Hiring guide to the
Information Security Profession

INTRODUCTION

Welcome to the (ISC)2® Hiring Guide to the Information Security Profession. It’s no secret that it’s not easy to find qualified experts to protect your organization. As the world’s largest body of information security professionals, with more than 54,000 certified members in 135 countries, (ISC)2 wants to help HR professionals, recruiters and hiring managers understand the scope of this burgeoning profession and lessen the pain of obtaining the best and brightest information security staff.

The information security profession is expanding rapidly. The 2006 (ISC)²/IDC Global Information Security Workforce Study (GISWS) showed that the number of professionals worldwide will increase to slightly more than 2 million by 2010, a compound annual growth rate of 7.8 percent from 2005 to 2010.

It wasn’t always this way. Twenty years ago, the field of information security was in its infancy, and companies often brushed off threats to their infrastructure. Today, driven by legal and regulatory compliance and the desire to maximize global commerce, hiring first-rate information security staff is critical to mitigating risks that can destroy a company’s reputation, violate privacy, result in the theft or destruction of intellectual property, and, in some cases, even endanger lives.

We hope this hiring guide, compiled with significant contributions from Alta Associates, will shine some light on the significance of this relatively new profession, as well as offer tips on ensuring your security staff is filled with talented and qualified professionals.

You can also find more tools at the online (ISC)² Hiring Center at www.isc2.org/HRCenter.

Best of luck in your recruiting efforts!

Eddie Zeitler, CISSP
Executive Director
(ISC)2

TABLE OF CONTENTS

What is Information Security? ...................................... 3-4
The Evolving Role of the Information Security Profession ......... 5-6
What Types of Job Functions Exist? ........................... 7-8
What are the Ideal Traits of an Information Security Professional? ... 9-10
What are Typical Career Paths? ......................................11
Crafting a Job Description ..........................................13-14
Certification Requirements ........................................15-16
Recruiting ..............................................................17-18
Screening ..............................................................19-20
Interviewing ....................................................... 21-23
References/Security Checks ............................................ 24
Crafting and Presenting an Offer .......................... 25-26
Retention ................................................................... 27
Resources ............................................................29-30

WHAT IS INFORMATION SECURITY?

Governments, military, financial institutions, healthcare and private business today amass volumes of confidential information about their employees, customers, products, and financial status. Most of this information is now collected, processed and stored on computers and servers and transmitted across networked systems. Should such confidential information fall into the hands of outsiders, such a breach of security could lead to lost business, lawsuits, reputation damage and even bankruptcy. Protecting confidential information is a common sense requirement these days, and in most cases is also a legal requirement.

Information security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The purpose of information security is to ensure that all information held by an organization, regardless of whether it resides on a computer hard drive or in a filing cabinet, is maintained with:

Confidentiality - ensuring that information is accessible only to those authorized to have access;

Integrity - safeguarding the accuracy and completeness of information and processing methods;

Availability - ensuring that authorized users have access to information and associated assets when required; and

Compliance - ensuring that all laws and industry regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers and Sarbanes-Oxley (SOX) for publicly traded companies, are met.

The objective of an information security policy is to minimize damage to the organization by preventing and controlling the impact of security breaches. Information security provides the essential protective framework in which information can be shared while ensuring its protection from unauthorized users.

THE EVOLVING ROLE OF THE INFORMATION SECURITY PROFESSION

Years ago, the majority of people responsible for protecting information assets entered the field without a formal background or education and obtained their experience in broader disciplines, such as information technology (IT) or engineering, transferring into information security only as the need arose.

Unlike two decades ago, many younger professionals in today’s sophisticated cyber world have information security in mind from the beginning, pursuing college degrees in information security, information assurance, or a related discipline such as computer science. They also likely have a working knowledge of network systems and security protocols, security software programs and implementation, and best practices for developing security procedures and infrastructure.

A secure organization requires seasoned professionals who can create and implement a program, obtain support and funding for the program, and make every employee a security-conscious citizen, all while adhering to necessary regulatory standards. In addition, it requires a team of technical practitioners to implement the policies set by the security manager.

Today’s information security professionals work closely with HR, legal, audit, IT and other areas of business to mitigate risk throughout the organization. Many are now called upon as critical contributors to business decision-making.

In the face of these daunting challenges, the role of the professional has changed dramatically over the past few years. The successful professional must now quickly and securely respond to change, whether brought on by external and internal threats, or by customer demand for new goods and services. The professional must also
implement integrated security solutions at all levels where people, processes and technologies intersect, and ensure they support the objectives of the organization.

Although having qualified information security professionals on staff is a necessity for organizations of all industries and sizes, it is especially important to those who have critically sensitive information, such as financial, healthcare or insurance entities, or those who have to comply with strict legal or regulatory mandates.

WHAT TYPES OF JOB FUNCTIONS EXIST?

In the early days of information security, an organization hired a single “security engineer” who was an adjunct to the IT department and focused on network security and security administration. The position required an understanding of network protocols, firewalls and network vulnerabilities.

Today, with the increasing dependence upon the virtual world in every corner of business and society, the requirements and job functions of the information security profession have exploded. Security-specific roles include:

• Forensics Specialist
• Security Architect
• Chief Information Security Officer
• Information Assurance Manager
• IT Security Manager
• Certification & Accreditation Specialist
• Risk Manager
• Compliance Officer

The scope of traditional security roles has also expanded. The early role of security engineer now has expanded to include numerous areas of specialization, such as identity and access management, vulnerability management and application security. These positions require extensive technical backgrounds, as well as business risk analysis so the security controls appropriate to the specific organization can be developed.

