Hiring Guide to the Information Security Profession



INTRODUCTION

Welcome to the (ISC)² Hiring Guide to the Information Security Profession. It's no secret that it's not easy to find qualified experts to protect your organization. As the world's largest body of information security professionals, with more than 60,000 certified members in 130 countries, (ISC)² wants to help HR professionals, recruiters and hiring managers understand the scope of this burgeoning profession and lessen the pain of obtaining the best and brightest information security staff.

The information security profession is expanding rapidly. The 2008 (ISC)²/IDC Global Information Security Workforce Study (GISWS) showed that the number of professionals worldwide will increase to slightly more than 2.7 million by 2012, a compound annual growth rate of 10 percent from 2007 to 2012.

It wasn't always this way. Twenty years ago, the field of information security was in its infancy, and companies often brushed off threats to their infrastructure. Today, driven by legal and regulatory compliance and the desire to maximize global commerce, hiring first-rate information security staff is critical to mitigating risks that can destroy a company's reputation, violate privacy, result in the theft or destruction of intellectual property, and, in some cases, even endanger lives.

We hope this hiring guide, compiled with significant contributions from Alta Associates, will shine some light on the significance of this relatively new profession, as well as offer tips on ensuring your security staff is filled with talented and qualified professionals. You can also find more tools at the online (ISC)² Hiring Resource Center.

Best of luck in your recruiting efforts!

W. Hord Tipton, CISSP-ISSEP, CAP, CISA
Executive Director, (ISC)²

TABLE OF CONTENTS

- What is Information Security?
- The Evolving Role of the Information Security Profession
- What Types of Job Functions Exist?
- What are the Ideal Traits of an Information Security Professional?
- What are Typical Career Paths? ... 11
- Crafting a Job Description
- Certification Requirements
- Recruiting
- Screening
- Interviewing
- References/Security Checks
- Crafting and Presenting an Offer
- Retention
- Resources

WHAT IS INFORMATION SECURITY?

Governments, military, financial institutions, healthcare and private business today amass volumes of confidential information about their employees, customers, products, and financial status. Most of this information is now collected, processed and stored on computers and servers and transmitted across networked systems. Should such confidential information fall into the hands of outsiders, such a breach of security could lead to lost business, lawsuits, reputation damage and even bankruptcy. Protecting confidential information is a common-sense requirement these days, and in most cases is also a legal requirement.

Information security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The purpose of information security is to ensure that all information held by an organization, regardless of whether it resides on a computer hard drive or in a filing cabinet, is maintained with:

- Confidentiality - ensuring that information is accessible only to those authorized to have access;
- Integrity - safeguarding the accuracy and completeness of information and processing methods;
- Availability - ensuring that authorized users have access to information and associated assets when required; and
- Compliance - ensuring that all laws and industry regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers in the United States, Sarbanes-Oxley (SOX) for companies traded on the New York Stock Exchange and the European Directive on Data Protection for companies operating in Europe, are met.

The objective of an information security policy is to minimize damage to the organization by preventing and controlling the impact of security breaches. Information security provides the essential protective framework in which information can be shared while ensuring its protection from unauthorized users.

THE EVOLVING ROLE OF THE INFORMATION SECURITY PROFESSION

Years ago, the majority of people responsible for protecting information assets entered the field without a formal background or education and obtained their experience in broader disciplines, such as information technology (IT) or engineering, transferring into information security only as the need arose.

Unlike two decades ago, many younger professionals in today's sophisticated cyber world have information security in mind from the beginning, pursuing college degrees in information security, information assurance, or a related discipline such as computer science. They also likely have a working knowledge of network systems and security protocols, security software programs and implementation, and best practices for developing security procedures and infrastructure.

A secure organization requires seasoned professionals who can create and implement a program, obtain support and funding for the program, and make every employee a security-conscious citizen, all while adhering to necessary regulatory standards. In addition, it requires a team of technical practitioners to implement the policies set by the security manager.

Today's information security professionals work closely with HR, legal, audit, IT and other areas of business to mitigate risk throughout the organization. Many are now called upon as critical contributors to business decision-making.

In the face of these daunting challenges, the role of the professional has changed dramatically over the past few years. The successful professional must now quickly and securely respond to change, whether brought on by external and internal threats, or by customer demand for new goods and services. The professional must also implement integrated security solutions at all levels where people, processes and technologies intersect, and ensure they support the objectives of the organization.

