As job offers for Chief Information Security Officers (CISO) and assistant CISO roles multiply, it is evident that companies still struggle to recruit the ideal candidate with all the necessary cybersecurity skills. A perfect match remains rare in the market.
Given the mounting pressure from regulations and their upcoming enforcement, the challenge for human resources seems to be twofold.
How can organisations attract and retain junior profiles in their information security teams? What methods should be adopted to effectively integrate these new recruits?
To find out, discover 7 tips for securing your recruitments and valuing these new employees within your company.
1. Don’t Limit Yourself to Information Security Profiles
Certain technical skills are prerequisites for the CISO role: information systems modeling and design, knowledge of standards and regulations, and management of systems and networks. However, it’s important to remain flexible when evaluating candidates.
According to ISC2, a non-profit organisation specialising in professional training, up to 4 million cybersecurity professionals would need to be recruited to meet business demand. The CISO role requires not only technical knowledge but also excellent pressure management, intuition, and foresight in decision-making despite the criticality of the situation.
That’s why, if you encounter a candidate whose profile doesn’t exactly match your expectations, first assess their willingness to learn and their adaptability. A motivated candidate who is eager to train can prove to be a valuable asset in the medium term.
2. Assess Your Cybersecurity Needs
Before considering recruitment, it is advisable to first assess your cybersecurity needs. By clearly defining the responsibilities, you provide visibility and credibility to your job offer, attract potential candidates, and clarify the scope of their future responsibilities. This preliminary step is essential for drafting the job description.
Know that a candidate spends less than a minute reading a job offer before deciding whether to apply. By clearly specifying the role and expectations associated with the position, you increase your chances of attracting the right profiles and avoid mismatches. Recruiting a professional with five years of experience on a technology solution that has been out for only two years is an unfortunate but not uncommon mistake.
The clarity and precision of your job description are not only recruitment tools but also reflect your seriousness and the actual working environment of your future employee.
3. Make your new recruit a liaison for the IT security team within your company.
Cybersecurity is no longer the sole responsibility of the CISO. Therefore, when onboarding a new junior employee in the IT security team, it is essential to take the time to introduce them to the various departments and key collaborators.
This approach aims to provide them with a comprehensive understanding of the company’s internal workings while establishing their identity within the organization. To achieve this, introduce them during meetings, explain their role and the projects they will be involved in, with the goal of facilitating their integration and collaboration with other members of the company. Like you, your new team member should, at their level, act as a representative of the IT security team.
4. Share Your Vision of Cybersecurity with Them on a Daily Basis
Cybersecurity is not limited to a single method or approach. That’s why, from day one, it is essential to share with your new colleague the decisions you have made in the past and the key considerations they need to integrate into their daily routine. By conveying your vision, they will adopt the same approach as you, thus avoiding any discrepancies.
Additionally, to benefit from the collective intelligence of your team, encourage a culture of questioning among your colleagues. In the field of cybersecurity, being overconfident can be dangerous—hence, it is beneficial for both the CISO and the new recruit to challenge each other’s ideas.
As a junior team member, even if they lack your experience, they can still bring theoretical ideas learned during their training that may prove valuable. Communication should be two-way: listen as much as you share. Your junior collaborator will not only answer your questions but may also raise new topics that could enrich your approach and discussions within the team.
5. Prioritize their tasks
The responsibilities of a CISO are numerous. In this regard, it’s common for a new hire to get sidetracked with secondary tasks. Your role as a CISO is to clearly define their priorities within the organization to guide them effectively.
A commonly observed situation involves managing relationships with third parties. Although this is considered an important topic in information security management training, it might be identified as a non-priority in your company. This choice may be due to budget constraints or a security policy that does not view it as an urgent issue to address.
The CISO is responsible for teaching these differences and managing priorities. Having a clear approach and framework will allow the new team member to focus on the most urgent tasks and thrive in roles that will be beneficial.
6. Invest time in mentoring to gain more later.
Given the accumulating tasks, it is not uncommon for a CISO to have too little time to dedicate to junior staff.
However, granting too much independence to the newcomer may lead them to engage in projects that do not add value.
Given this dilemma, what solution should be adopted?
An effective strategy is to establish a regular reporting system. Initially, it could be weekly, and then shift to a bi-weekly frequency as your employee develops their skills and autonomy. By maintaining these touchpoints, you keep track of your employee’s skill development, identify their strengths and weaknesses, and strengthen your relationship with them while enhancing the collective intelligence within your team. They are no longer just an assistant; they influence and play a role in the company’s decisions.
Keep in mind that without follow-up, the new hire may feel neglected and consider other career opportunities, especially within the first 90 days. This situation would be counterproductive as it would force the company to invest time and money again in the recruitment process.
As the African proverb goes: “Alone, we go faster; together, we go further.”
7. Train him on management tools and methods
If your goal is to make your assistant an extension of the CISO, you will need to train them on the appropriate tools and methodologies for managing cybersecurity. This could include teaching them to use frameworks like NIST V1.1 or explaining the reporting process.
Tools like Tenacy can play a key role in making cybersecurity management simpler and more automated, allowing for standardized practices. The platform facilitates compliance management through standards such as ISO 27001, DORA, and 3CF, eliminating the need for manual reporting spread across Excel files.
By training your colleague to use Tenacy, you not only free them from the tedious tasks of manual reporting but also allow them to focus on more strategic and rewarding missions, even as they work on developing their skills.