The General Data Protection Regulation (GDPR) will go into effect on 25 May 2018, and will have an important impact on business operations around the world. Data protection is at the heart of any business, encompassing everything from employment and emails to commercial contracts and corporate restructuring. Since this legislation will apply to most companies doing business with the EU, as we consider the impact these changes will have on business, the increased need for talent must be at the top of the list.
A recent study indicates that businesses will need to add at least 28,000 Data Protection Officers in the EU alone to support the GDPR. While this is an enormous amount of new talent to bring into the market, the real issue is brought into sharp focus through the current state of Cyber Security Workforce Trends and Challenges for 2017. ISACA, the International Information Systems Audit and Control Association, indicates that 55% of organisations take more than three months to fill their current open cyber positions. In addition, 30% of companies in the EU are completely unable to fill their open cyber security positions.
Although we are navigating through already troubled cyber talent waters, it is important to understand that many companies affected by the GDPR will be required to hire, appoint or contract a Data Protection Officer (DPO). Let’s get started with what a Data Protection Officer looks like. While there are differing opinions on the specifics of the position description, here are some general guidelines to follow when searching for yours:
- Experts in data protection regulations
- Industry specific knowledge in accordance with both the size of the data processor or controller, as well as the sensitivity of data being processed
- The ability to inspect, consult, document and log file analysis
- Ensure that technical and operational groups comply with procedures
The Data Protection Officer will be responsible for raising awareness of data privacy as well as implementing, monitoring, documenting and applying policies and procedures, and verifying compliance. This will also be the person responsible for notifying data protection authorities in the event of a data breach. Essentially, this will be an expert in privacy and data protection with the ability to truly understand and balance the risks for data processing.
A very important factor to consider as you plan your GDPR programme is the protected status of an internal (employee) Data Protection Officer. In other words, the GDPR prevents dismissal for performance of related tasks, with the aim of ensuring there are no penalties for ‘whistle blowing’. While this protection will insulate against retaliation terminations, it can also tie the hands of employers when navigating through a ‘bad hire’ situation. This caveat may ultimately create more opportunities for law firms or specialty consulting firms offering Data Protection Officer services.
Of course, the best approach to cyber security is to prevent hacks, attacks and breaches before they happen. Prevention requires a strong cyber security team, which will expand with the new regulations. The GDPR’s intent is to ensure compliance and raise awareness of data privacy and protection. We will very quickly need to determine HOW we are going to attract the right talent to our organisations.
Here are a few tips to consider as you recruit for your Data Protection Officer (or any other cyber talent, for that matter):
A Breed Apart
The best cyber security professionals think like the criminals they oppose. That enables them to anticipate what hackers might try, and to identify weak points in system defences. You likely won’t find their CV on CareerBuilder or LinkedIn, so you’ll need to leverage your best networking skills and hardcore power-searching techniques. Consider utilising industry specific job boards such as ISSA, SANS or InfoSec Connect. If your quarries think like a criminal, you have to think like Sherlock Holmes to track them down. Don’t email them a link to apply, as they will not click on a link from an unknown source (and neither should you). Send them a PDF with instructions for connecting with you.
It’s Not a Posting, It’s a Pitch
The demand for such professionals means they’re constantly hearing from recruiters. InformationWeek’s DarkReading.com cites new research by Enterprise Strategy Group and the Information Systems Security Association, indicating that about half of cyber security professionals are contacted by a recruiter at least once a week. If you post a standard HR job description of duties and requirements, it will wash out amongst all the other background noise.
In today’s market you have to court talent, and that is especially true of cyber security professionals. Don’t think of it as a job posting, think of it as a sales pitch. Resist the ingrained habit of listing what your company needs, and focus instead on what will engage the interest of your target audience.
Appeal To The Hot Buttons
In general, cyber security professionals want to:
- Take on intriguing work that is varied and unique. Let them use their devious creativity to your company’s advantage.
- Stay current with the ever-evolving threat landscape. If you’ve got the coolest technology, executive buy-in and a penchant for innovation, your pitch should highlight those perks.
- Do more than just scratch the surface – offer them opportunities not only to look under the hood, but also to take some deep dives into your systems. Give them the authority to make a true impact on your organisation.
- Have the option to work remotely. Your organisation may cling to traditional models, but if virtual options give you an edge in the talent war, then it’s time to loosen up.
Keep Your Social Media Buzz Fresh
This is good general recruiting advice, but definitely important for this group. The content doesn’t have to be about job openings (although you should push those out, too). Instead, think of social media as digital pheromones that make your company attractive. Blogs and tweets help establish your company as a thought leader, enhancing your brand. They also increase the likelihood that hard-to-find candidates will stumble across your company.
Share great insights and ideas your team has, and be sure some of your efforts target the cyber security community — it’s not ALL underground. Join cyber security forums and GDPR discussion groups, for example. Encourage your existing cyber security talent and ranking IT leaders to write blog posts and white papers on the topic.
There are specific qualities to look for in cyber security candidates, but you can’t run an effective search if you focus only on screening people out. The pool’s just too small. Given that security threats are constantly evolving, a degree probably isn’t as important as current experience. Or consider recruiting recent graduates to work with your Data Protection Officer by offering the opportunity to gain valuable hands-on experience (an ounce of future planning never hurt!) Another tactic: instead of asking for five to seven years of experience, ask for three to five and highlight the opportunity for career growth.
You can try retraining existing IT staff, but keep in mind that success in cyber security takes a certain mindset. Ideally, you have a system administrator who can channel her inner cyber risk analyst and ask, “What would I do if I wanted to get past our own security measures?”
Another strategy is to promote outreach programmes that engage new hires, women and minorities. According to the Wall Street Journal, big banks such as J.P. Morgan Chase and Citigroup are getting results through programmes targeting different groups. Some have even started ‘re-entry’ programmes to attract women who took a career break to care for dependants or others. Getting involved with organisations such as the Women in Security special interest group within ISSA International, or the International Consortium of Minority Cyber Security Professionals (ICMCP), will help you.
Take a long, hard look at your organisation. Even if there is no active discrimination, lack of diversity can make cyber security departments look like good ol’ boys’ clubs, further discouraging members of under-represented groups from pursuing careers in this space.
Keep in mind that of the employed population, the National Cyber Security Institute reports that women make up only about 20 per cent of that profession, while African-Americans, Hispanics and Asian-Americans combined make up only 12 per cent. While this data is pulled from the US, the preliminary numbers out of the EU do not appear to be any more promising.
Since the best approach is to prevent the hacks, attacks and breaches from occurring in the first place, talent leadership needs to be a big part of your GDPR programme. However, as you are aware, talented cyber security professionals are in serious short supply. They’re a bit of a unique beast, so you’ll need a recruitment approach for engaging cyber security talent that’s different from the ones you’re using with other positions — even other IT positions.