Although having qualified information security professionals on staff is a necessity for organizations of all industries and sizes, it is especially important to those who hold critically sensitive information, such as financial, healthcare or insurance entities, or those who have to comply with strict legal or regulatory mandates.

WHAT TYPES OF JOB FUNCTIONS EXIST?

In the early days of information security, an organization hired a single security engineer who was an adjunct to the IT department and focused on network security and security administration. The position required an understanding of network protocols, firewalls and network vulnerabilities.

Today, with the increasing dependence upon the virtual world in every corner of business and society, the requirements and job functions of the information security profession have exploded. Security-specific roles include:

- Forensics Specialist
- IT Security Manager
- Certification & Accreditation Specialist
- Risk Manager
- Compliance Officer
- Security Architect
- Chief Information Security Officer
- Information Assurance Manager

The scope of traditional security roles has also expanded. The early role of security engineer now includes numerous areas of specialization, such as identity and access management, vulnerability management and application security. These positions require extensive technical backgrounds, as well as business risk analysis, so that the security controls appropriate to the specific organization can be developed.


WHAT ARE THE IDEAL TRAITS OF AN INFORMATION SECURITY PROFESSIONAL?

While the information security profession has become too complex for any one set of specific skills, there are general attributes that are important to consider when seeking a professional. A few of these ideal traits include:

Skills and Competencies

- A track record of developing information security and risk management solutions;
- A keen understanding of technology and the ability to leverage this knowledge to implement effective security solutions;
- An understanding of the industry, the company's place in the market, relevant regulatory and legal requirements, and how they can add value;
- Solid communications skills. These include the ability to influence employee behavior and perceptions. The best security policies won't be effective without buy-in from all employees;
- The ability to articulate business value. Professionals must know their audience and talk in a language they understand;
- Understands and manages risk. Security professionals must tailor their security postures to the specific needs and risk appetites of the organization;
- Ability to build strong relationships with the key stakeholders of the organization, including legal, HR, audit, physical security, PR, and risk managers; and
- Ability to see the overall security needs of an organization. Even in more traditional network security roles, organizations need professionals who can interpret technology in a way that's useful and in line with its business and risk management goals.

Personal Attributes

- A positive attitude. While professionals need a healthy dose of caution, the professional should emphasize the power of defense, rather than the negatives or costs of vulnerability;
- Commitment to ethics. To be effective, a professional must always tell the truth and never exaggerate about what can and can't be done; and
- Embraces the need to stay current in the latest security and technology knowledge.

WHAT ARE TYPICAL CAREER PATHS?

An information security professional can come from many different, non-security disciplines. Indeed, many exemplary professionals began their careers in technology and went on to learn security. Although professionals typically have technology backgrounds, increasingly they are also coming from risk assessment areas with strong project management experience.

The two most common job paths available to information security professionals are the security technologist and the security manager/strategist. Some professionals enjoy meeting the day-to-day technical challenges of the security technologist role and will remain there throughout their careers, although even this role increasingly requires the soft skills of business knowledge, communication and collaboration. Others acquire the management skills needed to bridge the gap between an organization's technical and business priorities.

Desired attributes for a security technologist may include:

- Deep understanding of multiple technologies
- Subject matter expertise in a technical domain
- Desire to remain part of the technical implementation and monitoring side of security

Desired attributes for a security manager may include:

- Broad understanding of multiple technologies
- Executive management and presentation skills
- Particular knowledge of a business line or product
- Desire to manage broader risk issues

(ISC)² CAREER PATH

(ISC)² provides a career path for information security professionals from the beginning of their career until retirement. We offer a unique blend of certifications, advanced education, rigorous testing and specialized concentrations. (ISC)² members are at the forefront of today's dynamic information security industry. Look for one of these credentials when you make your next hiring decision.

CRAFTING A JOB DESCRIPTION

A common misconception that still exists in many HR departments is that information security is part of information technology. In fact, because of expanding business requirements, the information security profession has splintered into many different facets beyond IT and offers specialization in process, auditing, policy, compliance and other topics. As with many fields, even a position with the identical job title in two departments of the same company can have different requirements.

If you are working with an experienced external recruiter who specializes in information security, this is the time to get them involved in the process. A knowledgeable recruiter can advise you on competitive salary ranges for the role and assist with the creation of the job description. Getting the recruiter involved this early in the process lays the groundwork for a successful partnership by creating a common understanding of the role and responsibilities and consistent messaging to potential candidates.