WHAT ARE THE IDEAL TRAITS OF AN INFORMATION SECURITY PROFESSIONAL?

While the information security profession has become too complex for any one set of specific skills, there are general attributes that are important to consider when seeking a professional. A few of these ideal traits include:

Skills and Competencies

• A track record of developing information security and risk management solutions;

• A keen understanding of technology and the ability to leverage this knowledge to implement effective security solutions;

• An understanding of the industry, the company’s place in the market, relevant regulatory and legal requirements, and how they can add value;

• Solid communications skills. These include the ability to influence employee behavior and perceptions. The best security policies won’t be effective without buy-in from all employees;

• The ability to articulate business value. Professionals must know their audience and talk in a language they understand;

• Understands and manages risk. Security professionals must tailor their security postures to the specific needs and risk appetites of the organization;

• Ability to build strong relationships with the key stakeholders of the organization, including legal, HR, audit, physical security, PR, and risk managers; and

• Ability to see the overall security needs of an organization. Even in more traditional network security roles, organizations need professionals who can interpret technology in a way that’s useful and in line with its business and risk management goals.

Personal Attributes

• A positive attitude. While professionals need a healthy dose of caution, the professional should emphasize the power of defense, rather than the negatives or costs of vulnerability;

• Commitment to ethics. To be effective, a professional must always tell the truth and never exaggerate about what can and can’t be done; and

• Embraces the need to stay current in the latest security and technology knowledge.

WHAT ARE TYPICAL CAREER PATHS?

An information security professional can come from many different, non-security disciplines. Indeed, many exemplary professionals began their careers in technology and went on to learn security. Although professionals typically have technology backgrounds, increasingly they are also coming from risk assessment areas with strong project management experience.

The two most common job paths available to information security professionals are the security technologist or the security manager/strategist. Some professionals enjoy meeting the day-to-day technical challenges of the security technologist role and will remain there throughout their careers, although even this role is increasingly requiring the “soft skills” of business knowledge, communication and collaboration. Others acquire the management skills needed to bridge the gap between an organization’s technical and business priorities.

Desired attributes for a security technologist may include:

• Deep understanding of multiple technologies
• Subject matter expertise in a technical domain
• Desire to remain part of technical implementation and monitoring side of security

Desired attributes for a security manager may include:

• Broad understanding of multiple technologies
• Executive management and presentation skills
• Particular knowledge of a business line or product
• Desire to manage broader risk issues

(ISC)2 CAREER PATH

(ISC)2 provides a career path for information security professionals from the beginning of their career until retirement. We offer a unique blend of certifications, advanced education, rigorous testing and specialized concentrations. (ISC)2 members are at the forefront of today’s dynamic information security industry. Look for one of these credentials when you make your next hiring decision.

CRAFTING A JOB DESCRIPTION

A common misconception that still exists in many HR departments is that information security is part of information technology. In fact, because of expanding business requirements, the information security profession has splintered into many different facets beyond IT and offers specialization in process, auditing, policy, compliance and other topics. As with many fields, even a position with the identical job title in two departments of the same company can have different requirements.

The key to developing a solid job description for the information security field is to ensure the hiring manager has an in-depth conversation with the HR department. Regardless of the level of the position, this initial discussion should help the hiring manager focus on what the organizational chart looks like, where this position sits, its roles and responsibilities, how the position relates to the larger organization, and expectations for success.

If you are working with an experienced external recruiter who specializes in information security, this is the time to get them involved in the process. A knowledgeable recruiter can advise you on competitive salary ranges for the role and assist with the creation of the job description.

Getting the recruiter involved this early in the process lays the groundwork for a successful partnership by creating a common understanding of the role and responsibilities and consistent messaging to potential candidates.

An information security manager’s job description may include:

• Develop and oversee implementation of the organization’s information security policies and procedures;

• Oversee implementation of the organization’s information security policies and procedures;

• Ensure unauthorized intrusions, access and tampering are prevented, and detect and remediate security incidents quickly;

• Ensure the most effective and appropriate security technology tools are selected and correctly deployed;

• Provide information security awareness training to all employees, contractors, alliances, and other third parties;

• Monitor compliance with the organization’s information security policies and procedures among employees, contractors, alliances, and other third parties;

• Monitor internal control systems to ensure that appropriate information access levels and security clearances are maintained;

• Perform information security risk assessments and ensure auditing of information security processes;

• Prepare the organization’s disaster recovery and business continuity plans for information systems;

• Monitor changes in legislation and accreditation standards that affect information security.

CERTIFICATION REQUIREMENTS

In the requirements area, in addition to the education and experience level you are seeking, it’s important to determine the professional certification that best validates a candidate’s suitability for the position. If you are seeking a security technologist, a vendor certification that matches your organization’s particular technology environment, such as certifications from Microsoft or Cisco, might be desirable.

A vendor-neutral certification to ensure the security technologist understands the overarching principles of effective security and can communicate well with security management is also desirable. These include certifications such as the Systems Security Certified Practitioner (SSCP®) from (ISC)2® and the GIAC from SANS.

According to the 2006 Global Information Security Workforce Study, 85 percent of security hiring managers worldwide believe in the importance of information security certifications as a hiring criterion. Employee competency and quality of work remain the top reasons that employers and hiring managers continue to place emphasis on security certifications. Company policy and regulations are becoming critical reasons as well.

For security management positions, the industry’s gold standard certification is the Certified Information Systems Security Professional (CISSP®), also from (ISC)2. The CISSP was developed by information security pioneers in the early 1990s and is the first and most respected security credential on the market. It tests the broadest knowledge of any information security certification with a six-hour exam on its CISSP CBK®, a regularly updated taxonomy of global
information security topics. It also requires the candidate to possess five years of experience in at least two domains of the CBK, obtain endorsement by a certified (ISC)2 professional, subscribe to the (ISC)2 Code of Ethics, and complete annual continuing professional education requirements to remain certified.

