Information security managers need to be more than technicians, guide says

Ability to articulate how security helps agencies meet missions now a requirement.

Federal agencies should no longer seek information security managers who are simply good technicians, but rather hire security managers who can communicate how security fits into the agency's overall strategic plan, according to a hiring guide released this week by a leading security certification company.

The best candidates can communicate to senior executives what return they can expect from investing in information security practices, technology and training, said Sarah Bohne, director of communications and member services for ISC2, a firm that has trained and certified more than 50,000 IS professionals. Security managers also should be able to serve as a liaison between executives and end users. "These jobs are very complex and very demanding," Bohne said. "Recruiters need to be sensitive to that fact and look for someone with that balance of technical skills and the ability to communicate."

ISC2 this week released its free "Hiring Guide to the Information Security Profession," which provides industry tips and trends to help agencies identify and recruit the best people to safeguard their data. Much of the guide is devoted to changing the view that information security professionals are strictly technicians.

"When I first got into business, the HR people wanted to exclusively push people with deep technical backgrounds at information security positions," said Lynn McNulty, director of government affairs for ISC2. "These people were not always the best choices. What you want is someone with a variety of skills that can communicate with management."

The need to find the right candidate will only become more urgent. The number of information security workers will increase to more than 2 million by 2010, according to the 2006 ISC2/IDC Global Information Security Workforce Study.

Of course, candidates for these positions must be qualified. According to the guide, one way to identify qualified applicants is through industry certifications, such as the Certified Information Systems Security Professional (CISSP) designation, which is issued by ISC2. More than 85 percent of managers consider certifications important hiring criteria, according to the study.

But soft skills such as the ability to show the rationale for security and an understanding of a company's business operations and mission are becoming just as important. "As the field of information security evolves, companies are searching for a new breed of professional who possesses business and technical acumen," said Joyce Brocaglia, founder and CEO of Alta Associates, an executive recruitment firm.

McNulty said agencies should look for information security managers who have the ability to articulate the business case for security and understand how it fits into the organization, as well as the ability to be an educator, salesperson and marketer. "We're finding that it's a significant challenge and one that demands a variety of skills -- some technical, some policy, and the ability to write and communicate," he said.

According to the guide, the two most common career paths are working as security technologists or security managers. For technologists, ISC2 recommends a deep understanding of multiple technologies, expertise in a particular subject matter in the technical domain, and the desire to be part of the daily task of technical upkeep and monitoring.

For managers, ISC2 says agencies should look for someone who has a broad understanding of multiple technologies, the management and presentation skills of an executive, specialized knowledge and the desire to take a broader role in managing risk.

The hiring guide emphasizes that information security professionals are in high demand from government and the private sector and usually find jobs within a few weeks. Organizations must act quickly and have a plan to secure the best talent.

The guide offers tips on everything from writing a job description to crafting an offer, noting that information security professionals command higher salaries than general IT workers.

Other tips from the hiring guide include:

  • Partner with your human resources office to streamline the hiring process and consider engaging a recruiter who specializes in information security.
  • Look for knowledge of network systems and security protocols, security software programs and best practices in developing security procedures.
  • The interview is important. Develop a set of evaluation criteria and have each interviewer focus on a different aspect of the candidate. Devote some attention to selecting and preparing the interviewers.
  • Test the prospect's credibility by verifying academic and professional credentials, professional background and personal references.
  • Look at credit reports as an indication of financial problems that may create an incentive for misconduct. Warning signs include a record of multiple collections, civil judgments, bad debts, charge-offs, a tax lien or a repossession.
  • If possible, include a performance-related bonus or commission in addition to the base salary.
  • Consider opportunities for the candidate to network or further their education by working on innovative projects, writing papers, attending conferences or attaining certifications.
  • Develop formal career paths for your best and brightest managers to help retain them. Encourage opportunities in training and education.