The key to developing a solid job description for the information security field is to ensure the hiring manager has an in-depth conversation with the HR department. Regardless of the level of the position, this initial discussion should help the hiring manager focus on what the organizational chart looks like, where this position sits, its roles and responsibilities, how the position relates to the larger organization, and expectations for success.

An information security manager's job description may include:

- Develop and oversee implementation of the organization's information security policies and procedures;
- Oversee implementation of the organization's information security policies and procedures;
- Ensure unauthorized intrusions, access and tampering are prevented, and detect and remediate security incidents quickly;
- Ensure the most effective and appropriate security technology tools are selected and correctly deployed;
- Provide information security awareness training to all employees, contractors, alliances, and other third parties;
- Monitor compliance with the organization's information security policies and procedures among employees, contractors, alliances, and other third parties;
- Monitor internal control systems to ensure that appropriate information access levels and security clearances are maintained;
- Perform information security risk assessments and ensure auditing of information security processes;
- Prepare the organization's disaster recovery and business continuity plans for information systems;
- Monitor changes in legislation and accreditation standards that affect information security.

CERTIFICATION REQUIREMENTS

In the requirements area, in addition to the education and experience level you are seeking, it's important to determine the professional certification that best validates a candidate's suitability for the position.

If you are seeking a security technologist, a vendor certification that matches your organization's particular technology environment, such as certifications from Microsoft or Cisco, might be desirable. A vendor-neutral certification, to ensure the security technologist understands the overarching principles of effective security and can communicate well with security management, is also desirable. These include certifications such as the Systems Security Certified Practitioner (SSCP) from (ISC)² and the GIAC from SANS.

According to the 2008 Global Information Security Workforce Study, 78 percent of security hiring managers worldwide believe in the importance of information security certifications as a hiring criterion. Employee competency and quality of work remain the top reasons that employers and hiring managers continue to place emphasis on security certifications. Company policy and regulations are becoming critical reasons as well.

For security management positions, the industry's gold standard certification is the Certified Information Systems Security Professional (CISSP), also from (ISC)². The CISSP was developed by information security pioneers in the early 1990s and is the first and most respected security credential on the market. It tests the broadest knowledge of any information security certification with a six-hour exam on its CISSP CBK, a regularly updated taxonomy of global information security topics. It also requires the candidate to possess five years of experience in at least two domains of the CBK, obtain endorsement by a certified (ISC)² professional, subscribe to the (ISC)² Code of Ethics, and complete annual continuing professional education requirements to remain certified.

Other professional security certifications include the Certified Information Security Auditor (CISA) and Certified Information Security Manager (CISM) from ISACA, as well as CISSP Concentrations from (ISC)² in management, architecture and engineering.

RECRUITING

Information security professionals possess highly specialized skills that are in high demand. Because of this demand, talented professionals are often available for just a few weeks. It's a fact of the current market that organizations must hire a desired candidate quickly. Many qualified candidates are lost because the hiring process went on too long. To be competitive in successfully recruiting information security professionals, the HR department should partner with the hiring manager and a specialized recruiter to streamline the hiring process before recruiting begins.

Engaging a specialized recruiter can have many benefits, including reducing your time to hire, reaching passive candidates and extending your brand in a positive manner to the community. Make sure you choose a firm that has an established track record of success in the types of roles that you are filling and knowledge of your industry. Ask for references and gain a comfort level with the recruiter to ensure that you are confident they are capable of partnering with you on the full life cycle of recruitment, from sourcing the candidate through negotiating an acceptance. Developing a trusted partnership with a specialized recruiter will enable you and the hiring manager to have confidence that you are finding the best possible candidate in the most expedient time frame.

Professional associations can also be an excellent resource for finding the right candidate. (ISC)², for instance, offers employers access to more than 60,000 certified members worldwide through its online Career Tools. Employers can post jobs and search resumes by industry, specific certification and location. Only certified (ISC)² credential holders may post resumes on the (ISC)² Career Tools. The service is free of charge.

Another avenue of recruiting is to build a partnership with an association and sponsor programs or provide informational sessions that might be appealing to their membership. Placing your organization's name regularly in front of security professionals is a great way to connect with the person who is not actively looking but may be interested when he or she hears about an opportunity.