Other professional security certifications include the Certified Information Security Auditor (CISA) and Certified Information Security Manager (CISM) from ISACA, as well as CISSP Concentrations from (ISC)2 in management, architecture and engineering.

RECRUITING

Information security professionals possess highly specialized skills that are in high demand. Because of this demand, talented professionals are often available for just a few weeks. It’s a fact of the current market that organizations must hire a desired candidate quickly. Many qualified candidates are lost because the hiring process went on too long.

To be competitive in successfully recruiting information security professionals, the HR department should partner with the hiring manager and a specialized recruiter to streamline the hiring process before recruiting begins. Engaging a specialized recruiter can have many benefits, including reducing your time to hire, reaching passive candidates and extending your brand in a positive manner to the community. Make sure you choose a firm that has an established track record of success in the types of roles that you are filling and knowledge of your industry. Ask for references and gain a comfort level with the recruiter to ensure that you are confident that they are capable of partnering with you on the full life cycle of recruitment, from sourcing the candidate through negotiating an acceptance. Developing a trusted relationship with a specialized recruiter will enable you and the hiring manager to have confidence that you are finding the best possible candidate in the most expedient time frame.

Professional associations can also be an excellent resource for finding the right candidate. (ISC)2®, for instance, offers employers access to nearly 60,000 certified members worldwide through its online Career Center. Employers can post jobs and search resumes by industry, specific certification and location. Only certified (ISC)² credential holders may post resumes on the (ISC)² Career Center. The service is free of charge.

Another avenue of recruiting is to build a partnership with an association and sponsor programs or provide informational sessions that might be appealing to their membership. Placing your organization’s name regularly in front of security professionals is a great way to connect with the person who is not actively looking but may be interested when he or she hears about an opportunity.

If your position is one that a recent college graduate would be qualified for, consider contacting schools that have been qualified as a U.S. National Center of Academic Excellence in Information Assurance Education (CAEIAE) Program or regional equivalent (www.nsa.gov/ia/academia/caeiae.cfm). The goal of the U.S. program is to identify four-year colleges and graduate-level universities that demonstrate academic excellence in information security education. Currently, there are 85 National Centers of Academic Excellence in Information Assurance Education.

You may also wish to consider a student or recent graduate who has attained the Associate of (ISC)² designation. This designation is earned by those who pass the rigorous CISSP® exam and have committed to the professional Code of Ethics but do not yet possess the requisite experience to be certified.

SCREENING

Detailed initial screening of the information security candidate will allow for a better assessment of whether an individual’s goals and motivators are in line with what the organization is seeking.

Information security is a relatively new discipline and has a recently established educational curriculum and career path. For instance, many academic institutions have only been offering security-focused programs in the past five years or so. Besides the IT field, many more senior information security professionals have come from the military, law enforcement and security auditing fields.

Below are some general requirements or suggestions, broken down by education, technical skills and general skills.

Education Options/Requirements:

• Associate Degree in systems administration
• BA in information technology or related field
• BS in computer science or equivalent information security experience
• MS or MA for director or higher position
• Ph.D. for professor, researcher, advanced developer

Technical Skills Required:

• Knowledge of network systems and security protocols
• Knowledge of security software programs and implementation
• Knowledge of best practices in developing security procedures and infrastructure

SCreening




General Skills and Aptitudes:

• Excellent oral, written and presentation skills
• Strong conceptual and analytical skills
• Ability to operate as an effective member of a team
• Ability to manage multiple diverse tasks simultaneously
• Strong project management skills (ability to manage the overall project while understanding the subcomponents and how they relate to the total project)
• Possess a vendor-specific or vendor-neutral professional certification*
• Excellent leadership qualities*
• Demonstrate interpersonal and conflict management skills*
• Ability to effectively relate security-related concepts to a broad range of technical and non-technical staff*

* Helpful for advancement to information security management.

INTERVIEWING

Before any interview, HR should work with the hiring manager and specialized external recruiter to develop a set of evaluation criteria for all to follow, and confirm who the final decision maker will be. The final decision maker, along with the interviewers, may then create an evaluation form listing agreed-upon critical profile points for each position. It can include specific technical requirements, cultural fit, communication and presentation skills, potential for growth, and relevant past experiences.

Each interviewer ought to touch on all topics but also be assigned specific profile points to delve into. This approach will facilitate a comprehensive understanding of the candidate’s strengths and weaknesses, allowing the decision maker to make an informed choice when extending an offer.

Companies need to devote attention to selecting and preparing the interviewers. Those selected should have a clear understanding of the roles and responsibilities of the position and know the priority of skills required. In addition, all interviewers must provide a consistent message about the details of the position, such as reporting structure, title, compensation, and responsibilities.

Everyone must also take part in selling or closing the candidate. This means everyone in the interview process must be positive and informative, and highlight the position’s potential for growth. Interviewers must recognize that they are the face of your department and company, and the image they present will make a significant impression on the candidate.

While the hiring manager will likely focus on the hard technical skills, HR should help the interviewers get a sense of the candidate’s “soft” skills: whether he or she can communicate effectively and articulate business value. If the information security professional cannot positively influence employees, especially those not under his or her direct authority, processes and technology won’t solve anything. Asking the candidate to explain a security issue to a non-technical person is one way of evaluating their communication skills.

