Hiring guide to the
Information Security Profession
inTrOduCTiOn




      Welcome to the (ISC)2® Hiring Guide to the             infrastructure. Today, driven by legal and r...
TABLe OF COnTenTS




TABLe OF COnTenTS

What is Information Security? ...................................... 3-4
The Evol...
WHAT iS inFOrmATiOn SeCuriTy?




      WHAT iS inFOrmATiOn SeCuriTy?                          Information security involv...
WHAT iS inFOrmATiOn SeCuriTy?




Compliance – ensuring that all laws and industry
regulatory requirements, such as the He...
THe evOLving rOLe OF THe inFOrmATiOn SeCuriTy PrOFeSSiOn




      THe evOLving rOLe OF THe                              A...
THe evOLving rOLe OF THe inFOrmATiOn SeCuriTy PrOFeSSiOn




implement integrated security solutions at all
levels where p...
WHAT TyPeS OF JOB FunCTiOnS eXiST?




      WHAT TyPeS OF JOB FunCTiOnS eXiST?                   • IT Security Manager

 ...
WHAT TyPeS OF JOB FunCTiOnS eXiST?




                                     (8)
WHAT Are THe ideAL TrAiTS OF An inFOrmATiOn SeCuriTy PrOFeSSiOnAL?




      WHAT Are THe ideAL TrAiTS OF An              ...
WHAT Are THe ideAL TrAiTS OF An inFOrmATiOn SeCuriTy PrOFeSSiOnAL?




     Personal Attributes

     • A positive attitud...
WHAT Are TyPiCAL CAreer PATHS?




       WHAT Are TyPiCAL CAreer PATHS?                          Desired attributes for a...
WHAT Are TyPiCAL CAreer PATHS?




(iSC)2 CAreer PATH                                   testing and specialized concentrat...
CrAFTing A JOB deSCriPTiOn




       CrAFTing A JOB deSCriPTiOn                              If you are working with an e...
CrAFTing A JOB deSCriPTiOn




An information security manager’s job description       • Monitor compliance with the organ...
CerTiFiCATiOn requiremenTS




       CerTiFiCATiOn requiremenTS                           According to the 2006 Global In...
CerTiFiCATiOn requiremenTS




information security topics. It also requires the
candidate to possess five years of experi...
reCruiTing




       reCruiTing                                              roles that you are filling and knowledge of ...
reCruiTing




Another avenue of recruiting is to build a         Centers of Academic Excellence in Information
partnershi...
SCreening




       SCreening                                             Education Options/Requirements:

       Detaile...
SCreening




General Skills and Aptitudes:                       • Ability to effectively relate security-related
       ...
inTervieWing




       inTervieWing                                           Companies need to devote attention to selec...
inTervieWing




and articulate business value. If the information    Another good interview question can center
security ...
inTervieWing




       Also, identify what your candidate reads and the
       Websites they visit. Information security ...
reFerenCeS/SeCuriTy CHeCkS




reFerenCeS/SeCuriTy CHeCkS                            Test the candidate’s credibility by v...
CrAFTing And PreSenTing An OFFer




       CrAFTing And PreSenTing An OFFer                        One of the more accura...
CrAFTing And PreSenTing An OFFer




plain lose interest. There is an inverse correlation   It is also wise to discuss suc...
reTenTiOn




       reTenTiOn                                             term career goals and need for professional
   ...
reSOurCeS




reSOurCeS                                      Executive Women’s Forum
                                     ...
reSOurCeS




       International Information Systems Forensics   SANS Institute
       Association (ITFSA)              ...
Acknowledgements

  (ISC)² wishes to acknowledge the invaluable
 contributions of Joyce Brocaglia, president and
  CEO of ...
www.isc2.org/contactus
Upcoming SlideShare
Loading in...5
×

Hiring Guide to the Information Security Profession

4,855

Published on

Hiring Guide to the Information Security Profession

0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,855
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
174
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Hiring Guide to the Information Security Profession

