New Rules for Hiring Information Security Staff

Last week, I spent two days with a small group of Fortune 500 CISOs at IREC’s offices in Arlington, talking about 2010 investments. The conversation reflected a worry from CISOs that I’ve heard frequently in my travels over the past year: that the recession’s acceleration of business rate-of-change, combined with continued “innovation” from external threats, means CISOs are starting to fall short on the talent required to keep up with such changes.

Increasingly, the controls needed to achieve our key outcomes—information protection, compliance, and resiliency—are outside our direct purview. We are spending most of our time negotiating with business and IT partners to implement necessary controls…but since the CISO can’t be everywhere at once, we desperately need security staff who can do the same thing. We need people who are skilled at influencing others to action.

Yet most of us still hire primarily for technical skills. Those skills are invaluable once you’ve secured executive buy-in to implement a given control, but technical staff tend to think in terms of black-and-white, not the shades of gray required to negotiate with and convince skeptical (and budget-constrained) business executives who have priorities other than information security.

Our study on Boosting CISO Effectiveness (full study behind the IREC paywall) identified a number of highly effective techniques for hiring and training leadership-level security talent. Here are our top three tips:

Look to Non-Traditional Sources of Talent: office of the COO, customer service…or what about marketing? (Sound crazy? CISOs often cite Marketing as the division most difficult to work with—how valuable would it be to have one of “them” working for us?) One CISO out in Palo Alto said that his most effective people are ex-WebSphere developers. They have cross-platform (and cross-tower) technical knowledge, but also extensive experience liaising directly with business partners.

Prioritize Project Management Experience: this goes to whether a potential new hire can recognize when they are getting stuck in the weeds, or spending too much time “doing” the technical work themselves. Project management experience is a signal that the individual has worked with different stakeholders, and you can probe that experience in the interview to gauge their effectiveness at negotiation and communication. Unisys (behind IREC paywall) has a best-practice program that highlights the key skills these folks should have.

Own staff development yourself: once you have hired the right people with the communication and business savvy you need, don’t neglect developing those folks. IREC collaborated with our good friends in the Learning & Development Roundtable to develop a program for leaders to develop other leaders (behind IREC paywall) that you ought to have a look at. There is no substitute for leader-led development.

Bottom line: our environment has changed and continues to change, and the implication for Information Security is that we need, much more than ever before, to “influence others to action.” If we don’t begin to augment our skill-set now, we’re liable to end up with a list of well-prioritized initiatives that we simply can’t execute.


One Comment on “New Rules for Hiring Information Security Staff”

  1. […] Diminished Standalone IT Role. As many IT resources get externalized or absorbed into the business services organization, the standalone IT function will become smaller. This implies the security function will need to have people with different skills. Security people in the new IT organization will need skills to work with business as well as other corporate functions, as we discussed in our recent blog posting. […]