The candidate should know how to deliver appropriate messages to different audiences and tailor security posture to fit the specific needs and risk appetites of an organization. Ask the candidate to provide examples of where he/she has used common ground to build credibility and gain consensus.

Leadership is another key desired attribute, and asking for a specific example where the candidate demonstrated leadership can be helpful. Both the answer and the manner in which it is given reflect leadership qualities.

Another good interview question can center on what differentiates the candidate from other information security professionals. One quality to look for is how well a candidate articulates the effect their efforts have had on the success or bottom line of their organization.

Ask the candidate to describe a specific security issue and how he or she solved it. The type of answers you hear define the traits of a successful security professional:

• Did they display an understanding of the cause of the problem before they implemented the solution?
• Did they consider and anticipate the impact of different courses of action?
• Were they able to tailor the solution to meet the needs and risk appetites of the business, and how successful were they in communicating the results?

       Also, identify what your candidate reads and the
       Websites they visit. Information security is a field
       that’s constantly changing, so you should make
       sure a candidate is well-informed and keeping
       up with the latest forums, discussion groups and
       other industry sites.




REFERENCES/SECURITY CHECKS

Checking references and verifying background information are critical when hiring an information security professional, as information security professionals often have more access to employee, customer and proprietary data than any other single job function. Strong ethics and honesty are imperative.

Professional references not only validate and verify an information security candidate’s technical ability to do the job but also his/her communication skills, personality and moral compass. An information security candidate who fails a background check, whether for errors of omission, misstatements of fact, or financial or legal problems, presents a red flag, and great care should be taken before proceeding any further with the hiring process.

Test the candidate’s credibility by verifying academic and professional credentials, professional background and personal references. (ISC)2® offers a free online certification verification tool for employers that only takes a few seconds. Also, several vendor-neutral certification organizations, including (ISC)2, require candidates to subscribe to a professional code of ethics and risk de-certification if they are found to be in violation.

Look at credit reports as an indication of financial problems that may influence misdeeds. Some of the issues to consider are a record of multiple collections, civil judgments, bad debts, charge-offs, a tax lien or repossession.

Make sure you notify the applicant that he or she can dispute the information contained in the background check report if he or she deems it to be inaccurate or incomplete.




CRAFTING AND PRESENTING AN OFFER

HR departments often fail to recognize that salary scales for information security professionals are higher than those of general IT practitioners, resulting in the extension of offers that are below market value and ultimately rejected. Information security is a field where conditions are constantly changing, and it is difficult to stay on top of the skill sets, profile and market value of security professionals.

Be hesitant to rely on information security salary surveys by publications and industry analysts, as they are often not in line with the realities of the marketplace, offering estimates that are much lower than what is actually needed to retain high-caliber talent. These surveys don’t take into account the specialist skills in demand, the different geographic regions and the different organizational layers that must be considered to make a competitive offer.

One of the more accurate salary surveys is included in the Global Information Security Workforce Study, which surveys thousands of information security professionals worldwide. It can be downloaded free of charge from the (ISC)2® Website at www.isc2.org/workforcestudy.

Before making a decision on an offer, make sure the interview team:

• Collects and discusses evaluation criteria
• Understands the candidate’s total current compensation and expectations
• Considers creative compensation alternatives

Again, everyone should be aware of the hiring process time line. The more time taken to deliver the offer, the more likely the candidate will be contacted by other companies, may re-evaluate his/her current position, get promoted, or just plain lose interest. There is an inverse correlation between the length of time it takes to extend an offer and the number of offers accepted.

If you can, be creative in your job offer by including a bonus or commission related to performance beyond the base salary. It’s a fact, too, that many information security professionals are not attracted solely by salary and respond to opportunities to further their educational development, work on an innovative project, obtain professional certification, attend conferences, write and publish papers, join associations, etc. Many professionals appreciate the flexibility to network with their peers in addition to meeting the requirements of their job. Much of that networking also makes them more knowledgeable professionals.

It is also wise to discuss succession plans. Discuss professional growth and give examples of how other employees have developed a more prominent role during their tenure at the organization. Also consider the organization’s policy for reimbursement of certification and education fees, continuing education, etc.

In the end, the hiring manager, HR and recruiter should work together on presenting and selling the offer. Presentation and messaging are extremely important in making a successful offer and retaining the desired candidate. Information security professionals generally aren’t prima donnas, but they often receive a certain level of attention from your competitors because of their specialized skills and high demand in the marketplace.




RETENTION

With the amount of competition for quality information security professionals, companies must take a more strategic and supportive approach to retention if they want to keep the new breed of evolving talent.

Develop a formalized career progression for the best and brightest members of your current information security team. One of the most distinctive and beneficial attributes of working in an information security department is the exposure one gets to operations, processes and technologies across the whole organization. This exposure provides a great training scenario for building the management teams of the future.

Also, defined career paths will help assure a continuing supply of capable successors for each important position within the security team.

Organizations must work to satisfy the long-term career goals and need for professional challenges of their information security staff, because such staff are in high demand in the job market.

HR professionals should also encourage information security employees to seek out opportunities in training and education. Evolving and emerging threats and attacks will continue to require security professionals to learn new skills and techniques. By cultivating home-grown talent, the HR team will be giving valued employees the tools to succeed, benefiting the organization in the long run. In addition, the reputation of having a strong security team can improve an organization’s ability to hire the best candidates on the market.

Also allow the security professional to network with their peers to establish an external support network, consisting of people outside their company, that they can go to openly or privately for advice and support.