If your position is one that a recent college graduate would be qualified for and is in the United States, consider contacting schools that have been qualified as a U.S. National Center of Academic Excellence in Information Assurance Education (CAEIAE) Program ( gov/ia/academic_outreach/nat_cae/index.shtml). The goal of the U.S. program is to identify four-year colleges and graduate-level universities that demonstrate academic excellence in information security education. Currently, there are 85 National Centers of Academic Excellence in Information Assurance Education. If the position is outside of the United States, check for similar schemes in the country in which you operate.

You may also wish to consider a student or recent graduate who has attained the Associate of (ISC)² designation. This designation is earned by those who pass the rigorous CISSP exam and have committed to the professional Code of Ethics but do not yet possess the requisite experience to be certified.

SCREENING

Detailed initial screening of the information security candidate will allow for a better assessment of whether an individual's goals and motivators are in line with what the organization is seeking. Information security is a relatively new discipline and has a recently established educational curriculum and career path. For instance, many academic institutions have only been offering security-focused programs in the past five years or so. Besides the IT field, many more senior information security professionals have come from the military, law enforcement and security auditing fields.

Below are some general requirements or suggestions, broken down by education, technical skills and general skills.

Education Options/Requirements:

- Associate Degree in systems administration
- BA in information technology or related field
- BS/BSc in computer science or equivalent information security experience
- MS/MSc, MA or MBA for director or higher position
- Ph.D. for professor, researcher, advanced developer

Technical Skills Required:

- Knowledge of network systems and security protocols
- Knowledge of security software programs and implementation
- Knowledge of best practices in developing security procedures and infrastructure

General Skills and Aptitudes:

- Excellent oral, written and presentation skills
- Strong conceptual and analytical skills
- Ability to effectively relate security-related concepts to a broad range of technical and non-technical staff *
- Ability to operate as an effective member of a team
- Ability to manage multiple diverse tasks simultaneously
- Strong project management skills (ability to manage the overall project while understanding the subcomponents and how they relate to the total project)
- Possess a vendor-specific or vendor-neutral professional certification *
- Excellent leadership qualities *
- Demonstrate interpersonal and conflict management skills *

* Helpful for advancement to information security management.

INTERVIEWING

Before any interview, HR should work with the hiring manager and specialized external recruiter to develop a set of evaluation criteria for all to follow and confirm who the final decision maker will be. The final decision maker, along with the interviewers, may then create an evaluation form listing agreed-upon critical profile points for each position. It can include specific technical requirements, cultural fit, communication and presentation skills, potential for growth, and relevant past experiences. Each interviewer ought to touch on all topics but also be assigned specific profile points to delve into. This approach will facilitate a comprehensive understanding of the candidate's strengths and weaknesses, allowing the decision maker to make an informed choice when extending an offer.

Companies need to devote attention to selecting and preparing the interviewers. Those selected should have a clear understanding of the roles and responsibilities of the position and know the priority of skills required. In addition, all interviewers must provide a consistent message about the details of the position, such as reporting structure, title, compensation, and responsibilities. Everyone must also take part in selling or closing the candidate. This means everyone in the interview process must be positive and informative, and highlight the position's potential for growth. Interviewers must recognize that they are the face of your department and company, and the image they present will make a significant impression on the candidate.

While the hiring manager will likely focus on the hard technical skills, HR should help the interviewers get a sense of the candidate's soft skills: whether he or she can communicate effectively and articulate business value. If the information security professional cannot positively influence employees, especially those not under his or her direct authority, processes and technology won't solve anything. Asking the candidate to explain a security issue to a non-technical person can be one way of evaluating their communications skills. The candidate should know how to deliver appropriate messages to different audiences and tailor security posture to fit the specific needs and risk appetites of an organization. Ask the candidate to provide examples of where he/she has utilized common ground to build credibility and gain consensus.

Leadership is another key desired attribute, and asking for a specific example where the candidate demonstrated leadership can be helpful. Both the answer and the manner in which it is answered reflect leadership qualities.

Another good interview question can center on what differentiates the candidate from other information security professionals. A quality to look for is how well a candidate articulates the effect their efforts have had on the success or bottom line of their organization.

Ask the candidate to describe a specific security issue and how he or she solved it. The type of answers you hear define the traits of a successful security professional: Did they display an understanding of the cause of the problem before they implemented the solution? Did they consider and anticipate the impact of different courses of action? Were they able to tailor the solution to meet the needs and risk appetites of the business, and how successful were they in communicating the results?

