All recruitment decisions involve some element of risk. Every year, thousands of organisations offer contracts to people who subsequently prove to be unqualified or unsuited for the jobs they were hired to do. It's an expensive mistake to make. According to the Chartered Institute of Personnel and Development's 2007 Recruitment, Retention and Development survey, the average cost of hiring a new team member stands at somewhere between £4,333 and £7,750 per recruit.
But when it comes to IT security professionals, far more is at stake, says Ed Zeitler, executive director of (ISC)2. "Hiring first-rate infosec staff is critical to mitigating risks that can destroy a company's reputation, violate privacy, result in the theft or destruction of intellectual property, and even endanger lives," he says. "Choosing the wrong people to fill those positions just increases the chance of such disasters occurring."
As businesses and society come to rely more heavily on technology, he adds, the need to find and retain qualified and talented professionals to protect information assets has never been greater. And recent high-profile data security breaches are sending many companies scrambling to sign up the best and brightest information security staff to protect their own assets.
The 2006 Global Information Security Workforce Study (GISWS), conducted for (ISC)2, reported that the number of information security professionals worldwide in 2006 was approximately 1.5 million. This figure is expected to just top 2 million by 2010, a compound annual growth rate of 7.8 per cent over five years, compared with a projected 4.6 per cent growth in the number of IT employees globally over the same period.
But is the IT security profession ready to incorporate this burgeoning workforce? After all, it has grown up in a pretty ad hoc way over the past 20 years. As a result, there are few widely recognised definitions of what IT security should cover, let alone consensus on what qualifications and experience individuals should have.
More importantly, how can managers ensure they select the best of the available talent? Certainly, it's not just a matter of technical skills and qualifications, says Paul Wood, a corporate board member of the IISP (Institute of Information Security Professionals) and group business protection director at insurance giant Aviva.
"I'm looking for someone who can deliver pragmatic solutions to real business problems. If a candidate is too technically focused, they may have a tendency to turn areas of the organisation into Fort Knox - and nothing makes the wider business lose faith in IT security faster than that," he says. "The last thing I want to see is a security solution that will make employees' daily tasks unworkable."
In fact, to some extent, qualifications can be "a real turn-off", he adds. "I've interviewed plenty of people with first-rate qualifications but no real business understanding."
The message is that senior information security professionals need to look beyond certificates to ensure that a potential recruit is up to the job. But qualifications are still vital, according to the 2006 GISWS survey, which found that 85 per cent of hiring managers believe information security certifications are either "somewhat" or "very" important when making hiring decisions.
At IT recruitment consultancy Computer People, accreditation is becoming more important every year. "One of the biggest trends in our business is the growing number of clients who closely scrutinise the accreditation of IT security candidates. For most, qualifications are a stated prerequisite," says Mohammed Lakhanpal, a London-based branch manager at the company.
Computer People is also seeing a rise in the number of candidates on its 300,000-strong database, from new graduates to IT directors, who have accreditations, and according to Lakhanpal, the salaries and rates clients are prepared to pay for accredited security staff are also going up year on year. For example, candidates with the CISSP qualification have seen contract day rates rise from £372 to £468 per day in the past year, he reports.
Of course, it all depends on what level of employee you are hiring for. At lower levels, it's worth remembering that the best security recruit may already be lurking within another department in your organisation, points out Peter Bassill, group information security officer for gaming company Gala Group.
"Some of the best security analysts I've recruited have come from the call centre and customer service areas," he says. "I think that's because they're already familiar with the mission-critical systems that run the business and have a unique insight into how security issues arise in customer transactions. Training them in specific technologies doesn't take long."
Another benefit of recruiting internally is that trust already exists between employer and employee, says Paul Simmonds, global information security officer at chemicals giant ICI. "Trust is built up over time - recruit from within where possible," he advises.
Under the spotlight
Interview technique also plays a key role in identifying the best candidates, says Lakhanpal. Recruitment consultants at Computer People, for example, use competency-based interviewing (CBI), in which candidates are asked open-ended questions that encourage them to talk about particular incidents in their own working lives. These, Lakhanpal says, reveal how they use their personal, interpersonal and decision-making skills to solve problems. "Seeing how someone has handled past situations and projects can tell you a lot about how they will handle similar situations in future and help you decide if they are the right person for the job," he explains.
Interviews should also be conducted with a view to revealing the candidate's thought processes, adds Simmonds. "A divergent thought process is a good thing - you want someone who looks at people, processes and systems and asks 'how can I break this?'"
The classic recruitment mistake many CISOs make, he says, is hiring someone who is too much like themselves. "You should recruit to fill the gaps in your knowledge and experience," he advises.
For Zeitler, who served as chief information security officer at VW Credit before joining (ISC)2, candidates must have a passion for the subject. "Security risks change and grow so quickly these days that you need to build a team that is prepared to continually stay abreast of developments, whether that's by scanning the internet for details of emerging threats or by networking with their peers from different sectors to build their body of knowledge," he says.
Excellent communication skills are similarly vital, he continues. First, the information security specialist increasingly needs to be able to work closely with their line-of-business colleagues to identify areas in the organisation where a breach could occur.
Second, they need to be able to make an effective case for investment in security to senior level executives who sign off such purchases. "I hesitate to use the term 'salesperson', but there is certainly an element of marketing involved. Powers of persuasion are a very attractive commodity in an IT security professional," he says.
The trouble with HR
It is unfortunate, adds Zeitler, that the IT security and human resources departments are not more adept at working together on the recruitment challenge.