RESOURCES

AFCEA International
www.afcea.org

Alta Associates
www.altaassociates.com

American Council for Technology (ACT) and Industry Advisory Council
www.actgov.org

American National Standards Institute (ANSI)
www.ansi.org

ASIS International
www.asisonline.org

Computer Security Institute
www.gocsi.com

The Computing Technology Association (CompTIA)
www.comptia.org

Executive Women’s Forum
www.infosecuritywomen.com

Information Assurance Professionals Association (IAPA)
www.iapa-glc.org

Information Systems Audit and Control Association (ISACA)
www.isaca.org

Information Systems Security Association (ISSA)
www.issa.org

Information Technology Association of America (ITAA)
www.itaa.org

International Association of Privacy Professionals
www.privacyassociation.org

International High Technology Crime Investigation Association (HTCIA)
www.htcia.org

International Information Systems Forensics Association (IISFA)
www.iisfa.org

International Information Systems Security Certification Consortium, Inc. [(ISC)2®]
www.isc2.org

Internet Security Alliance
www.isalliance.org

National Academic Centers of Excellence
www.nsa.gov/ia/academia/caeiae.cfm

SANS Institute
www.sans.org

Security Industry Association
www.siaonline.org




ACKNOWLEDGEMENTS

(ISC)² wishes to acknowledge the invaluable contributions of Joyce Brocaglia, president and CEO of Alta Associates, Inc., in the making of this guide. Founded in 1986, Alta Associates is widely respected as a leading information security recruiting firm, helping global enterprises build world-class information security departments for 22 years. For more information, please visit www.altaassociates.com

www.isc2.org/contactus

Security Strategies for SuccessCitrix
 
Information Security Analyst Resume. When seeking
Information Security Analyst Resume. When seekingInformation Security Analyst Resume. When seeking
Information Security Analyst Resume. When seekingDanielle Bowers
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & StrategyTony Hauxwell
 
Industry Overview: Big Data Fuels Intelligence-Driven Security
Industry Overview: Big Data Fuels Intelligence-Driven SecurityIndustry Overview: Big Data Fuels Intelligence-Driven Security
Industry Overview: Big Data Fuels Intelligence-Driven SecurityEMC
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyMighty Guides, Inc.
 
Presentation 1.pptx
Presentation 1.pptxPresentation 1.pptx
Presentation 1.pptxrabeetkashif
 
An Empirical Study on Information Security
An Empirical Study on Information SecurityAn Empirical Study on Information Security
An Empirical Study on Information Securityijtsrd
 
Building an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations CenterBuilding an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations CenterEMC
 

Similaire à Hiring Guide to the Information Security Profession (20)

I-Week April 2004 - Claudia Warwar
I-Week April 2004 - Claudia WarwarI-Week April 2004 - Claudia Warwar
I-Week April 2004 - Claudia Warwar
 
Symantec_2004_AnnualReport
Symantec_2004_AnnualReportSymantec_2004_AnnualReport
Symantec_2004_AnnualReport
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an UncertaintyCyber Security Trends - Where the Industry Is Heading in an Uncertainty
Cyber Security Trends - Where the Industry Is Heading in an Uncertainty
 
Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligence
 
IT Security - Guidelines
IT Security - GuidelinesIT Security - Guidelines
IT Security - Guidelines
 
Chapter 6 Security of Information and Cyber Security(FASS)
Chapter 6 Security of Information and Cyber Security(FASS)Chapter 6 Security of Information and Cyber Security(FASS)
Chapter 6 Security of Information and Cyber Security(FASS)
 
Whitepaper Pro-active Security Management 2006.pdf
Whitepaper Pro-active Security Management 2006.pdfWhitepaper Pro-active Security Management 2006.pdf
Whitepaper Pro-active Security Management 2006.pdf
 
6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins6 Ways to Fight the Data Loss Gremlins
6 Ways to Fight the Data Loss Gremlins
 
What is cyber security
What is cyber securityWhat is cyber security
What is cyber security
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security Policy
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
 
Security Strategies for Success
Security Strategies for SuccessSecurity Strategies for Success
Security Strategies for Success
 
Information Security Analyst Resume. When seeking
Information Security Analyst Resume. When seekingInformation Security Analyst Resume. When seeking
Information Security Analyst Resume. When seeking
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & Strategy
 
Industry Overview: Big Data Fuels Intelligence-Driven Security
Industry Overview: Big Data Fuels Intelligence-Driven SecurityIndustry Overview: Big Data Fuels Intelligence-Driven Security
Industry Overview: Big Data Fuels Intelligence-Driven Security
 
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response StrategyTrustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
 
Presentation 1.pptx
Presentation 1.pptxPresentation 1.pptx
Presentation 1.pptx
 
An Empirical Study on Information Security
An Empirical Study on Information SecurityAn Empirical Study on Information Security
An Empirical Study on Information Security
 
Building an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations CenterBuilding an Intelligence-Driven Security Operations Center
Building an Intelligence-Driven Security Operations Center
 

Plus de amiable_indian

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Securityamiable_indian
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...amiable_indian
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in Indiaamiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyamiable_indian
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Codingamiable_indian
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunityamiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentationamiable_indian
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization amiable_indian
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Timeamiable_indian
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics? amiable_indian
 

Plus de amiable_indian (20)

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
 

Hiring Guide to the Information Security Profession

  • 1. Hiring guide to the Information Security Profession
  • 2. INTRODUCTION
    Welcome to the (ISC)2® Hiring Guide to the Information Security Profession. It’s no secret that it’s not easy to find qualified experts to protect your organization. As the world’s largest body of information security professionals, with more than 54,000 certified members in 135 countries, (ISC)2 wants to help HR professionals, recruiters and hiring managers understand the scope of this burgeoning profession and lessen the pain of obtaining the best and brightest information security staff.

