Today more young professionals are choosing information security as a first career, bringing a post-graduate degree but little experience, writes John Colley, managing director EMEA of the International Information Systems Security Certification Consortium, (ISC)2.
Demand for professionals continues to outstrip supply, putting pressure on salaries and opening up opportunities for less experienced individuals. For the hiring manager, providing an effective professional development environment for the people they have employed is a growing challenge.
Research conducted by (ISC)2 suggests that companies are dedicating more of their information security budgets to personnel, education and training, and that they are increasing their investment in this area. For training and education specifically, nearly 40% of respondents to the most recent global information security workforce study, conducted by industry analysts on behalf of (ISC)2, said they would be increasing their budgets, with an average increase of 31% for 2007. Protecting this investment in people requires a formalised approach to professional development that reflects both the expectations of the individual and the opportunities of the company.
To be effective, professional development strategies should reflect the changing environments in which people are working. As a relatively new discipline, most companies have a flat information security organisation, which provides little room for traditional promotion. A more creative approach is required. Skills that are in demand change rapidly, making the risk of becoming obsolete a constant concern for security professionals. This is exacerbated by the need to specialise.
Yet information security is entering the mainstream with well-established governance and compliance, increasing public awareness and more and more business processes going online. Concrete development opportunities therefore come from the experiences managers can offer the people on their team. Training can be designed to ensure competencies are tied to the experience gained in a given professional's development plan. People are motivated by the flexibility they gain in their working environment, often choosing an acceptable work/life balance and interest in their work over aggressive promotion. Loyalty to an organisation is more likely sown by the ability to progress a desired skill set, new influence in more parts of the business, and flexibility, than by an increase in salary alone.
Addressing the issue, information security and department managers need to develop a workforce plan that maps business requirements while acknowledging the interests of the individuals involved. It should reflect the skill profile needed (managerial, technical and business), cover the experience and qualifications desired, then review how the existing team compares, setting out actions for achieving the desired state. It should also lay out an acquisition strategy, defining whether skills are to be 'bought in' through recruitment or home-grown. This plan must then be communicated to the people involved to shape their personal development plans, allowing them both to feel comfortable expressing their interests and to understand where they are going.
Outside the actual information security department, managers should promote security across the organisation. They must proactively make security a part of the business by developing an overall security business strategy and running the department as if it were a business. Prioritising and describing risk in business terms, and communicating value to the business units, they will obtain not just the budgets required, but buy-in, co-operation and even enthusiasm from across the organisation.
While individuals understand they must take control of their own careers, companies must also support and develop the people they rely on to provide the most effective information security program for their company. With a formalised plan that focuses on opportunities across the business, and development of an appreciation for the information security function, the foundations are in place to effectively manage infosecurity careers as well as risks.