Over the past several months, I have had a series of conversations with colleagues about whether companies are increasing their corporate liability exposure by failing to recruit those with recognised information security accreditation and/or academic qualifications.
Rob Carolina, an intellectual property attorney who works in information security and is the legal counsel for the Information Systems Security Association UK, said, "A company can lower its risk of exposure to third parties by raising the qualification level of the staff it hires. Similarly, one way to increase risk exposure to third parties is by hiring less-qualified staff.
"This is because a company often retains financial responsibility for the errors of its employees. The trick for any employer is to hire someone who is qualified enough for the job they are doing. Employers should examine types of qualifications and credentials closely to get a better understanding of what they mean in a business sense."
Business is all about taking risk or, should I say, manageable risk. Successful businesses effectively manage risk while maximising profit. At the same time, as businesses look to migrate an increasing number of mission-critical applications to converged IP networks, the role of the information security professional has never been more important.
So how do we minimise risk in hiring? There is the standard litany of prescribed best practices that most businesses follow, which include checks on financial and criminal records, references, interviews with former employers and academic and certification verification.
This is important because there are more than 40 different information security certifications, including master- and doctoral-level academic qualifications. So what do we look for when we hire a security professional?
Jim Duffy, executive director of (ISC)2, which manages the certified information security professional certification, said, "The issue boils down to trust. Business today is heavily reliant on global interconnectivity between enterprise computing systems. Certifications provide baseline assurance that professionals responsible for information security policy development, IT controls and implementation are qualified to do so."
Cable & Wireless, Hewlett-Packard, Microsoft and Deloitte & Touche all have programmes to assist their information security personnel in obtaining the certified information security professional certification.
But does having certified or academically qualified personnel lower your exposure to risk or limit your liability?
I would argue it does. At the very least, it helps to demonstrate that your personnel meet a minimum acceptable standard of knowledge, an important element of any best practice.
Richard Starnes is director of incident response in the Managed Security Operations Centre at Cable & Wireless
This was first published in August 2004