    The information security profession is expanding rapidly. The 2006 (ISC)²/IDC Global Information Security Workforce Study (GISWS) showed that the number of professionals worldwide will increase to slightly more than 2 million by 2010, a compound annual growth rate of 7.8 percent from 2005 to 2010.

    It wasn’t always this way. Twenty years ago, the field of information security was in its infancy, and companies often brushed off threats to their infrastructure. Today, driven by legal and regulatory compliance and the desire to maximize global commerce, hiring first-rate information security staff is critical to mitigating risks that can destroy a company’s reputation, violate privacy, result in the theft or destruction of intellectual property, and, in some cases, even endanger lives.

    We hope this hiring guide, compiled with significant contributions from Alta Associates, will shine some light on the significance of this relatively new profession, as well as offer tips on ensuring your security staff is filled with talented and qualified professionals.

    You can also find more tools at the online (ISC)² Hiring Center at www.isc2.org/HRCenter.

    Best of luck in your recruiting efforts!

    Eddie Zeitler, CISSP
    Executive Director
    (ISC)2
    (1)
  • 3. TABLE OF CONTENTS
    What is Information Security? ...................................................... 3-4
    The Evolving Role of the Information Security Profession ............. 5-6
    What Types of Job Functions Exist? ............................................. 7-8
    What are the Ideal Traits of an Information Security Professional? .. 9-10
    What are Typical Career Paths? ..................................................... 11
    Crafting a Job Description ......................................................... 13-14
    Certification Requirements ........................................................ 15-16
    Recruiting ..................................................................................... 17-18
    Screening ...................................................................................... 19-20
    Interviewing .................................................................................. 21-23
    References/Security Checks ............................................................. 24
    Crafting and Presenting an Offer ............................................... 25-26
    Retention ........................................................................................... 27
    Resources .................................................................................... 29-30
    (2)
  • 4. WHAT IS INFORMATION SECURITY?
    Information security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The purpose of information security is to ensure that all information held by an organization, regardless of whether it resides on a computer hard drive or in a filing cabinet, is maintained with:

    Confidentiality - ensuring that information is accessible only to those authorized to have access;

    Integrity - safeguarding the accuracy and completeness of information and processing methods;

    Availability - ensuring that authorized users have access to information and associated assets when required; and

    Governments, military, financial institutions, healthcare and private business today amass volumes of confidential information about their employees, customers, products, and financial status. Most of this information is now collected, processed and stored on computers and servers and transmitted across networked systems. Should such confidential information fall into the hands of outsiders, such a breach of security could lead to lost business, lawsuits, reputation damage and even bankruptcy. Protecting confidential information is a common sense requirement these days, and in most cases is also a legal requirement.
    (3)
  • 5. WHAT IS INFORMATION SECURITY?
    Compliance – ensuring that all laws and industry regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers and Sarbanes-Oxley (SOX) for publicly traded companies, are met.

    The objective of an information security policy is to minimize damage to the organization by preventing and controlling the impact of security breaches. Information security provides the essential protective framework in which information can be shared while ensuring its protection from unauthorized users.
    (4)
  • 6. THE EVOLVING ROLE OF THE INFORMATION SECURITY PROFESSION
    Years ago, the majority of people responsible for protecting information assets entered the field without a formal background or education and obtained their experience in broader disciplines, such as information technology (IT) or engineering, transferring into information security only as the need arose.

    Unlike two decades ago, many younger professionals in today’s sophisticated cyber world have information security in mind from the beginning, pursuing college degrees in information security, information assurance, or a related discipline such as computer science. They also likely have a working knowledge of network systems and security protocols, security software programs and implementation, and best practices for developing security procedures and infrastructure.

    A secure organization requires seasoned professionals who can create and implement a program, obtain support and funding for the program, and make every employee a security conscious citizen, all while adhering to necessary regulatory standards. In addition, it requires a team of technical practitioners to implement the policies set by the security manager.

    Today’s information security professionals work closely with HR, legal, audit, IT and other areas of business to mitigate risk throughout the organization. Many are now called upon as critical contributors to business-decision making.

    In the face of these daunting challenges, the role of the professional has changed dramatically over the past few years. The successful professional must now quickly and securely respond to change, whether brought on by external and internal threats, or by customer demand for new goods and services. The professional must also
    (5)
  • 7. THE EVOLVING ROLE OF THE INFORMATION SECURITY PROFESSION
    implement integrated security solutions at all levels where people, processes and technologies intersect, and ensure they support the objectives of the organization.

    Although having qualified information security professionals on staff is a necessity for organizations of all industries and sizes, it is especially important to those who have critically sensitive information, such as financial, healthcare or insurance entities, or those who have to comply with strict legal or regulatory mandates.
    (6)
  • 8. WHAT TYPES OF JOB FUNCTIONS EXIST?
    In the early days of information security, an organization hired a single “security engineer” who was an adjunct to the IT department and focused on network security and security administration. The position required an understanding of network protocols, firewalls and network vulnerabilities.

