How one CIO thinks outside the box to fill cybersecurity jobs

Federal Reserve Bank of Boston CIO Don Anderson shares his hiring strategies for cybersecurity talent

Strong security organizations have a solid understanding of the business and its goals and know their role in making those goals a reality. They’re also creative and think outside the box when they build their team – something we’ve been doing successfully at the Federal Reserve Bank of Boston.

Qualified cybersecurity individuals are scarce and difficult to hire in today’s competitive climate. When we do find them, we fit them into traditional cybersecurity roles including reviewing alerts, reviewing compliance reports, and analyzing malware. 

For other roles – in vendor management, project management, and as security analysts, for example – we are more likely to look outside traditional security backgrounds, and hire folks with degrees in economics, math, or even history.

Strong negotiators wanted

What’s important to us in building our team is finding people with strong negotiation skills who could double as consultants. Often the skills that hardcore security or technology talent have are too black and white; we need people who are comfortable with ambiguity and working in that gray space. Those who are skilled at finding a win-win often do well and are more valuable to the organization.

We also look for talent who can positively impact our organization. As part of our team, they have an opportunity to solve complex problems and must be comfortable working around people. They need to show an interest in learning about the organization and our goals and have the intellectual horsepower to learn our security policy.

When we hire from outside security, we like to see how people run. There are some who look at a security program and know how to match it up against a business need. Others just don’t have it in their DNA though, and revert to either a “Yes, you can do it” or “No, you can’t” mindset with “No” as the default answer.

Law enforcement and audit pros bring skills

We’ve been successful in building our team this way, but it hasn’t always been easy. Sometimes you know immediately that someone will be a great fit, and other times it takes two or three months to see that it just won’t work out.

Some of our most successful hires already exist in our organization as federal law enforcement officers. Many of them are pursuing master’s degrees and law degrees and move from the physical security world to cybersecurity with ease. We’ve also been successful in moving folks from audit and even IT interns into security. 

All this is reflective of the transformation that IT organizations are going through. You don’t necessarily need someone that’s a hardcore security person; you need someone who can have a conversation, talk about business goals, and work with the business to get things done.

Don Anderson is the Senior Vice President, Transformation Executive of the Federal Reserve System. In this capacity, he is responsible for the successful transformation of the finance, HR and procurement functions for 22,000 users.