Also, identify what your candidate reads and the Websites they visit. Information security is a field that's constantly changing, so you should make sure a candidate is well-informed and keeping up with the latest forums, discussion groups and other industry sites.

REFERENCES/SECURITY CHECKS

Checking references and verifying background information are critical when hiring an information security professional, as information security professionals often have more access to employee, customer and proprietary data than any other single job function. Strong ethics and honesty are imperative. Professional references not only validate and verify an information security candidate's technical ability to do the job but also his/her communication skills, personality and moral compass.

An information security candidate who fails a background check, whether for errors of omission, misstatements of facts, or financial or legal problems, presents a red flag, and great care should be taken before proceeding any further with the hiring process. Test the candidate's credibility by verifying academic and professional credentials, professional background and personal references. (ISC)² offers a free online certification verification tool for employers that only takes a few seconds. Also, several vendor-neutral certification organizations, including (ISC)², require candidates to subscribe to a professional code of ethics and risk decertification if they are found to be in violation.

Look at credit reports as an indication of financial problems that may influence misdeeds. Some of the issues to consider are a record of multiple collections, civil judgments, bad debts, charge-offs, a tax lien or repossession. Make sure you notify the applicant that he or she can dispute the information contained in the background check report if he or she deems it to be inaccurate or incomplete.

CRAFTING AND PRESENTING AN OFFER

HR departments often fail to recognize that salary scales for information security professionals are higher than those of general IT practitioners, resulting in the extension of offers that are below market value and ultimately rejected. Information security is a field where conditions are constantly changing, and it is difficult to stay on top of the skill sets, profile and market value of security professionals.

Be hesitant to rely on information security salary surveys by publications and industry analysts, as they are often not in line with the realities of the marketplace, offering estimates that are much lower than what is actually needed to retain high-caliber talent. They don't take into account the specialist skills in demand, the differences between geographic regions and organizational levels, all of which must be considered to make a competitive offer. One of the more accurate salary surveys is included in the Global Information Security Workforce Study, which surveys thousands of information security professionals worldwide. It can be downloaded free of charge from the (ISC)² Website.

Before making a decision on an offer, make sure the interview team:

- Collects and discusses evaluation criteria
- Understands the candidate's total current compensation and expectations
- Considers creative compensation alternatives

Again, everyone should be aware of the hiring process time line. The more time taken to deliver the offer, the more likely the candidate will be contacted by other companies, may re-evaluate his/her current position, get promoted, or just plain lose interest. There is an inverse correlation between the length of time it takes to extend an offer and the number of offers accepted.

If you can, be creative in your job offer by including a bonus or commission related to performance beyond the base salary. It's a fact, too, that many information security professionals are not attracted solely by salary and respond to opportunities to further their educational development, work on an innovative project, obtain professional certification, attend conferences, write and publish papers, join associations, etc. Many professionals appreciate the flexibility to network with their peers in addition to meeting the requirements of their job. Much of that networking also makes them more knowledgeable professionals.

It is also wise to discuss succession plans. Discuss professional growth and give examples of how other employees have developed a more prominent role during their tenure at the organization. Also consider the organization's policy for reimbursement of certification and education fees, continuous education, etc.

In the end, the hiring manager, HR and recruiter should work together on presenting and selling the offer. Presentation and messaging are extremely important in making a successful offer and retaining the desired candidate. Information security professionals generally aren't prima donnas, but they often receive a certain level of attention from your competitors because of their specialized skills and high demand in the marketplace.

RETENTION

With the amount of competition for quality information security professionals, companies must take a more strategic and supportive approach to retention if they want to keep the new breed of evolving talent.

Develop a formalized career progression for the best and brightest members of your current information security team. One of the most unique and beneficial attributes of working in an information security department is the exposure one gets to operations, processes and technologies across the whole organization. This exposure provides a great training scenario for building the management teams of the future. Also, defined career paths will help assure the continuing supply of capable successors for each important position within the security team. Organizations must work to satisfy the long-term career goals and need for professional challenges of their information security staff because they are in such high demand in the job market.

HR professionals should also encourage information security employees to seek out opportunities in training and education. Evolving and emerging threats and attacks will continue to require security professionals to learn new skills and techniques. By cultivating home-grown talent, the HR team will be giving valued employees the tools to succeed, benefiting the organization in the long run. In addition, the reputation of having a strong security team can result in an organization's ability to hire the best candidates on the market.

