Tracking down and retaining the right security people poses problems for companies
If there's one thing almost everyone seems to agree on, it's that, despite the recession, few are going to be cutting back on security expenditure. Indeed, many companies are looking to expand their security operations because cybercriminals, disgruntled ex-employees and careless current employees with USB drives and laptops continue to increase the risks they pose to corporate data.
There is one other thing almost everyone agrees on: technology alone is not going to fix all security problems. It's going to take people: engineers to implement technology, consultants to test its effectiveness and managers to devise processes, organise budgets and set priorities. But while technology is easy to replicate, IT security professionals are a precious resource that can be hard to find, hard to recruit and hard to keep.
“The demand for good people is outstripping supply,” says John Colley, former head of information security at the Royal Bank of Scotland and managing director EMEA for non-profit industry education and training body (ISC)². “It has changed only slightly with the recession, with mergers putting a few more people in the job market.”
“It is very difficult to find the right people,” agrees Neil O'Connor, principal consultant at security testing company, Activity. “When the right person does come up, you recruit them.”
Indeed, Vernon Poole, head of business consultancy for Sapphire and a member of Isaca's information security management committee, says that many larger companies are looking overseas, in particular to “younger” countries such as South Africa and Australia, where they “aren't burned by regulations and get on with the job”. Poole says emerging markets, such as South America, Mexico, Japan, Taiwan and India, have similarly talented people, although companies looking to hire staff from these countries might have to “bed them in” because of different language and perspectives.
It is not difficult to find people claiming to be security professionals, despite an increasing number of security qualifications that make it easier to determine who has at least some formal knowledge. The problem is to weed out those without the right skills or attitude – or indeed to find someone with the right skills, since there is a good chance that anyone sufficiently competent for the job will already be employed elsewhere.
O'Connor says that advertising a job is usually not the best way to get the right sort of candidate. “I have advertised, but I have had a very variable standard of reply,” with a large number of poor CVs.
Instead, he uses a variety of methods. He says that clients are a good source of word-of-mouth recommendations, as are his competitors. “There's a friendly rivalry. When you meet someone, you ask if they know anyone looking for a job.”
But principally he uses networking and recruitment consultants. “Most people, if they're any good, have got a job already,” he says. Industry events such as Infosec are useful networking venues, as are Black Hat conferences, principally because security experts often attend to learn the latest techniques.
But with between 10,000 and 20,000 security professionals in the industry, meeting them all or relying on word of mouth can be problematic.
So recruitment consultants and agencies are the chief port of call for managers. The main agencies are Acumin, Barclay Simpson and Greythorn, but there are other, smaller firms, such as Harvey Nash and Computer People.
Colley says the agencies vary in quality. “Some go rooting through the house for CVs, while others do a much better job of matching CVs to the position. But if people don't meet the requirements, you just say ‘Please don't send any more’.”
Graeme Cox, MD and co-founder of Edinburgh-based managed service provider, dns, relies on graduate recruiters for entry-level jobs and on Harvey Nash IT director for Scotland, Rhona Hutchon, for senior posts. “I've built up a relationship with Rhona over many years and I value somebody who understands the culture of my business, so I don't get swamped with useless CVs. If I interview someone, I want there to be a significant chance of success.”
Cox says Hutchon's willingness to operate as part of his team means that he has continued to use her, even as she has moved between firms. Before contracting her five years ago, he had used other recruiters in a more ad hoc manner, and wasn't as close to them, viewing their services as a commodity. As a result, they weren't successful. He says he receives calls from at least five recruitment companies a week, offering candidates, and that he would be “swamped” if he tried to deal with them all.
Hutchon says that the secret to her finding the right people is networking and industry knowledge. “Sometimes, the people on the market aren't the top percentile of talent. Through networking, you know who the trusted individuals are and which organisations are the ones that develop good staff.” She also uses online advertising, user groups and attending relevant security events.
Another recruitment agency, Computer People, has a database of 400,000, mostly from CVs sent in, from which it draws its list of security professionals. The firm then employs a vetting procedure, including aptitude tests and competency-based interviews, to identify candidates' skills. The result, says Mohammed Lakhanpal, who heads the company's security recruitment team, is that most candidates he puts forward are hired on the strength of a phone interview.
The qualities people are looking for vary from job to job, with some roles requiring technical knowledge and others more business-oriented skills. However, Lakhanpal usually offers candidates with track records on long-term projects that have been on time and on budget.
As with most security recruiters, though, his main criteria include integrity, reliability and an “enthusiastic pride in what they do, someone who's still in love with their job. If it's someone in testing, they want to break something then make it unbreakable.”
O'Connor agrees. “They have to have an interest in security and bring an enthusiasm to it. If it's just another 9-5 job, then they're not the right person.”
Cox says that despite the trend towards people with business experience but little technical background, he still wants someone with IT experience. “They need to be able to connect with the IT security team. I won't hire technophobes who struggle to open their own laptops.”
Getting someone and keeping them, when skilled people are at a premium, isn't easy. Generally, says Hutchon, most security professionals are motivated by self-development and the content of the job – and to a lesser extent by money – so giving employees the chance to work on new things and developing a suitable training package can not only keep an employee but attract a new one to the job. With flatter management structures in IT meaning promotions are rare, recognition among peers that they have sector expertise can be a rewarding alternative, as can the chance to speak at conferences. Developing this training package in conjunction with the employee lets them expand their career the way they want and helps with morale.
