When building an information security team, it is just as important to recruit on the basis of personality as it is to find someone with the right technical qualifications, according to Peter Berlich, a director of (ISC)2.
Berlich was speaking at RSA Europe in London on 23 October 2007, on a panel also including John Colley, managing director for (ISC)2 in Europe, the Middle East and Africa (Emea), Isabel Muench, security expert for the German Federal Office for Information Security, and Wojciech Swiatek, Emea director of security services for Motorola.
Building the right information security team
"There are three things that are essential to look for when recruiting: technical skills, business skills, and interpersonal skills. Using a recruitment agency can just take up your time unnecessarily, as they send you every CV that comes through their door, very few of which are actually relevant," Colley said.
Although he argued that human resources departments can be a very useful tool in the recruitment process, the huge majority of the audience disagreed - most voting that their HR departments had been of little or no use.
"The importance of formal qualifications is often too heavy," said Isabel Muench, "and often really talented people can be filtered out because of this. To recruit successfully, you really need to find someone who can communicate well with management. That is what is important."
Wojciech Swiatek disagreed with this, arguing that formal qualifications show not only an education but also an enthusiasm for the industry. "Certifications show a willingness to make an effort and imply a good work ethic. It is a tell-tale sign that they are willing to continue their education."
"Filling medium-position jobs is easy, it is finding people to fill the top positions that is hard," continued Swiatek. "It is so hard to find someone bold and ambitious enough to say 'I want your job'."
"The industry is growing in popularity and more people are trying to get into information security because salaries are increasing," said Colley. "Organisations are looking to employ less qualified people - with the view to training them up - because they are cheaper."
Keeping the right team
"Finding the right people is easy, but keeping the right ones is the hard part," said Berlich. "You hire them, train them, certify them, and then they'll move on because they are senior. That is the reality," he said.
Ron Condon, the panel moderator, asked the panel what, in addition to money, could be offered as an incentive to keep staff. "People aren't motivated entirely by money," said Colley. "And infosec teams often have quite a flat structure, with little chance for promotion. So you need to offer them experiences to motivate and keep them."
"It is not rocket science," said Berlich. "Employees crave intellectual stimulation as well as a competitive salary. Give them the education that they want and need. Good communication and openness from the management is also essential."
"If people leave entirely for money reasons, it is probably best that they leave," said Swiatek. "Giving staff a voice, and listening to them, that's the secret to a good team. Moving people within the company is also a way of keeping them." This, however, can prove difficult within a very small security team. "Hiring people with wide interests is a good idea, they will be more flexible and open to different areas of challenge."
"People want the opportunity to research - things that they could not do in a different role or in a different company. This will provide motivation for employees to stay," argued Muench.
Outsourcing out of the team
"Outsourcing sends chills down employees' spines," said Berlich. "They immediately think that their job is over. And there is not always a solution that will benefit everybody. But often, outsourcing makes sense."
Swiatek disagreed. "Outsourcing is done to save money, but it is a huge security risk. You might save money, but you lose confidence. And loss of security confidence is not worth the slight cost benefits." Along the same lines, Muench argued: "Outsourcing totally changes the tasks of a security team. You can have a perfectly capable team, and after outsourcing, will lose that confidence."
"It does not matter how big your security team is, it is not big enough," said Colley, with nods of agreement from the audience. "This becomes clear when you suffer a security breach."
Sense of belonging
"An old prime minister of ours once famously said 'education, education, education'. Well I say 'team, team, team'," said Colley. He emphasised the importance of feeling part of the security team, and the bigger team. "A sense of belonging is very important," he said.
"Senior management should offer thanks and encouragement to their security teams. It shows them that they are important," added Muench, who also argued that management needs to be reminded how important the information security team is within the organisation.
"Lastly, I would say that an information security team must be a leadership team, and prove this within the organisation," said Berlich.
This article first appeared on the web-site of Infosecurity magazine, http://www.infosecurity-magazine.com/