Today more young professionals are choosing information
security as a first career, bringing a post-graduate degree but
little experience, writes John Colley, managing director EMEA
of the International Information Systems Security Certification
Consortium, (ISC)2.
Demand for professionals continues to outstrip supply putting
pressure on salaries and opening up opportunities for less
experienced individuals. For the hiring manager providing an
effective professional development environment for the people they
have employed is a growing challenge.
Research conducted by (ISC)2 suggests that
companies are dedicating more of their information security budgets
to personnel, education and training, and that they are increasing
their investment in this area. For training and education
specifically, nearly 40% of respondents to the most recent global
information security workforce study, conducted by industry
analysts on behalf of (ISC)2, said they would be
increasing their budgets, with an average increase of 31% for 2007.
Protecting this investment in people requires a formalised approach
for professional development that reflects both expectations of the
individual and the opportunities of the company.
To be effective, professional development strategies should
reflect the changing environments in which people are working. As a
relatively new discipline, most companies have a flat information
security organisation, which provides little room for traditional
promotion. A more creative approach is required.
Skills that are in demand change rapidly, making the risk of
becoming obsolete a constant concern for security professionals.
This is exacerbated by the need to specialise.
Yet information security is entering the mainstream with
well-established governance and compliance, increasing public
awareness and more and more business processes going online.
Concrete development opportunities therefore come from the
experiences managers can offer the people on their team. Training
can be designed to ensure competencies are tied to the experience
gained in a given professional's development plan. People are
motivated by the flexibility they gain in their working
environment, often choosing an acceptable work/life balance and
interest in their work over aggressive promotion. Loyalty to an
organisation is more likely sown by the ability to progress a
desired skill set, new influence in more parts of the business, and
flexibility, than by an increase in salary alone.
Addressing the issue, information security and department
managers need to develop a workforce plan that maps business
requirements while acknowledging the interests of the individuals
involved. It should reflect the skill profile needed (managerial,
technical and business), cover the experience and qualifications
desired, then review how the existing team compares, setting out
actions for achieving the desired state. It should also lay out an
acquisition strategy, defining whether skills are to be 'bought in'
through recruitment or home grown. This plan must then be
communicated to the people involved to shape their personal
development plans, allowing them both to feel comfortable expressing
their interests and to understand where they are going.
Outside the actual information security department, managers
should promote security across the organisation. They must
proactively make security a part of the business by developing an
overall security business strategy and running the department as if
it were a business. Prioritising and describing risk in business
terms, and communicating value to the business units, they will
obtain not just the budgets required, but buy-in, co-operation and
even enthusiasm from across the organisation.
While individuals understand they must take control of their own
careers, companies must also support and develop the people they
rely on to provide the most effective information security program
for their company. With a formalised plan that focuses on
opportunities across the business, and development of an
appreciation for the information security function, the foundations
are in place to effectively manage infosecurity careers as well as
risks.
Computer Weekly Infosecurity 2008 showguide and preview