Cox highlights one graduate employee who left dns after three years to get more money. However, he returned within a year, Cox says, since the new firm didn't value security in the same way as dns.
The expanding market for IS skills means that experienced, talented professionals are as hard to find as ever, despite the recession. However, with the right techniques, they can be found and with the right package and nurturing they can be hired and enticed to stay.
Ten reasons why ISO 27001 can make you a better IS security professional
1. ISO 27001 is internationally recognised, both the standard and associated auditing qualifications, so your experience will be too.
2. It is best practice: it is a distillation of genuine experience and thought, so you benefit from others' experience.
3. It is risk-based: it looks at what security a company actually needs rather than imposing a standard set of measures; it allows you to give appropriate, justified and cost-effective advice.
4. It is a management standard, not a technical standard: it provides a model for the management of security and so allows you to demonstrate decision-making skills.
5. It is holistic: it considers all aspects of information security, not just technical measures, so it demonstrates breadth as well as depth.
6. Organisations can be independently certified: it provides an external, independent benchmark for your security management.
7. It provides a process for ongoing risk management, allowing you to regularly review and analyse risk objectively.
8. It provides a process for security monitoring and improvement, allowing you to demonstrate the benefits of security and to justify investment in security.
9. It complements other management standards, such as ISO 9001, ISO 14001 and ISO 20001, allowing you to work with and understand other disciplines.
10. Every organisation that implements ISO 27001 has found that it has improved its management of information security – you can make a tangible, positive difference to the business.
CASE STUDY – BSKYB
It was in 2003, before the famous security breaches of recent years, that Mike Maddison was asked to establish a security function for satellite broadcaster BSkyB. It had decided that as a FTSE 20 company, IT security was a required element and it needed someone to provide security and governance.
Reporting directly to the CFO, Maddison found he had a “complete green field” site to work with. As a start, he took the “classic approach” of understanding the degree of risk first, before deciding how to put together his security team.
Once he knew what he needed, Maddison recruited both internally and externally. “Initially, I began by looking at people doing the work anyway as part of their day job. I found out who was interested in doing it, and who had the talent and the capabilities.” In particular, he was looking for a broad range of skills, not just technological, but regulatory and legal.
Externally, he looked to people he had worked with, and people he had heard of through word of mouth. As well as subject area expertise and experience of change management, he had other criteria. “I look for people with quality degrees and with a proven track record of development – people who had taken ownership of their development.”
Maddison says the degree subject didn't matter so much as its quality. “I hired someone with a degree in law from Cambridge and someone with an engineering degree from Edinburgh.” He believes degree quality shows whether someone is a “smart cookie” and whether they can learn.
He also looked for good communication skills and business-facing capabilities, not just excellence at implementing technology. “I needed people with business polish, people who could go into meetings, put across ideas and talk in terms the business understands.”
To convince people to join (and stay), Maddison used BSkyB's infrastructure and his own management techniques, including a competitive package, a company vision that made people feel they would be somewhere where they would make a difference – and dedication to career development. Training packages were tailored to each individual, with employees developing the plan themselves. Graduates and lower grades can train for “a raft of qualifications”.
It took six months for Maddison to get 80 per cent of his team in place, since he refused to sacrifice quality for speed. Indeed, he says maintaining quality can be a challenge, because security is very much in demand and there's a limited pool of people to draw on. So he put succession plans in place in case anyone felt motivated to leave – and didn't try to stop them. “Security is like audit was ten years ago. It was niche and a dead end, and now people recognise it's a good place to develop individuals. Sometimes, it's okay to move on and have a career.”
THE QUALIFICATIONS TRAIL
Over the last few years, the range of security qualifications available to everyone, from seasoned professionals to school-leavers, has blossomed. Many universities, including Royal Holloway, London Metropolitan, Leicester, Greenwich, Glamorgan, Birmingham, UCL and Westminster, offer MScs in information security and these can often provide an initial step into IS. The School of Information Risk Management (www.sirm.ac) operates some of these MScs and at the time of writing was about to offer a postgraduate diploma in information security and assurance (ISA), leading to an MSc.
A more vocational qualification for school leavers – and certainly quicker to obtain – is CompTIA Security+, which, over four days, provides entry-level security administrators with the understanding and skills necessary for secure inter-network communications. Cisco's CCNA (Cisco Certified Network Associate) certification is becoming almost a standard requirement for anyone wanting to enter the industry for a technical position, as is MCSE: Security (Microsoft Certified Systems Engineer), while CISA (Certified Information Systems Auditor) is also taking off.
The Certificate of Ethical Hacking is a very hot topic at the moment for the mid-tiers, according to recruitment firm Computer People's James Ramsdale, as is CISSP (Certified Information Systems Security Professional).
But, according to Vernon Poole (CISM), head of business consultancy for Sapphire and a member of the Information Systems Audit and Control Association (Isaca) information security management committee, most adverts for IS professionals over the past five years have requested a CISM (Certified Information Security Manager) qualification. This covers five main areas: information security governance; risk management; information security programme management; information security management; and response management.
So much has CISM begun to dominate qualifications that Isaca has developed a new qualification for higher-level jobs: Certified in the Governance of Enterprise IT (CGEIT).