The reality is that a corporation needs to have a couple of things going for it in order to attract good employees. First, having a competitive compensation package is a must. Security folks are in demand, and that means they can (and should) command a premium salary and benefits. But it's about more than just money. Having a challenging work environment that will engage security pros and give them meaty projects they can work on is also important. Security professionals need to have a career path, and corporations must be willing to make an investment in training and other education to keep their employees on the cutting edge in both technology and skills.
In terms of where to find these folks, company personnel (or recruiters) need to hang out where these folks do. That means in some of the security communities (for example, the Security Catalyst community, ha.ckers.org, etc.) as well as the more technically oriented conferences like SANS and DEFCON -- especially DEFCON, since a lot of younger security pros show up at that show looking to bolster their skills.
Most organizations must grow their own talent in-house, and information security is no exception. Consider looking for competent people with an interest in security within other technology groups, like the network team or application group, and then provide them with the training they need to understand and practice security. Talented information security practitioners don't grow on trees, so to speak, so wise organizations must plant the seeds to grow their own, which requires time and investment. Unless an organization is willing to overpay for talent, there aren't a lot of other ways to get it.
This was first published in June 2008