  1. 1. Hiring guide to the Information Security Profession
  2. 2. inTrOduCTiOn Welcome to the (ISC)2® Hiring Guide to the infrastructure. Today, driven by legal and regulatory Information Security Profession. It’s no secret that compliance and the desire to maximize global it’s not easy to find qualified experts to protect commerce, hiring first-rate information security your organization. As the world’s largest body staff is critical to mitigating risks that can destroy of information security professionals, with more a company’s reputation, violate privacy, result in than 54,000 certified members in 135 countries, the theft or destruction of intellectual property, (ISC)2 wants to help HR professionals, recruiters and, in some cases, even endanger lives. and hiring managers understand the scope of We hope this hiring guide, compiled with this burgeoning profession and lessen the pain significant contributions from Alta Associates, of obtaining the best and brightest information will shine some light on the significance of this security staff. relatively new profession, as well as offer tips on The information security profession is expanding ensuring your security staff is filled with talented rapidly. The 2006 (ISC)²/IDC Global Information and qualified professionals. Security Workforce Study (GISWS) showed You can also find more tools at the online that the number of professionals worldwide will (ISC)² Hiring Center at www.isc2.org/HRCenter. increase to slightly more than 2 million by 2010, Best of luck in your recruiting efforts! a compound annual growth rate of 7.8 percent from 2005 to 2010. Eddie Zeitler, CISSP Executive Director It wasn’t always this way. Twenty years ago, the (ISC)2 field of information security was in its infancy, and companies often brushed off threats to their (1)
  3. 3. TABLe OF COnTenTS TABLe OF COnTenTS What is Information Security? ...................................... 3-4 The Evolving Role of the Information Security Profession .............................................................. 5-6 What Types of Job Functions Exist? ........................... 7-8 What are the Ideal Traits of an Information Security Professional? ...................................................... 9-10 What are Typical Career Paths? ......................................11 Crafting a Job Description ..........................................13-14 Certification Requirements ........................................15-16 Recruiting ..............................................................................17-18 Screening ..............................................................................19-20 Interviewing ....................................................................... 21-23 References/Security Checks ............................................ 24 Crafting and Presenting an Offer .......................... 25-26 Retention ................................................................................... 27 Resources ............................................................................29-30 (2)
  4. 4. WHAT iS inFOrmATiOn SeCuriTy? WHAT iS inFOrmATiOn SeCuriTy? Information security involves protecting information and information systems from Governments, military, financial institutions, unauthorized access, use, disclosure, disruption, healthcare and private business today amass modification, or destruction. The purpose volumes of confidential information about their of information security is to ensure that all employees, customers, products, and financial information held by an organization, regardless status. Most of this information is now collected, of whether it resides on a computer hard drive processed and stored on computers and servers or in a filing cabinet, is maintained with: and transmitted across networked systems. Confidentiality - ensuring that information is Should such confidential information fall into the accessible only to those authorized to have access; hands of outsiders, such a breach of security could lead to lost business, lawsuits, reputation damage Integrity - safeguarding the accuracy and and even bankruptcy. Protecting confidential completeness of information and processing information is a common sense requirement these methods; days, and in most cases is also a legal requirement. Availability - ensuring that authorized users have access to information and associated assets when required; and (3)
  5. 5. WHAT iS inFOrmATiOn SeCuriTy? Compliance – ensuring that all laws and industry regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPPA) for healthcare providers and Sarbanes-Oxley (SOX) for publicly traded companies, are met. The objective of an information security policy is to minimize damage to the organization by preventing and controlling the impact of security breaches. Information security provides the essential protective framework in which information can be shared while ensuring its protection from unauthorized users. (4)
