A panel session at the RSA conference has suggested that “it is just as important to recruit on the basis of personality as it is to find someone with the right technical qualifications” for information security jobs (See article in Computer Weekly here)
Some might argue that if this were the case then I’d have ended up in marketing. Joking aside, I think that the panel is making a good point. Never has it been more important to understand and appreciate how the business works, the management, objectives, strategy, culture and financing. Having the security team working in a silo, issuing edicts is a thing of the past – or it should be. Let’s, for example, take a business that has decided on a strategy of utilising a PaaS (being my current favorite subject) for managing essential data. It’s no good trying to shoe-horn existing policies based on traditional systems and processes into this. That is not being agile and it’s not serving the needs of the organisation.
To get there, we need to have a good understanding of what management is trying to accomplish, ensure that appropriate risks are understand and managed whilst also ensuring that in doing so we’re not putting unnecessary barriers in the way. It’s a tough trade-off and achieving success requires character and personality as well as traditional security skills and knowledge.
A similar point was made on this blog here earlier in the year. Dan Morrill says that we need to
1. Hire for technical ability, creativity, and socialization skills. I am well aware that this will cause problems in the ability to find these people, they are rare
2. In the interview ask “how would you solve this problem” and see what their responses are, is it purely technical, is it part technical part social, does the solution make sense to the company, how well do they communicate the solution?
I found an article written about information security qualifications that puts it a slightly different way: “the real traits that determine whether or not one succeeds (regardless of their career path) are positive personality traits such as motivation, tenacity, and the burning desire for achievement,”
Personality alone wont win the job. Qualifications and experience are important. In my case I worked my way through an MBA and can’t recommend highly enough the value of going down that particular path. My CISSP certification was useful years ago when I was starting out but probably less so now that my career has become established. The new Institute of Information Security Professionals (IISP) is also looking to play a part in validating the professionalism of individuals within the industry.
So, bottom line: personality is important, so too is training and education.