
Any recommendations for recruiting information security pros?

Finding qualified information security pros is a tough job because security certifications don't necessarily mean competence. So what makes the difference between a security pro and a security amateur? Security management expert Mike Rothman weighs in.

My organization is struggling to find and recruit qualified information security pros. Certifications would be nice, but primarily we're looking for smart people who have a little bit of experience. Is there anything you'd recommend we do in terms of trying to do some recruiting ourselves, or helping HR reel in the right people?

Recruiting qualified information security professionals is perhaps the most challenging aspect of the chief security officer's job nowadays. As I've written many times in the past, I believe that certifications are not terribly useful in determining whether a potential employee is qualified for an information security job, and I am pleased to see an organization not adhering to a certification-only hiring practice.

The reality is a corporation needs to have a couple of things going for it in order to attract good employees. First, having a competitive compensation package is a must. Security folks are in demand and that means they can (and should) command a premium salary and benefits to attract them. But it's about more than just money. Having a challenging work environment that will engage security pros and give them meaty projects they can work on is also important. Security professionals need to have a career path and corporations must be willing to make an investment in training and other education to keep their employees on the cutting edge both in technology and skills.

In terms of where to find these folks, company personnel (or recruiters) need to hang out where these folks do. That means in some of the security communities (for example, the Security Catalyst community, ha.ckers.org, etc.) as well as the more technically oriented conferences like SANS and DEFCON -- especially DEFCON, since a lot of younger security pros show up at that show looking to bolster their skills.

Most organizations must grow their own talent in-house, and information security is no exception. Consider looking for competent people with an interest in security within other technology groups, like the network team or application group, and then provide them with the training they need to understand and practice security. Talented information security practitioners don't grow on trees, so to speak, so wise organizations must plant the seeds to grow their own, which requires time and investment. Unless an organization is willing to overpay for talent, there aren't a lot of other ways to get it.

This was last published in June 2008