  6. 6. THe evOLving rOLe OF THe inFOrmATiOn SeCuriTy PrOFeSSiOn THe evOLving rOLe OF THe A secure organization requires seasoned inFOrmATiOn SeCuriTy PrOFeSSiOn professionals who can create and implement Years ago, the majority of people responsible a program, obtain support and funding for the for protecting information assets entered the program, and make every employee a security field without a formal background or education conscious citizen, all while adhering to necessary and obtained their experience in broader regulatory standards. In addition, it requires a disciplines, such as information technology (IT) or team of technical practitioners to implement the engineering, transferring into information security policies set by the security manager. only as the need arose. Today’s information security professionals work Unlike two decades ago, many younger closely with HR, legal, audit, IT and other areas professionals in today’s sophisticated cyber world of business to mitigate risk throughout the have information security in mind from the organization. Many are now called upon as critical beginning, pursuing college degrees in information contributors to business-decision making. security, information assurance, or a related In the face of these daunting challenges, the role discipline such as computer science. They also of the professional has changed dramatically over likely have a working knowledge of network the past few years. The successful professional systems and security protocols, security software must now quickly and securely respond to programs and implementation, and best change, whether brought on by external and practices for developing security procedures internal threats, or by customer demand for new and infrastructure. goods and services. The professional must also (5)
  7. 7. THe evOLving rOLe OF THe inFOrmATiOn SeCuriTy PrOFeSSiOn implement integrated security solutions at all levels where people, processes and technologies intersect, and ensure they support the objectives of the organization. Although having qualified information security professionals on staff is a necessity for organizations of all industries and sizes, it is especially important to those who have critically sensitive information, such as financial, healthcare or insurance entities, or those who have to comply with strict legal or regulatory mandates. (6)
  8. 8. WHAT TyPeS OF JOB FunCTiOnS eXiST? WHAT TyPeS OF JOB FunCTiOnS eXiST? • IT Security Manager In the early days of information security, an • Certification & Accreditation Specialist organization hired a single “security engineer” • Risk Manager who was an adjunct to the IT department and focused on network security and security • Compliance Officer administration. The position required an The scope of traditional security roles has also understanding of network protocols, firewalls expanded. The early role of security engineer and network vulnerabilities. now has expanded to include numerous areas Today, with the increasing dependence upon the of specialization, such as identity and access virtual world in every corner of business and management, vulnerability management and society, the requirements and job functions of the application security. These positions require information security profession have exploded. extensive technical backgrounds, as well as Security-specific roles include: business risk analysis so the security controls appropriate to the specific organization can • Forensics Specialist be developed. • Security Architect • Chief Information Security Officer • Information Assurance Manager (7)
  9. 9. WHAT TyPeS OF JOB FunCTiOnS eXiST? (8)
  10. 10. WHAT Are THe ideAL TrAiTS OF An inFOrmATiOn SeCuriTy PrOFeSSiOnAL? WHAT Are THe ideAL TrAiTS OF An perceptions. The best security policies won’t inFOrmATiOn SeCuriTy PrOFeSSiOnAL? be effective without buy-in from all employees; While the information security profession • The ability to articulate business value. has become too complex for any one set of Professionals must know their audience and specific skills, there are general attributes that talk in a language they understand; are important to consider when seeking a professional. A few of these ideal traits include: • Understands and manages risk. Security professionals must tailor their security postures Skills and Competencies to the specific needs and risk appetites of • A track record of developing information the organization; security and risk management solutions; • Ability to build strong relationships with the • A keen understanding of technology and the key stakeholders of the organization, including ability to leverage this knowledge to implement legal, HR, audit, physical security, PR, and risk effective security solutions; managers; and • An understanding of the industry, the company’s • Ability to see the overall security needs of an place in the market, relevant regulatory and legal organization. Even in more traditional network requirements, and how they can add value; security roles, organizations need professionals who can interpret technology in a way that’s • Solid communications skills. These include the useful and in line with its business and risk ability to influence employee behavior and management goals. (9)
  11. 11. WHAT Are THe ideAL TrAiTS OF An inFOrmATiOn SeCuriTy PrOFeSSiOnAL? Personal Attributes • A positive attitude. While professionals need a healthy dose of caution, the professional should emphasize the power of defense, rather than the negatives or costs of vulnerability; • Commitment to ethics. To be effective, a professional must always tell the truth and never exaggerate about what can and can’t be done; and • Embraces the need to stay current in the latest security and technology knowledge. (10)
