Information security managers need to be more than technicians, guide says

Federal agencies should no longer seek information security managers who are simply good technicians, but rather hire security managers who can communicate how security fits into the agency's overall strategic plan, according to a hiring guide released this week by a leading security certification company.

The best candidates can communicate to senior executives what return they can expect from investing in information security practices, technology and training, said Sarah Bohne, director of communications and member services for ISC2, a firm that has trained and certified more than 50,000 IS professionals. Security managers also should be able to serve as a liaison between executives and end users. "These jobs are very complex and very demanding," Bohne said. "Recruiters need to be sensitive to that fact and look for someone with that balance of technical skills and the ability to communicate."

ISC2 this week released its free "Hiring Guide to the Information Security Profession," which provides industry tips and trends to help agencies identify and recruit the best people to safeguard their data. Much of the guide is devoted to changing the view that information security professionals are strictly technicians.

"When I first got into business, the HR people wanted to exclusively push people with deep technical backgrounds at information security positions," said Lynn McNulty, director of government affairs for ISC2. "These people were not always the best choices. What you want is someone with a variety of skills that can communicate with management."

The need to find the right candidate will only become more urgent. The number of information security workers will increase to more than 2 million by 2010, according to the 2006 ISC2/IDC Global Information Security Workforce Study.

Of course, candidates for these positions must be qualified. According to the guide, one way to identify qualified applicants is through industry certifications, such as the certified information systems security professional designation, which is issued by ISC2. More than 85 percent of managers consider certifications important hiring criteria, according to the study.

But soft skills such as the ability to show the rationale for security and an understanding of a company's business operations and mission are becoming just as important. "As the field of information security evolves, companies are searching for a new breed of professional who possesses business and technical acumen," said Joyce Brocaglia, founder and CEO of Alta Associates, an executive recruitment firm.

McNulty said agencies should look for information security managers who have the ability to articulate the business case for security and understand how it fits into the organization, as well as the ability to be an educator, salesperson and marketer. "We're finding that it's a significant challenge and one that demands a variety of skills -- some technical, some policy, and the ability to write and communicate," he said.

According to the guide, the two most common career paths are working as security technologists or security managers. For technologists, ISC2 recommends a deep understanding of multiple technologies, expertise in a particular subject matter in the technical domain, and the desire to be part of the daily task of technical upkeep and monitoring.

For managers, ISC2 says agencies should look for someone who has a broad understanding of multiple technologies, the management and presentation skills of an executive, specialized knowledge and the desire to take a broader role in managing risk.

The hiring guide emphasizes that information security professionals are in high demand from government and the private sector and usually find jobs within a few weeks. Organizations must act quickly and have a plan to secure the best talent.

The guide offers tips on everything from writing a job description to crafting an offer, noting that information security professionals function on higher salary scales than general IT workers.

Other tips from the hiring guide include:

  • Partner with your human resources office to streamline the hiring process and consider engaging a recruiter who specializes in information security.
  • Look for knowledge of network systems and security protocols, security software programs and best practices in developing security procedures.
  • The interview is important. Develop a set of evaluation criteria and have each interviewer focus on a different aspect of the candidate. Devote some attention to selecting and preparing the interviewers.
  • Test the prospect's credibility by verifying academic and professional credentials, professional background and personal references.
  • Look at credit reports as an indication of financial problems that may influence misdeeds. Some things to look for are a record of multiple collections, civil judgments, bad debts, charge-offs, a tax lien or repossession.
  • If possible, include a performance-related bonus or commission unrelated to the base salary.
  • Consider opportunities for the candidate to network or further their education by working on innovative projects, writing papers, attending conferences or attaining certifications.
  • Develop formal career paths for your best and brightest managers to help retain them. Encourage opportunities in training and education.