In a poll of 4,000 information security professionals conducted by (ISC)2 last December, more than half said they don't receive value from their HR department and a similar proportion said they don't involve HR in the hiring process. That situation needs to change, he says. "HR professionals generally understand the requirements and skills needed for an IT, accounting or marketing position but, given the immaturity of the information security profession, may not be aware of what's required to fill those positions."
While the hiring manager will generally know the desired qualifications they want from a potential employee, he says, "HR may be in the best position to screen for the personal characteristics that would be of value to the department, such as individuals who can handle a fast-paced environment and provide an overall 'fit' with the organisation."
By working together, HR and the information security department can in essence act as "extensions" of each other, he adds. To address this issue, (ISC)2 recently released a Hiring Guide to the Information Security Profession to educate HR staff about the specific needs of the IT security function; it covers typical job functions and offers tips on hiring, recruiting and retaining highly qualified staff.
IT security and HR departments also need to work together on retention strategies to ensure that valued IT security staff are not lured away by a competitor. "Retention is a critical issue occupying senior IT security professionals right now, because once you've found the best people, you simply can't afford to let them go," agrees Wood of Aviva. "In a business environment where there is high demand for ambitious and accomplished IT security professionals, there's huge pressure to hang on to those you've got."
With that in mind, he says, the most savvy senior IT security professionals are ahead of the game in terms of offering exciting career development opportunities, attractive remuneration, and the chance to participate in mentoring and networking programmes to their brightest and best. After all, they're a valuable asset. "Guard that asset with your life," he advises.
TRICKS OF THE TRADE: THE SECRET CSO
When job candidates arrive to interview for an IT security position at a leading gaming company, they'd better be on their toes. The firm's group information security officer has a host of tricks up his sleeve intended to identify the most astute among prospective recruits.
He might, for example, arrange for apparently "confidential" documents to be left on the reception desk. These are fakes, of course, but the head of information security wants to see if candidates spot them and alert him to this potential breach.
Or he may put interviewees on the spot by asking them to name their favourite security exploit and explain exactly why they think it is so ingenious.
And he is more than likely to place them in a series of tricky hypothetical situations - for example, a senior manager bullying them to reveal a colleague's password in order to access files - that will test their ability to weigh up the practical and ethical implications of their actions and react appropriately.
"Confidence is a huge asset in an IT security professional," he explains. "I need to see that someone can act decisively, even when conflicting pressures are being brought to bear on them, and stand by their decisions, even the unpopular ones."
But most of all, he is looking for imagination - a quality he finds sorely lacking in many candidates. "I get a lot of good graduates through my doors and they're excellent on the theory of IT security, but they don't necessarily have the ability to think laterally - to dream up new and better ways of solving existing problems."
Right now, he adds, he has a work placement student who has quickly gained a reputation for "hare-brained" thinking that is actually helping the company to spot vulnerabilities in code that senior members of the team haven't identified.
"This guy has a great ability to look at a piece of code and see where two conditions might combine to create a security gap - and that's too rare a skill, in my opinion."
QUALIFICATIONS - JUST A PIECE OF PAPER?
"Smart candidates for IT security positions make sure they understand accreditation." That's the advice of Mohammed Lakhanpal, a London-based branch manager at IT recruitment company Computer People. But in an industry littered with certifications, how can smart candidates figure out which ones hiring companies want?
Last year, analysts at IT market research company IDC warned that organisations were starting to view qualifications as "less relevant" because there were so many of them. "Six years ago, there were 15 different security certifications," said the report. "Today the number has grown to more than 40 vendor-neutral and more than 25 vendor-specific certifications, making it difficult for employers to discern which certifications carry the greatest value."
Vendor certifications may be a useful start, but generally only tell you that an individual knows how to configure and manage a particular piece of kit or software. For higher-level positions, senior information security professionals will be looking for far deeper skills: policy documentation, for example, or strategic planning.
The CISSP (Certified Information Systems Security Professional) certification, administered by (ISC)2, is currently considered a "gold standard" for managers within IT security departments, according to Lakhanpal.
Candidates must have at least five years' relevant work experience in two or more of the ten domains of the CISSP common body of knowledge (CBK), which cover all areas of IT security, from access control to business continuity. Alternatively, four years' work experience plus an applicable college degree or a credential from the (ISC)2-approved list also qualifies candidates for the certification.
Accreditation by ISACA (the Information Systems Audit and Control Association) is also widely recognised globally, in the form of the CISA (Certified Information Systems Auditor) and the CISM (Certified Information Security Manager).
In the UK, the British Computer Society offers a Certificate in Information Security Management Principles, intended both for those already working in information security management and for those who want to move into it.
The SANS Institute, meanwhile, offers a suite of certifications under the GIAC (Global Information Assurance Certification) program. While GIAC certifications are intended primarily for practitioners, there are a few that would be appropriate for early-career managers. The GIAC Information Security Officer (GISO), for example, is an entry-level certification that includes knowledge of threats, risks and best practices. The GIAC Security Essentials Certification (GSEC) is an intermediate-level certification that demonstrates basic information security knowledge for both practitioners and managers.
Most chief information security officers agree, however, that possession of one or more certifications, even CISSP or CISA, doesn't necessarily indicate the existence of good security intuition. Practical work experience goes further than most computer-science graduates seem to understand and that should be the priority for anyone looking to build a career in IT security, says Paul Wood, group business protection director of insurance company Aviva.
"What graduates need to realise is that their degree may have given them some basic grounding, but it's workplace assignments and practical dissertations that focus on real business issues that really count," he advises.