  12. 12. WHAT Are TyPiCAL CAreer PATHS? WHAT Are TyPiCAL CAreer PATHS? Desired attributes for a security technologist may include: An information security professional can come from many different, non-security disciplines. • Deep understanding of multiple technologies Indeed, many exemplary professionals began • Subject matter expertise in a technical domain their careers in technology and went on to learn security. Although professionals typically have • Desire to remain part of technical technology backgrounds, increasingly they are also implementation and monitoring side of security coming from risk assessment areas with strong Desired attributes for a security manager project management experience. may include: The two most common job paths available to • Broad understanding of multiple technologies information security professionals are the security technologist or the security manager/strategist. • Executive management and presentation skills Some professionals enjoy meeting the day-to-day • Particular knowledge of a business line technical challenges of the security technologist or product role and will remain there throughout their careers, although even this role is increasingly requiring the • Desire to manage broader risk issues “soft skills” of business knowledge, communication and collaboration. Others acquire the management skills needed to bridge the gap between an organization’s technical and business priorities. (11)
  13. 13. WHAT Are TyPiCAL CAreer PATHS? (iSC)2 CAreer PATH testing and specialized concentrations. (ISC)2 members are at the forefront of today’s dynamic (ISC)2 provides a career path for information information security industry. Look for one of security professionals from the beginning of their these credentials when you make your next career until retirement. We offer a unique blend hiring decision. of certifications, advanced education, rigorous (12)
  14. 14. CrAFTing A JOB deSCriPTiOn CrAFTing A JOB deSCriPTiOn If you are working with an experienced external recruiter who specializes in information security, A common misconception that still exists in many this is the time to get them involved in the HR departments is that information security is process. A knowledgeable recruiter can advise part of information technology. In fact, because of you on competitive salary ranges for the role expanding business requirements, the information and assist with the creation of the job description. security profession has splintered into many different facets beyond IT and offers specialization Getting the recruiter involved this early in the in process, auditing, policy, compliance and other process lays the groundwork for a successful topics. As with many fields, even a position with partnership by creating a common understanding the identical job title in two departments of the of the role and responsibilities and consistent same company can have different requirements. messaging to potential candidates. The key to developing a solid job description for the information security field is to ensure the hiring manager has an in-depth conversation with the HR department. Regardless of the level of the position, this initial discussion should help the hiring manager focus on what the organizational chart looks like, where this position sits, its roles and responsibilities, how the position relates to the larger organization, and expectations for success. (13)
  15. 15. CrAFTing A JOB deSCriPTiOn An information security manager’s job description • Monitor compliance with the organization’s may include: information security policies and procedures among employees, contractors, alliances, and • Develop and oversee implementation of the other third parties; organization’s information security policies and procedures; • Monitor internal control systems to ensure that appropriate information access levels and • Oversee implementation of the organization’s security clearances are maintained; information security policies and procedures; • Perform information security risk assessments • Ensure unauthorized intrusions, access and and ensure auditing of information security tampering are prevented, and detect and processes; remediate security incidents quickly; • Prepare the organization’s disaster recovery • Ensure the most effective and appropriate and business continuity plans for information security technology tools are selected and systems; correctly deployed; • Monitor changes in legislation and accreditation • Provide information security awareness training standards that affect information security. to all employees, contractors, alliances, and other third parties; (14)
  16. 16. CerTiFiCATiOn requiremenTS CerTiFiCATiOn requiremenTS According to the 2006 Global Information Security Workforce Study, 85 percent of security In the requirements area, in addition to the hiring managers worldwide believe in the education and experience level you are seeking, importance of information security certifications it’s important to determine the professional as a hiring criterion. Employee competency and certification that best validates a candidate’s quality of work remain the top reasons that suitability for the position. If you are seeking a employers and hiring managers continue to place security technologist, a vendor certification that emphasis on security certifications. Company matches your organization’s particular technology policy and regulations are becoming critical environment, such as certifications from Microsoft reasons as well. or Cisco, might be desirable. For security management positions, the industry’s A vendor-neutral certification to ensure gold standard certification is the Certified the security technologist understands the Information Systems Security Professional overarching principles of effective security and (CISSP®), also from (ISC)2. The CISSP was can communicate well with security management developed by information security pioneers in the is also desirable. These include certifications early 1990s and is the first and most respected such as the Systems Security Certified security credential on the market. It tests the Practitioner (SSCP®) from (ISC)2® broadest knowledge of any information security and the GIAC from SANS. certification with a six-hour exam on its CISSP CBK®, a regularly updated taxonomy of global (15)
