevention protocols, SQL and other security frameworks.
Just as important as technical skills and knowledge is an understanding of the needs of a small business, said Andrew Rinaldi, partner with Launch Security.
"Ideally [you want] someone who has worked in or with other small businesses, not someone who is trying to bring midmarket or enterprise level cybersecurity thinking or solutions to a small business environment," Rinaldi said.
Another quality to look for is someone who approaches cybersecurity as an ongoing posture and not a one-time project. Cybersecurity is something that needs to be consistently tended to and improved over time, he said.
A competent cybersecurity expert will take a layered approach to security, not just with technology, but on the interpersonal level with the rest of the company, Rinaldi said. Promoting ongoing education for employees on the subject is a great resource and indicator of a real expert.
Where to Find Cybersecurity Talent
Since the talent pool is scarce and demand is high, you're going to have to actively search for talent and get the word out. Simply posting the open position on a job listing site or your own website isn't likely to net the most qualified applicants, if any.
According to Infosec Institute, these types of postings are likely to net inexperienced candidates who would be suited for an entry-level position with a larger firm, but small businesses that need applicants who have hands-on experience in the field and can fill many shoes will need to be more proactive. It's a competitive field where the demand is in favor of the employees, who likely field offers from multiple companies.
Infosec Institute suggests that some of the best places to search for talent include universities, training courses and public events. Making connections with local universities' information technology programs can pay off, allowing you to attend career fairs and talk with senior students ready to graduate. You can often find students who have accrued more than enough experience during their time with the university.
Questions to Ask Applicants
Once you've selected some applicants to interview, here are some questions to help you determine if they possess the qualities described above.
Describe your experience with other, similar businesses. What were the results?
Also ask if they've dealt with a cyberattack or incident and how the situation was handled, Rinaldi said.
Is there a singular, simple solution for our cybersecurity?
"Find out if they fundamentally believe there is a silver bullet solution to handling cybersecurity — which there is not, and if that is the indication, move on to the next option," Rinaldi said.
What is your plan for keeping everyone in the organization a strong, smart cyber-defender?
"While technology is important, so is building a cyber-smart culture through ongoing education, training and testing," he said. "And to do that effectively, you also need to have the right policies, procedures, and plans in place."