Also allow the security professional to network with their peers to establish an external support network consisting of people outside of their company that they can go to openly or privately for advice and support.

Resources

AFCEA International
Alta Associates
American Council for Technology (ACT) and Industry Advisory Council
American National Standards Institute (ANSI)
ASIS International
Computer Security Institute
The Computing Technology Association (CompTIA)
European Network and Information Security Agency (ENISA)
ECRYPT: European Network of Excellence for Cryptology
EEMA (The European Association for e-Identity and Security)
The European Information Society Group (EURIM)
Executive Women's Forum
Information Security Forum (ISF)
Information Systems Audit and Control Association (ISACA)
Information Systems Security Association (ISSA)
Information Technology Association of America (ITAA)
Institute for Information Security Professionals
International Association of Privacy Professionals
International Federation for Information Processing
International High Technology Crime Investigation Association (HTCIA)
International Information Systems Forensics Association (ITFSA)
International Information Systems Security Certification Consortium, Inc. [(ISC)²]
International Security, Trust, and Privacy Alliance (ISTPA)
International Standards Organization
Internet Security Alliance
The Jericho Forum
National Academic Centers of Excellence
SANS Institute
Security Industry Association

Acknowledgements

(ISC)² wishes to acknowledge the invaluable contributions of Joyce Brocaglia, president and CEO of Alta Associates, Inc., in the making of this guide. Founded in 1986, Alta Associates is widely respected as a leading information security recruiting firm, helping global enterprises build world-class information security departments for 23 years. For more information, please visit

(09/09)


More information

UNIVERSITY OF MIAMI SCHOOL OF BUSINESS ADMINISTRATION MISSION, VISION & STRATEGIC PRIORITIES. Approved by SBA General Faculty (April 2012)

UNIVERSITY OF MIAMI SCHOOL OF BUSINESS ADMINISTRATION MISSION, VISION & STRATEGIC PRIORITIES. Approved by SBA General Faculty (April 2012) UNIVERSITY OF MIAMI SCHOOL OF BUSINESS ADMINISTRATION MISSION, VISION & STRATEGIC PRIORITIES Approved by SBA General Faculty (April 2012) Introduction In 1926, we embarked on a noble experiment the creation

More information

HOW TO ADDRESS THE CURRENT IT SECURITY SKILLS SHORTAGE

HOW TO ADDRESS THE CURRENT IT SECURITY SKILLS SHORTAGE HOW TO ADDRESS THE CURRENT IT SECURITY SKILLS SHORTAGE ISACA S CYBER SECURITY NEXUS Ivan Sanchez-Lopez Senior Manager Information Security, IT Risk & Continuity, DHL Global Forwarding ISACA Luxembourg

More information

The IBM data governance blueprint: Leveraging best practices and proven technologies

The IBM data governance blueprint: Leveraging best practices and proven technologies May 2007 The IBM data governance blueprint: Leveraging best practices and proven technologies Page 2 Introduction In the past few years, dozens of high-profile incidents involving process failures and

More information

THE SANS 2005-2007 INFORMATION SECURITY SALARY & CAREER ADVANCEMENT SURVEY

THE SANS 2005-2007 INFORMATION SECURITY SALARY & CAREER ADVANCEMENT SURVEY THE SANS 2005-2007 INFORMATION SECURITY SALARY & CAREER ADVANCEMENT SURVEY What factors impact compensation? Which security certifications matter? What makes security people mad? What matters for career

More information

Career Management. Making It Work for Employees and Employers

Career Management. Making It Work for Employees and Employers Career Management Making It Work for Employees and Employers Stuck in neutral. That s how many employees around the world would describe their career. In fact, according to the 2014 Global Workforce Study,

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

How To Write A National Cybersecurity Act

How To Write A National Cybersecurity Act ROCKEFELLER SNOWE CYBERSECURITY ACT SUBSTITUTE AMENDMENT FOR S.773 March 17, 2010 BACKGROUND & WHY THIS LEGISLATION IS IMPORTANT: Our nation is at risk. The networks that American families and businesses

More information

Compliance in the Corporate World

Compliance in the Corporate World Compliance in the Corporate World How Fax Server Technology Minimizes Compliance Risks Fax and Document Distribution Group November 2009 Abstract Maintaining regulatory compliance is a major business issue

More information