Best practices for choosing an information security team new hire

Hiring someone for your information security team? In this expert response, information security management expert David Mortman explains what relevant information security experience is.

I'm a security manager who's looking to bulk up my security team. The executives at my company would like me to try to promote someone internally from our help desk. Many of the IT pros there have years of experience, but not in security. Are there certain qualities or experiences I should look for in a candidate?
There are two main things that you should look for when hiring an information security professional: Someone who can think like a security person and someone who can be flexible enough mentally to pick up new ideas quickly.

By thinking like a security person, I don't mean "thinking like a hacker." While hacking skills are useful in some contexts, there is much more to security than that. Thinking like a security person means putting oneself in the shoes of various users and thinking about what their needs are. How will they use the software? Also, how will they accidentally or intentionally misuse the software? Then it's a matter of finding solutions that address the identified issues.

It's also important for the candidate to be able to think like a business person, or a programmer, or any other type of end user. Most importantly, however, he or she must understand that, in reality, security is about finding an acceptable compromise between perfect security and usability.

In order to achieve this compromise, the potential team member should be able to absorb new ideas and technologies quickly so he or she can help users make intelligent risk decisions. So in reality, those two traits I mentioned a minute ago are one and the same.

This mental agility, in my book, is far more important than years of experience. If someone has the right mindset, then he or she can learn the specific technologies or regulations required for the job. Working with this sort of person is far easier than breaking someone out of a solid mold.

This was last published in March 2009