  17. 17. CerTiFiCATiOn requiremenTS information security topics. It also requires the candidate to possess five years of experience in at least two domains of the CBK, obtain endorsement by a certified (ISC)2 professional, subscribe to the (ISC)2 Code of Ethics, and complete annual continuing professional education requirements to remain certified. Other professional security certifications include the Certified Information Security Auditor (CISA) and Certified Information Security Manager (CISM) from ISACA, as well as CISSP Concentrations from (ISC)2 in management, architecture and engineering. (16)
  18. 18. reCruiTing reCruiTing roles that you are filling and knowledge of your industry. Ask for references and gain a comfort Information security professionals possess level with the recruiter to ensure that you are highly specialized skills that are in high demand. confident that they are capable of partnering Because of this demand, talented professionals with you on the full life cycle of recruitment, from are often available for just a few weeks. It’s a fact sourcing the candidate through negotiating an of the current market that organizations must acceptance. Developing a trusted relationship with hire a desired candidate quickly. Many qualified a specialized recruiter will enable you and the candidates are lost because the hiring process hiring manager to have confidence that you are went on too long. finding the best possible candidate in the most To be competitive in successfully recruiting expedient time frame. information security professionals, the HR Professional associations can also be an excellent department should partner with the hiring resource for finding the right candidate. (ISC)2®, manager and a specialized recruiter to streamline for instance, offers employers access to nearly the hiring process before recruiting begins. 60,000 certified members worldwide through Engaging a specialized recruiter can have many its online Career Center. Employers can post benefits, including reducing your time to hire, jobs and search resumes by industry, specific reaching passive candidates and extending your certification and location. Only certified brand in a positive manner to the community. (ISC)² credential holders may post resumes Make sure you choose a firm that has an on the (ISC)² Career Center. The service is established track record of success in the types of free of charge. (17)
  19. 19. reCruiTing Another avenue of recruiting is to build a Centers of Academic Excellence in Information partnership with an association and sponsor Assurance Education. programs or provide informational sessions that You may also wish to consider a student or recent might be appealing to their membership. Placing graduate who has attained the Associate of (ISC)² your organization’s name regularly in front of designation. This designation is earned by those security professionals is a great way to connect who pass the rigorous the CISSP® exam and with the person who is not actively looking but have committed to the professional Code of may be interested when he or she hears about Ethics but do not yet possess the requisite an opportunity. experience to be certified. If your position is one that a recent college graduate would be qualified for, consider contacting schools that have been qualified as a U.S. National Center of Academic Excellence in Information Assurance Education (CAEIAE) Program or regional equivalent (www.nsa. gov/ia/academia/caeiae.cfm). The goal of the U.S. program is to identify four-year colleges and graduate-level universities that demonstrate academic excellence in information security education. Currently, there are 85 National (18)
  20. 20. SCreening SCreening Education Options/Requirements: Detailed initial screening of the information • Associate Degree in systems administration security candidate will allow for a better • BA in information technology or related field assessment of whether an individual’s goals and motivators are in line with what the organization • BS in computer science or equivalent is seeking. information security experience Information security is a relatively new discipline • MS or MA for director or higher position and has a recently established educational • Ph.D. for professor, researcher, advanced curriculum and career path. For instance, many developer academic institutions have only been offering security-focused programs in the past five years or so. Besides the IT field, many more senior Technical Skills Required: information security professionals have come • Knowledge of network systems and security from the military, law enforcement and security protocols auditing fields. • Knowledge of security software programs and Below are some general requirements or implementation suggestions, broken down by education, technical skills and general skills. • Knowledge of best practices in developing security procedures and infrastructure (19)
  21. 21. SCreening General Skills and Aptitudes: • Ability to effectively relate security-related concepts to a broad range of technical and • Excellent oral, written and presentation skills non-technical staff.* • Strong conceptual and analytical skills • Ability to operate as an effective member of a team • Ability to manage multiple diverse tasks simultaneously • Strong project management skills (ability to manage the overall project while understanding the subcomponents and how they relate to the total project) • Possess a vendor-specific or vendor-neutral professional certification* • Excellent leadership qualities* • Demonstrate interpersonal and conflict management skills* * Helpful for advancement to information security management. (20)
