Information security managers need to be more than technicians, guide says

Federal agencies should no longer seek information security managers who are simply good technicians, but rather hire security managers who can communicate how the concept fits into their overall strategic plan, according to a hiring guide released this week by a leading security certification company.

The best candidates can communicate to senior executives what return they can expect from investing in information security practices, technology and training, said Sarah Bohne, director of communications and member services for ISC2, a firm that has trained and certified more than 50,000 IS professionals. Security managers also should be able to serve as a liaison between executives and end users. "These jobs are very complex and very demanding," Bohne said. "Recruiters need to be sensitive to that fact and look for someone with that balance of technical skills and the ability to communicate."

ISC2 this week released its free "Hiring Guide to the Information Security Profession," which provides industry tips and trends to help agencies identify and recruit the best people to safeguard their data. Much of the guide is devoted to changing the view that information security professionals are strictly technicians.

"When I first got into business, the HR people wanted to exclusively push people with deep technical backgrounds at information security positions," said Lynn McNulty, director of government affairs for ISC2. "These people were not always the best choices. What you want is someone with a variety of skills that can communicate with management."

The need to find the right candidate will only become more urgent. The number of information security workers will increase to more than 2 million by 2010, according to the 2006 ISC2/IDC Global Information Security Workforce Study.

Of course, candidates for these positions must be qualified. According to the guide, one way to identify qualified applicants is through industry certifications, such as the Certified Information Systems Security Professional designation, which is issued by ISC2. More than 85 percent of managers consider certifications important hiring criteria, according to the study.

But soft skills such as the ability to show the rationale for security and an understanding of a company's business operations and mission are becoming just as important. "As the field of information security evolves, companies are searching for a new breed of professional who possesses business and technical acumen," said Joyce Brocaglia, founder and CEO of Alta Associates, an executive recruitment firm.

McNulty said agencies should look for information security managers who have the ability to articulate the business case for security and understand how it fits into the organization, as well as the ability to be an educator, salesperson and marketer. "We're finding that it's a significant challenge and one that demands a variety of skills -- some technical, some policy, and the ability to write and communicate," he said.

According to the guide, the two most common career paths are working as security technologists or security managers. For technologists, ISC2 recommends a deep understanding of multiple technologies, expertise in a particular subject matter in the technical domain, and the desire to be part of the daily task of technical upkeep and monitoring.

For managers, ISC2 says agencies should look for someone who has a broad understanding of multiple technologies, the management and presentation skills of an executive, specialized knowledge and the desire to take a broader role in managing risk.

The hiring guide emphasizes that information security professionals are in high demand from government and the private sector and usually find jobs within a few weeks. Organizations must act quickly and have a plan to secure the best talent.

The guide offers tips on everything from writing a job description to crafting an offer, noting that information security professionals function on higher salary scales than general IT workers.

Other tips from the hiring guide include:

  • Partner with your human resources office to streamline the hiring process and consider engaging a recruiter who specializes in information security.
  • Look for knowledge of network systems and security protocols, security software programs and best practices in developing security procedures.
  • The interview is important. Develop a set of evaluation criteria and have each interviewer focus on a different aspect of the candidate. Devote some attention to selecting and preparing the interviewers.
  • Test the prospect's credibility by verifying academic and professional credentials, professional background and personal references.
  • Look at credit reports as an indication of financial problems that may influence misdeeds. Some things to look for are a record of multiple collections, civil judgments, bad debts, charge-offs, a tax lien or repossession.
  • If possible, include a performance-related bonus or commission unrelated to the base salary.
  • Consider opportunities for the candidate to network or further their education by working on innovative projects, writing papers, attending conferences or attaining certifications.
  • Develop formal career paths for your best and brightest managers to help retain them. Encourage opportunities in training and education.