Here is a short report called “Ingredients for hiring a good information security professional”. Perhaps most notable is the advice to define the job well:
One of the biggest information security hiring mistakes can happen long before the first interview – not clearly defining the role being filled. Start by detailing the goals and objectives that the role is expected to accomplish:
– Is the role operational or strategic?
– Management or delivery?
– Compliance or operations?
– Centralized or business unit specific?
– Tied to an application or general to the enterprise?
– Will the person be focused within a small team or reaching out to business unit leaders?
– Are there internal and external communications expectations?
The answers to these questions will go a long way in helping qualify potential candidates.
A more subtle variable is the role of information security within the organization and its direct and indirect reporting relationships. This role could interact with the chief information officer, chief security officer, chief risk officer, IT audit, general counsel and multiple business units – not to mention executive management and the board of directors. Once again, by understanding what is expected, key candidate strengths and capabilities can be defined and assessed.
At first glance this might seem blatantly obvious to any hiring manager: you must know the position well to find the right match. However, the field is relatively young and evolving rapidly, so I would argue that defining the position is even more vital than the authors express. By that I mean people need to assess exactly where and how in the organization the role will operate and which levers the person will be expected to know how to push and pull.
There are few organizations or widely-accepted references available that define what exactly a good information security role should look like a year or two from now. And even the good ones struggle to map emerging technology (biggest risks?) to old control language — what do we do about ubiquitous wireless networks when we are required to harden the “perimeter”? This sort of issue always gets me thinking about the speed at which skills become obsolete: is a TV expert someone who can rebuild your television set, or someone who can help you estimate the best time for replacement and pick out a new one with the right feature set/value ratio?
Software security still feels like it is in the primitive state of men hunched over soldering irons and circuit boards, but it will not be long before the assembly lines speed up, the quality/cost model shifts, and the role of security fundamentally changes to address the new (most relevant) risks. That might seem a bit esoteric, but I used to manage a group of engineers who literally de-soldered and rebuilt CRT displays. Similarly, I now hear about positions where security is to be a strategic and business-oriented practice (a fine blend of politics, economics, and polisci) instead of a hands-on firewall wrangler position or a patterns/exceptions expert.
The market for security talent certainly seems to be expanding as more businesses realize information is flowing everywhere all the time and they need to do something about the risks, even if they are not sure exactly what. The dearth of good role-models, templates and examples provides interesting opportunities for leadership, with many more changes ahead.