    Today, with the increasing dependence upon the virtual world in every corner of business and society, the requirements and job functions of the information security profession have exploded. Security-specific roles include:
    • Forensics Specialist
    • Security Architect
    • Chief Information Security Officer
    • Information Assurance Manager
    • IT Security Manager
    • Certification & Accreditation Specialist
    • Risk Manager
    • Compliance Officer

    The scope of traditional security roles has also expanded. The early role of security engineer now has expanded to include numerous areas of specialization, such as identity and access management, vulnerability management and application security. These positions require extensive technical backgrounds, as well as business risk analysis so the security controls appropriate to the specific organization can be developed.
    (7)
  • 9. WHAT TYPES OF JOB FUNCTIONS EXIST?
    (8)
  • 10. WHAT ARE THE IDEAL TRAITS OF AN INFORMATION SECURITY PROFESSIONAL?
    While the information security profession has become too complex for any one set of specific skills, there are general attributes that are important to consider when seeking a professional. A few of these ideal traits include:

    Skills and Competencies
    • A track record of developing information security and risk management solutions;
    • A keen understanding of technology and the ability to leverage this knowledge to implement effective security solutions;
    • An understanding of the industry, the company’s place in the market, relevant regulatory and legal requirements, and how they can add value;
    • Solid communications skills. These include the ability to influence employee behavior and perceptions. The best security policies won’t be effective without buy-in from all employees;
    • The ability to articulate business value. Professionals must know their audience and talk in a language they understand;
    • Understands and manages risk. Security professionals must tailor their security postures to the specific needs and risk appetites of the organization;
    • Ability to build strong relationships with the key stakeholders of the organization, including legal, HR, audit, physical security, PR, and risk managers; and
    • Ability to see the overall security needs of an organization. Even in more traditional network security roles, organizations need professionals who can interpret technology in a way that’s useful and in line with its business and risk management goals.
    (9)
  • 11. WHAT ARE THE IDEAL TRAITS OF AN INFORMATION SECURITY PROFESSIONAL?
    Personal Attributes
    • A positive attitude. While professionals need a healthy dose of caution, the professional should emphasize the power of defense, rather than the negatives or costs of vulnerability;
    • Commitment to ethics. To be effective, a professional must always tell the truth and never exaggerate about what can and can’t be done; and
    • Embraces the need to stay current in the latest security and technology knowledge.
    (10)
  • 12. WHAT ARE TYPICAL CAREER PATHS?
    An information security professional can come from many different, non-security disciplines. Indeed, many exemplary professionals began their careers in technology and went on to learn security. Although professionals typically have technology backgrounds, increasingly they are also coming from risk assessment areas with strong project management experience.

    The two most common job paths available to information security professionals are the security technologist or the security manager/strategist. Some professionals enjoy meeting the day-to-day technical challenges of the security technologist role and will remain there throughout their careers, although even this role is increasingly requiring the “soft skills” of business knowledge, communication and collaboration. Others acquire the management skills needed to bridge the gap between an organization’s technical and business priorities.

    Desired attributes for a security technologist may include:
    • Deep understanding of multiple technologies
    • Subject matter expertise in a technical domain
    • Desire to remain part of technical implementation and monitoring side of security

    Desired attributes for a security manager may include:
    • Broad understanding of multiple technologies
    • Executive management and presentation skills
    • Particular knowledge of a business line or product
    • Desire to manage broader risk issues
    (11)
  • 13. WHAT ARE TYPICAL CAREER PATHS?
    (ISC)2 CAREER PATH
    (ISC)2 provides a career path for information security professionals from the beginning of their career until retirement. We offer a unique blend of certifications, advanced education, rigorous testing and specialized concentrations. (ISC)2 members are at the forefront of today’s dynamic information security industry. Look for one of these credentials when you make your next hiring decision.
    (12)
  • 14. CRAFTING A JOB DESCRIPTION
    A common misconception that still exists in many HR departments is that information security is part of information technology. In fact, because of expanding business requirements, the information security profession has splintered into many different facets beyond IT and offers specialization in process, auditing, policy, compliance and other topics. As with many fields, even a position with the identical job title in two departments of the same company can have different requirements.

    The key to developing a solid job description for the information security field is to ensure the hiring manager has an in-depth conversation with the HR department. Regardless of the level of the position, this initial discussion should help the hiring manager focus on what the organizational chart looks like, where this position sits, its roles and responsibilities, how the position relates to the larger organization, and expectations for success.

    If you are working with an experienced external recruiter who specializes in information security, this is the time to get them involved in the process. A knowledgeable recruiter can advise you on competitive salary ranges for the role and assist with the creation of the job description.

    Getting the recruiter involved this early in the process lays the groundwork for a successful partnership by creating a common understanding of the role and responsibilities and consistent messaging to potential candidates.
    (13)
  • 15. CRAFTING A JOB DESCRIPTION
    An information security manager’s job description may include:
    • Develop and oversee implementation of the organization’s information security policies and procedures;
    • Oversee implementation of the organization’s information security policies and procedures;
    • Ensure unauthorized intrusions, access and tampering are prevented, and detect and remediate security incidents quickly;
    • Ensure the most effective and appropriate security technology tools are selected and correctly deployed;
    • Provide information security awareness training to all employees, contractors, alliances, and other third parties;
    • Monitor compliance with the organization’s information security policies and procedures among employees, contractors, alliances, and other third parties;
    • Monitor internal control systems to ensure that appropriate information access levels and security clearances are maintained;
    • Perform information security risk assessments and ensure auditing of information security processes;
    • Prepare the organization’s disaster recovery and business continuity plans for information systems;
    • Monitor changes in legislation and accreditation standards that affect information security.
    (14)
  • 16. CERTIFICATION REQUIREMENTS
    In the requirements area, in addition to the education and experience level you are seeking, it’s important to determine the professional certification that best validates a candidate’s suitability for the position. If you are seeking a security technologist, a vendor certification that matches your organization’s particular technology environment, such as certifications from Microsoft or Cisco, might be desirable.

    A vendor-neutral certification to ensure the security technologist understands the overarching principles of effective security and can communicate well with security management is also desirable. These include certifications such as the Systems Security Certified Practitioner (SSCP®) from (ISC)2® and the GIAC from SANS.