  22. 22. inTervieWing inTervieWing Companies need to devote attention to selecting and preparing the interviewers. Those selected Before any interview, HR should work with the should have a clear understanding of the roles hiring manager and specialized external recruiter and responsibilities of the position and know to develop a set of evaluation criteria for all to the priority of skills required. In addition, all follow and confirm who the final decision maker interviewers must provide a consistent message will be. The final decision maker, along with the about the details of the position, such as reporting interviewers, may then create an evaluation structure, title, compensation, and responsibilities. form listing agreed upon critical profile points for each position. It can include specific technical Everyone must also take part in selling or requirements, cultural fit, communication and closing the candidate. This means everyone in presentation skills, potential for growth, and the interview process must be positive and relevant past experiences. informative, and highlight the position’s potential for growth. Interviewers must recognize that they Each interviewer ought to touch on all topics but are the face of your department and company, also be assigned specific profile points to delve and the image they present will make a significant into. This approach will facilitate a comprehensive impression on the candidate. understanding of the candidate’s strengths and weaknesses, allowing the decision maker to make While the hiring manager will likely focus on an informed choice when extending an offer. the hard technical skills, HR should help the interviewers get a sense of the candidate’s “soft” skills that he or she can communicate effectively (21)
  23. 23. inTervieWing and articulate business value. If the information Another good interview question can center security professional cannot positively influence on what differentiates the candidate from other employees, especially those not under his or her information security professionals. A quality to direct authority, processes and technology won’t look for includes how well a candidate articulates solve anything. Asking the candidate to explain a the effect their efforts have had on the success or security issue to a non-technical person can be bottom line of their organization. one way in evaluating their communications skills. Ask the candidate to describe a specific security The candidate should know how to deliver issue and how he or she solved it. The type of appropriate messages to different audiences and answers you hear define the traits of a successful tailor security posture to fit the specific needs security professional: and risk appetites of an organization. Ask the • Did they display an understanding of the cause candidate to provide examples of where he/she of the problem before they implemented the has utilized common ground to build credibility solution? and gain consensus. • Did they consider and anticipate the impact of Leadership is another key desired attribute, and different courses of action? asking for a specific example where the candidate demonstrated leadership can be helpful. Both the • Were they able to tailor the solution to meet answer and the manner in which it is answered the needs and risk appetites of the business, reflects leadership qualities. and how successful were they in communicating the results? (22)
  24. 24. inTervieWing Also, identify what your candidate reads and the Websites they visit. Information security is a field that’s constantly changing, so you should make sure a candidate is well-informed and keeping up with the latest forums, discussion groups and other industry sites. (23)
  25. 25. reFerenCeS/SeCuriTy CHeCkS reFerenCeS/SeCuriTy CHeCkS Test the candidate’s credibility by verifying academic and professional credentials, professional Checking references and verifying background background and personal references. (ISC)2® information are critical when hiring an information offers a free online certification verification tool security professional, as information security for employers that only takes a few seconds. Also, professionals have more access to employee, several vendor-neutral certification organizations, customer and proprietary data than often any including (ISC)2, require candidates to subscribe other single job function. Strong ethics and to a professional code of ethics and risk de- honesty are imperative. certification if they are found to be in violation. Professional references not only validate and Look at credit reports as an indication of financial verify an information security candidate’s problems that may influence misdeeds. Some of technical ability to do the job but also his/her the issues to consider are a record of multiple communication skills, personality and moral collections, civil judgments, bad debts, charge-offs, compass. An information security candidate who a tax lien or repossession. fails a background check either for errors of omission, misstatements of facts, or financial or Make sure you notify the applicant that he or legal problems presents a red flag, and great care she can dispute the information contained in the should be taken before proceeding any further background check report if he or she deems it to with the hiring process. be inaccurate or incomplete. (24)
CRAFTING AND PRESENTING AN OFFER

