When building an information security team, it is just
as important to recruit on the basis of personality as it is to
find someone with the right technical qualifications, according to
Peter Berlich, a director of (ISC)2.
Berlich was speaking at RSA Europe in London on 23 October 2007,
on a panel also including John Colley, managing director for (ISC)2
in Europe, the Middle East and Africa (Emea); Isabel Muench, security
expert for the German Federal Office for Information Security; and
Wojciech Swiatek, Emea director of security services for Motorola.
Building the right information security team
"There are three things that are essential to look for when
recruiting: technical skills, business skills, and interpersonal
skills. Using a recruitment agency can just take up your time
unnecessarily, as they send you every CV that comes through their
door, very few of which are actually relevant," Colley said.
Although he argued that human resources departments can be a
very useful tool in the recruitment process, the huge majority of
the audience disagreed - most voting that their HR departments had
been of little or no use.
"The importance of formal qualifications is often too heavy,"
said Isabel Muench, "and often really talented people can be
filtered out because of this. To recruit successfully, you really
need to find someone who can communicate well with management. That
is what is important."
Wojciech Swiatek disagreed with this, arguing that formal
qualifications show not only an education but also an enthusiasm
for the industry. "Certifications show a willingness to make an
effort and imply a good work ethic. It is a tell-tale sign that
they are willing to continue their education."
"Filling medium-position jobs is easy, it is finding people to
fill the top positions that is hard," continued Swiatek. "It is so
hard to find someone bold and ambitious enough to say 'I want your
job'."
"The industry is growing in popularity and more people are
trying to get into information security because salaries are
increasing," said Colley. "Organisations are looking to employ less
qualified people - with the view to training them up - because they
are cheaper."
Keeping the right team
"Finding the right people is easy, but keeping the right ones is
the hard part," said Berlich. "You hire them, train them, certify
them, and then they'll move on because they are senior. That is the
reality," he said.
Ron Condon, the panel moderator, asked the panel what, in
addition to money, could be offered as an incentive to keep staff.
"People aren't motivated entirely by money," said Colley. "And
infosec teams often have quite a flat structure, with little chance
for promotion. So you need to offer them experiences to motivate
and keep them."
"It is not rocket science," said Berlich. "Employees crave
intellectual stimulation as well as a competitive salary. Give them
the education that they want and need. Good communication and
openness from the management is also essential."
"If people leave entirely for money reasons, it is probably best
that they leave," said Swiatek. "Giving staff a voice, and
listening to them, that's the secret to a good team. Moving people
within the company is also a way of keeping them." This, however,
can prove difficult within a very small security team. "Hiring
people with wide interests is a good idea, they will be more
flexible and open to different areas of challenge."
"People want the opportunity to research - things that they
could not do in a different role or in a different company. This
will provide motivation for employees to stay," argued Muench.
Outsourcing out of the team
"Outsourcing sends chills down employees' spines," said Berlich.
"They immediately think that their job is over. And there is not
always a solution that will benefit everybody. But often,
outsourcing makes sense."
Swiatek disagreed. "Outsourcing is done to save money, but it is
a huge security risk. You might save money, but you lose
confidence. And loss of security confidence is not worth the slight
cost benefits." Along the same lines, Muench argued: "Outsourcing
totally changes the tasks of a security team. You can have a
perfectly capable team, and after outsourcing, will lose that
confidence."
"It does not matter how big your security team is, it is not big
enough," said Colley, with nods of agreement from the audience.
"This becomes clear when you suffer a security breach."
Sense of belonging
"An old prime minister of ours once famously said 'education,
education, education'. Well I say 'team, team, team'," said Colley.
He emphasised the importance of feeling part of the security team,
and the bigger team. "A sense of belonging is very important," he
said.
"Senior management should offer thanks and encouragement to
their security teams. It shows them that they are important," added
Muench, who also argued that management needs to be reminded how
important the information security team is within the
organisation.
"Lastly, I would say that an information security team must be a
leadership team, and prove this within the organisation," said
Berlich.
This article first appeared on the web-site of Infosecurity
magazine, http://www.infosecurity-magazine.com/