Risk Management – Security Qualified Candidates


All companies have a risk tolerance; some have a higher tolerance for risk than others, and many follow where a few lead.

The risks a company is willing to take, whether bet-the-company risks or smaller bet-the-product risks, help define its potential for survival as a leader, a follower, or a failure.

There are five key risk areas in IT projects that were identified by Baccarini, Salm, and Love in 2004: personnel shortfalls, unreasonable project schedules, unrealistic expectations, incomplete requirements, and late delivery of software. How project managers work within the confines of these five risk areas helps determine the success or failure of an information security project. This series of articles looks at all five risk areas and proposes solutions to each.

Risk management in IT security is an important part of ensuring that projects work and that the result will actually be used. While this is just one school of thought within the systems development life cycle (SDLC), understanding risk, and the risk that the various products in use inherit from one another, is essential to understanding how security technology will be used, can be used, or will not be used (leading to security failure).

Most of us have heard of these top five; how we address them in detail is how we handle risk, and how we accept risk, on an IT project. The first on the list, personnel shortfalls, has been all over the news. We are constantly told that 150,000, 200,000, or more IT positions cannot be filled because there are not enough graduates or trained people to fill them. Every trade magazine and web site runs at least one article a month on the subject, highlighting the problem along with the complaint that there are not enough qualified candidates out there.

The answer is: no, there are not enough qualified candidates, and that is a risk for any IT project, IT security included. Qualifications, though, have to be defined against what the project entails. There may be many technically qualified candidates but not enough who can work the social side of the company; the reverse holds as well, with candidates who are socially experienced but not technically qualified for the position. Company and candidate need to work out which skills are must-haves, which are nice to have, and which are not really required, and then both have to be honest in assessing what the job demands. There is no point in hiring a fresh graduate with no hands-on experience for a highly complex project and then getting angry at the hire for lacking the skills the job requires. Yet that happens with stunning regularity.

Companies, certification bodies, and universities have all tried to address the issue with incentives and cost-reduction strategies such as grants and scholarships. The real problem with formal education and certificates is that they work mostly at the theoretical level. Outside of the technical schools, a candidate whose only credential is a degree or a certificate rarely has any hands-on experience.

If the candidate has actual experience with the technology the project needs, the choice of a good candidate becomes clearer. However, no one really addresses how to distinguish warm-body hiring from finding the excellent, outstanding candidates that companies say they want. The other problem is finding enough entry-level jobs outside the military where people can be developed and trained to company standards. All of this then compounds into the "not enough skilled candidates for the job" or "personnel shortfalls" experienced by companies with a high-risk, high-requirement product or project that needs to be completed.

The hard part for the security person shopping for a job is not only finding the place that works for them, but also working through the positions that are "always open" at a company. While a company may bemoan that it cannot find the right people for the project, the "always open", never-to-be-filled positions that litter academic, healthcare, and technology company web sites are disillusioning for the job seeker. The job may sound cool, but if there is no intention to hire, the people who fill in the application and are never called eventually give up trying to find a job with that company.

If the company then creates a legitimate job opening, no one will know, or the cost of finding someone rises because a recruiter has to be brought in. While there may be legitimate open positions and legitimate people to fill them, finding a good job in the IT industry has become a game of whack-a-mole. Working through the hiring process, with days of round-table interviews, questionnaires, profiles, and the rest, then puts the person seeking the job at real risk.

On the other side of the fence, the company wants to make sure it hires quality people who will work well in the corporate environment. To fix all this, the company needs to reduce the steps in the hiring process, post only legitimate openings, and still make sure it gets quality candidates for the position. The job seeker needs to push back against the statistic that 8 in 10 resumes are inflated by being honest, and needs to understand that not every job is one the seeker is qualified for. Management will still complain that there are not enough people to fill positions, and job seekers will still complain that no one is hiring. Nevertheless, ensuring that quality people are the ones who get through the gate to fill those thousands of open positions will work out in the longer run.

The catch-22 we have created around hiring good people is systemic in the way both jobs and seekers are created. Everyone wants the same thing: the company wants a person who is happy, dedicated, works hard, and does good things, while the job seeker is looking for a place where they will be happy, be rewarded for dedication and hard work, and have the chance to do good, challenging work.

Resume inflation and job description inflation both play a part. (There is a classic example from Amazon in 2002 that has been discussed a lot in my circle: they wanted 10 years of Windows and Linux system administration, database administration, solid programming in C or C++, scripting, and security competencies, as well as an advanced degree, all for 70K a year; those unrealistic expectations led many people to give up on wanting to work at Amazon for the time being.) Both companies and candidates need to be more realistic. While 1 in 100 might have many exceptional, well-developed skills, most candidates are normal humans who can do one thing really well and many things adequately.

Personnel shortfalls are going to happen; key people are going to leave. The project manager needs to sit down and work out contingency plans in case key people go or cannot be hired in. There are options: outsource, hire a contractor or three, or otherwise bring the skills in house, reducing risk by pushing that risk onto someone else or some other company.

Not all companies are good at bringing a project home regardless of the issue, and that needs to be factored into the human equation as well. There are many ways to work through personnel shortfalls. Project managers, management, and senior sponsoring management sometimes need to be creative in working out the solution that best fits their company, and they need to keep revisiting that solution as the project matures and moves through its development stages.


Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