HR departments often fail to recognize that salary scales for information security professionals are higher than those of general IT practitioners, resulting in the extension of offers that are below market value and ultimately rejected. Information security is a field where conditions are constantly changing, and it is difficult to stay on top of the skill sets, profile and market value of security professionals. Be hesitant to rely on information security salary surveys by publications and industry analysts, as they are often not in line with the realities of the marketplace, offering estimates that are much lower than actual. These surveys do not take into account the specialist skills in demand, the different geographic regions and the different organizational layers that must be considered to make a competitive offer.

One of the more accurate salary surveys is included in the Global Information Security Workforce Study, which surveys thousands of information security professionals worldwide. It can be downloaded free of charge from the (ISC)2® website at www.isc2.org/workforcestudy.

Before making a decision on an offer, make sure the interview team:

• Collects and discusses evaluation criteria
• Understands the candidate's total current compensation and expectations
• Considers creative compensation alternatives to retain high-caliber talent

Again, everyone should be aware of the hiring process timeline. The more time taken to deliver the offer, the more likely the candidate will be contacted by other companies, may re-evaluate his or her current position, get promoted, or just plain lose interest. There is an inverse correlation between the length of time it takes to extend an offer and the number of offers accepted.

If you can, be creative in your job offer by including a bonus or commission tied to performance beyond the base salary. Many information security professionals are not attracted solely by salary and respond to opportunities to further their educational development, work on an innovative project, obtain professional certification, attend conferences, write and publish papers, join associations, etc. Many professionals appreciate the flexibility to network with their peers in addition to meeting the requirements of their job. Much of that networking also makes them more knowledgeable professionals.

It is also wise to discuss succession plans. Discuss professional growth and give examples of how other employees have developed a more prominent role during their tenure at the organization. Also consider the organization's policy for reimbursement of certification and education fees, continuing education, etc.

In the end, the hiring manager, HR and the recruiter should work together on presenting and selling the offer. Presentation and messaging are extremely important in making a successful offer and retaining the desired candidate. Information security professionals generally aren't prima donnas, but they often receive a certain level of attention from your competitors because of their specialized skills and high demand in the marketplace.
RETENTION

With the amount of competition for quality information security professionals, companies must take a more strategic and supportive approach to retention if they want to keep the new breed of evolving talent.

Develop a formalized career progression for the best and brightest members of your current information security team. One of the most distinctive and beneficial attributes of working in an information security department is the exposure one gets to operations, processes and technologies across the whole organization. This exposure provides a great training scenario for building the management teams of the future.

Also, defined career paths will help assure a continuing supply of capable successors for each important position within the security team. Organizations must work to satisfy the long-term career goals and need for professional challenges of their information security staff, because those staff are in such high demand in the job market.

HR professionals should also encourage information security employees to seek out opportunities in training and education. Evolving and emerging threats and attacks will continue to require security professionals to learn new skills and techniques. By cultivating home-grown talent, the HR team will be giving valued employees the tools to succeed, benefiting the organization in the long run. In addition, the reputation of having a strong security team can improve an organization's ability to hire the best candidates on the market.

Also allow the security professional to network with their peers to establish an external support network consisting of people outside of their company whom they can go to, openly or privately, for advice and support.
RESOURCES

AFCEA International
www.afcea.org

Alta Associates
www.altaassociates.com

American Council for Technology (ACT) and Industry Advisory Council
www.actgov.org

American National Standards Institute (ANSI)
www.ansi.org

ASIS International
www.asisonline.org

Computer Security Institute
www.gocsi.com

The Computing Technology Association (CompTIA)
www.comptia.org

Executive Women's Forum
www.infosecuritywomen.com

Information Assurance Professionals Association (IAPA)
www.iapa-glc.org

Information Systems Audit and Control Association (ISACA)
www.isaca.org

Information Systems Security Association (ISSA)
www.issa.org

Information Technology Association of America (ITAA)
www.itaa.org

International Association of Privacy Professionals
www.privacyassociation.org

International High Technology Crime Investigation Association (HTCIA)
www.htcia.org

International Information Systems Forensics Association (IISFA)
www.iisfa.org

International Information Systems Security Certification Consortium, Inc. [(ISC)2®]
www.isc2.org

Internet Security Alliance
www.isalliance.org

National Academic Centers of Excellence
www.nsa.gov/ia/academia/caeiae.cfm

SANS Institute
www.sans.org

Security Industry Association
www.siaonline.org
ACKNOWLEDGEMENTS

(ISC)² wishes to acknowledge the invaluable contributions of Joyce Brocaglia, president and CEO of Alta Associates, Inc., in the making of this guide. Founded in 1986, Alta Associates is widely respected as a leading information security recruiting firm, helping global enterprises build world-class information security departments for 22 years. For more information, please visit www.altaassociates.com
www.isc2.org/contactus