Any recommendations for recruiting information security pros?

My organization is struggling to find and recruit qualified information security pros. Certifications would be nice, but primarily we're looking for smart people who have a little bit of experience. Is there anything you'd recommend we do in terms of trying to do some recruiting ourselves, or helping HR reel in the right people?

Recruiting qualified information security professionals is perhaps the most challenging aspect of the chief security officer's job nowadays. As I've written many times in the past, I believe that certifications are not terribly useful in determining whether a potential employee is qualified for an information security job, and I am pleased to see an organization not adhering to a certification-only hiring practice.

The reality is a corporation needs to have a couple of things going for it in order to attract good employees. First, having a competitive compensation package is a must. Security folks are in demand and that means they can (and should) command a premium salary and benefits to attract them. But it's about more than just money. Having a challenging work environment that will engage security pros and give them meaty projects they can work on is also important. Security professionals need to have a career path and corporations must be willing to make an investment in training and other education to keep their employees on the cutting edge both in technology and skills.

In terms of where to find these folks, company personnel (or recruiters) need to hang out where these folks do. That means in some of the security communities (for example, the Security Catalyst community, ha.ckers.org, etc.) as well as the more technically oriented conferences like SANS and DEFCON -- especially DEFCON, since a lot of younger security pros show up at that show looking to bolster their skills.

Most organizations must grow their own talent in-house, and information security is no exception. Consider looking for competent people with an interest in security within other technology groups, like the network team or application group, and then provide them with the training they need to understand and practice security. Talented information security practitioners don't grow on trees, so to speak, so wise organizations must plant the seeds to grow their own, which requires time and investment. Unless an organization is willing to overpay for talent, there aren't a lot of other ways to get it.

This was first published in June 2008