Ask the Expert

Any recommendations for recruiting information security pros?

My organization is struggling to find and recruit qualified information security pros. Certifications would be nice, but primarily we're looking for smart people who have a little bit of experience. Is there anything you'd recommend we do in terms of trying to do some recruiting ourselves, or helping HR reel in the right people?

    Requires Free Membership to View

    Login

Recruiting qualified information security professionals is perhaps the most challenging aspect of the chief security officer's job nowadays. As I've written many times in the past, I believe that certifications are not terribly useful in determining whether a potential employee is qualified for an information security job, and I am pleased to see an organization not adhering to a certification-only hiring practice.

The reality is a corporation needs to have a couple of things going for it in order to attract good employees. First, having a competitive compensation package is a must. Security folks are in demand and that means they can (and should) command a premium salary and benefits to attract them. But it's about more than just money. Having a challenging work environment that will engage security pros and give them meaty projects they can work on is also important. Security professionals need to have a career path and corporations must be willing to make an investment in training and other education to keep their employees on the cutting edge both in technology and skills.

In terms of where to find these folks, company personnel (or recruiters) need to hang out where these folks do. That means in some of the security communities (for example, the Security Catalyst community, ha.ckers.org, etc.) as well as the more technically oriented conferences like SANS and DEFCON -- especially DEFCON, since a lot of younger security pros show up at that show looking to bolster their skills.

Most organizations must grow their own talent in-house, and information security is no exception. Consider looking for competent people with an interest in security within other technology groups, like the network team or application group, and then provide them with the training they need to understand and practice security. Talented information security practitioners don't grow on trees, so to speak, so wise organizations must plant the seeds to grow their own, which requires time and investment. Unless an organization is willing to overpay for talent, there aren't a lot of other ways to get it.

More information:

This was first published in June 2008

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top