You can look through hundreds of resumes, be overwhelmed by the array of letters after a candidate's name, and throw your hands up at the drivel of technical jargon and acronyms - and at the end of the day still not have a clue what to look for when it comes to identifying a successful information security candidate. Don't worry - you're not alone. In this ever-evolving world of skills and needs, finding the right hire can feel like finding the proverbial needle in the haystack. As with other critical roles in your organization, a mistake here can have dramatic consequences for your company.
Here are a few hints to help as you embark on your next information security hire, starting with understanding your needs and clearly identifying the position.
What does information security mean to me?
One of the biggest information security hiring mistakes can happen long before the first interview: not clearly defining the role being filled. Start by detailing the goals and objectives that the role is expected to accomplish:
- Is the role operational or strategic?
- Management or delivery?
- Compliance or operations?
- Centralized or business unit specific?
- Tied to an application or general to the enterprise?
- Will the person be focused within a small team or reaching out to business unit leaders?
- Are there internal and external communications expectations?
The answers to these questions will go a long way in helping qualify potential candidates.
A more subtle variable is the role of information security within the organization and its direct and indirect reporting relationships. This role could interact with the chief information officer, chief security officer, chief risk officer, IT audit, general counsel and multiple business units - not to mention executive management and the board of directors. Once again, by understanding what is expected, key candidate strengths and capabilities can be defined and assessed.
The value of professional certifications
Let's face it: in some professions it is simply easier to qualify candidates than in others. If you're looking for a certified accountant, the qualifier is "CPA"; for attorneys, it's passing the bar and becoming board certified. When you're looking for information security candidates, the list of acronym-laden certifications can be almost overwhelming and, more importantly, misleading. Just as with detailing the expectations of the role, it is important to understand what is expected from a certification. A candidate who has successfully completed a vendor-based certification program may be able to demonstrate the ability to implement a specific security technology, but that capability may not be applicable to developing corporate information security standards and policies. Similarly, a candidate who has achieved a CISSP or CISM demonstrates the ability to assimilate a baseline of information security knowledge, pass a rigorous examination, and show an initial foundation of experience. While important, these certifications provide, at best, a landscape of general information security understanding.
The key is to set the proper expectations of a certification's value. While it can help narrow the field of candidates, it cannot guarantee the candidate's capabilities. Experience is a key component to understanding the candidate's abilities. The next challenge is to identify the types of experience that are relevant.
A hacker's place in an enterprise organization
It's been said, "The way to build a better safe is to hire a safe cracker to design the new safe." So a natural question that gets asked is, "Does it make sense to hire information security people who admit to hacking?" This always seems to turn into an interesting debate. There may be legitimate efforts where someone with hacking experience could seem appropriate. The challenge is that, even when not intended to be malicious or criminal, hacking activities can imply questionable judgment or a willingness to ignore certain conventions.
More importantly, many of the technical skills that used to be held by a select few individuals are now more readily available in the marketplace. The concepts of rootkits, buffer overflows, cross-site scripting and SQL injection are now commoditized into tools and are explained in great detail in publications. As these skills become more commonplace, the benefit of hiring candidates with direct hacking experience diminishes, and thus becomes less desirable. Further, organizations may need deeply technical knowledge for some processes, but a full-time hire's such skills may not be fully utilized. Focusing on other skills for full-time hires and looking to outside help for deeply technical and experienced attack and penetration testing could be a prudent approach.
Importance of understanding a candidate's background
If defining the role well is the most critical component of successful hiring, performing detailed background and reference checks may be the next most critical area. Too often, hiring decisions are made on someone's "gut feel."
Areas that should be mandatory include the following:
- criminal checks, including misdemeanor offenses
- confirming government clearances
- confirming employment history
- talking with at least three previous employers (direct managers) or independent character references (i.e., not a relative or personal friend)
The key is not to rush through the process. References will provide tremendous insight and benefit when considering candidates. For some organizations, it may be beneficial to check references at the beginning of the process, as this will save a lot of time in the interview process. Another key component is gathering enough background data; in many cases it is recommended to go back at least five years.
Standing at the corner of business and technology
Far from its days as a young, brash twenty-something, information security is more accountable to the business, wears a suit to work, and is being integrated as a function of every business process within a company - not just a back-office afterthought. An effective information security professional has to be able to blend technological skills with business acumen. Looking for capabilities beyond the keyboard will help identify candidates with a blend of security technology and an understanding of business priorities. Fortunately, these skill sets are becoming more available as companies better understand and invest in risk management endeavors.
Hiring an information security person in this evolving and dynamic career field can be a challenge, but with a little time focused on the position and the process, you may improve the odds of finding the "right" person for your organization.
- Fredric Cibelli and Kevin Richards are both senior managers with Ernst & Young, LLP, and are members of the Information Systems Security Association.
Note: The opinions in this article are the opinions of the authors and do not represent the opinions of Ernst & Young, its partners, principals and affiliates or the ISSA.