How should we hire for specialized information security roles?

A recent statistic shows that in the next seven years, the employment rate of security analysts will rise 37% in the U.S. Security hiring in general can be challenging, so how should organizations go about filling these specialized roles? Where can we look for this security talent?

According to a study from the U.S. Department of Labor, by 2022 the demand for security industry professionals will grow 37%. Throwing additional resources at a problem does not necessarily address or remediate it. Putting more border patrol on borders, more DEA agents to fight the war on drugs or more security guards surrounding critical infrastructures are typically reactionary nostrums.

The question remains, how can enterprises find security professionals to meet this demand? Security professionals need to have strong technical skills in information security, be well-versed in security monitoring and alert systems, have competent incident response program experience, be knowledgeable in the deployment of a risk based security program, and have experience in the deployment of next generation integrated security tools such as UTMand NGFWs.

Finding and hiring talented professionals who fill information security roles with these skills can be challenging, but building it internally, or a combination of both, are alternatives.

So where can someone find information security professionals with the appropriate skill sets? There are numerous resources. One is LinkedIn where searches can be made by region, industry and title. Other resources include professional organizations such as ISSA, ISC², ISACA, SANS and HTCIA. Each of these has certification programs such as CISSP, CISM or GSEC, and has resources for posting or announcing your interest in candidates. Local universities with degrees in technology, CIS and possibly information security are also good candidates; however they typically lack the experience requirements. Professional recruiters are also an obvious choice.

Wherever you find applicants, they should have at least one or two certifications such as CISSP, CISA, CISM, GSEC or other specialty certifications such as GPEN, CEH and CCFP.

Possessing a certification does not guarantee the security professional has the skills needed for the job, but it does lay the foundation for the Common Body of Knowledge required. Subject matter experts (SMEs) can be hired based on the present need, but information security professionals today -- who are typically jack-of-all-trades in information security -- should strive to be an SME of at least one specialty.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)