    According to the 2006 Global Information Security Workforce Study, 85 percent of security hiring managers worldwide believe in the importance of information security certifications as a hiring criterion. Employee competency and quality of work remain the top reasons that employers and hiring managers continue to place emphasis on security certifications. Company policy and regulations are becoming critical reasons as well.

    For security management positions, the industry’s gold standard certification is the Certified Information Systems Security Professional (CISSP®), also from (ISC)2. The CISSP was developed by information security pioneers in the early 1990s and is the first and most respected security credential on the market. It tests the broadest knowledge of any information security certification with a six-hour exam on its CISSP CBK®, a regularly updated taxonomy of global
    (15)
  • 17. CERTIFICATION REQUIREMENTS
    information security topics. It also requires the candidate to possess five years of experience in at least two domains of the CBK, obtain endorsement by a certified (ISC)2 professional, subscribe to the (ISC)2 Code of Ethics, and complete annual continuing professional education requirements to remain certified.

    Other professional security certifications include the Certified Information Security Auditor (CISA) and Certified Information Security Manager (CISM) from ISACA, as well as CISSP Concentrations from (ISC)2 in management, architecture and engineering.
    (16)
RECRUITING

Information security professionals possess highly specialized skills that are in high demand. Because of this demand, talented professionals are often available for just a few weeks. It's a fact of the current market that organizations must hire a desired candidate quickly. Many qualified candidates are lost because the hiring process went on too long.

To be competitive in successfully recruiting information security professionals, the HR department should partner with the hiring manager and a specialized recruiter to streamline the hiring process before recruiting begins. Engaging a specialized recruiter can have many benefits, including reducing your time to hire, reaching passive candidates and extending your brand in a positive manner to the community. Make sure you choose a firm that has an established track record of success in the types of roles that you are filling and knowledge of your industry. Ask for references and gain a comfort level with the recruiter to ensure that you are confident that they are capable of partnering with you on the full life cycle of recruitment, from sourcing the candidate through negotiating an acceptance. Developing a trusted relationship with a specialized recruiter will enable you and the hiring manager to have confidence that you are finding the best possible candidate in the most expedient time frame.

Professional associations can also be an excellent resource for finding the right candidate. (ISC)2®, for instance, offers employers access to nearly 60,000 certified members worldwide through its online Career Center. Employers can post jobs and search resumes by industry, specific certification and location. Only certified (ISC)² credential holders may post resumes on the (ISC)² Career Center. The service is free of charge.

Another avenue of recruiting is to build a partnership with an association and sponsor programs or provide informational sessions that might be appealing to their membership. Placing your organization's name regularly in front of security professionals is a great way to connect with the person who is not actively looking but may be interested when he or she hears about an opportunity.

If your position is one that a recent college graduate would be qualified for, consider contacting schools that have been qualified as a U.S. National Center of Academic Excellence in Information Assurance Education (CAEIAE) Program or regional equivalent (www.nsa.gov/ia/academia/caeiae.cfm). The goal of the U.S. program is to identify four-year colleges and graduate-level universities that demonstrate academic excellence in information security education. Currently, there are 85 National Centers of Academic Excellence in Information Assurance Education.

You may also wish to consider a student or recent graduate who has attained the Associate of (ISC)² designation. This designation is earned by those who pass the rigorous CISSP® exam and have committed to the professional Code of Ethics but do not yet possess the requisite experience to be certified.
SCREENING

Detailed initial screening of the information security candidate will allow for a better assessment of whether an individual's goals and motivators are in line with what the organization is seeking.

Information security is a relatively new discipline and has a recently established educational curriculum and career path. For instance, many academic institutions have only been offering security-focused programs in the past five years or so. Besides the IT field, many more senior information security professionals have come from the military, law enforcement and security auditing fields.

Below are some general requirements or suggestions, broken down by education, technical skills and general skills.

Education Options/Requirements:
• Associate Degree in systems administration
• BA in information technology or related field
• BS in computer science or equivalent information security experience
• MS or MA for director or higher position
• Ph.D. for professor, researcher, advanced developer

Technical Skills Required:
• Knowledge of network systems and security protocols
• Knowledge of security software programs and implementation
• Knowledge of best practices in developing security procedures and infrastructure

General Skills and Aptitudes:
• Excellent oral, written and presentation skills
• Strong conceptual and analytical skills
• Ability to operate as an effective member of a team
• Ability to manage multiple diverse tasks simultaneously
• Strong project management skills (ability to manage the overall project while understanding the subcomponents and how they relate to the total project)
• Possess a vendor-specific or vendor-neutral professional certification*
• Excellent leadership qualities*
• Demonstrate interpersonal and conflict management skills*
• Ability to effectively relate security-related concepts to a broad range of technical and non-technical staff*

* Helpful for advancement to information security management.
INTERVIEWING

Before any interview, HR should work with the hiring manager and specialized external recruiter to develop a set of evaluation criteria for all to follow and confirm who the final decision maker will be. The final decision maker, along with the interviewers, may then create an evaluation form listing agreed upon critical profile points for each position. It can include specific technical requirements, cultural fit, communication and presentation skills, potential for growth, and relevant past experiences.

Each interviewer ought to touch on all topics but also be assigned specific profile points to delve into. This approach will facilitate a comprehensive understanding of the candidate's strengths and weaknesses, allowing the decision maker to make an informed choice when extending an offer.

Companies need to devote attention to selecting and preparing the interviewers. Those selected should have a clear understanding of the roles and responsibilities of the position and know the priority of skills required. In addition, all interviewers must provide a consistent message about the details of the position, such as reporting structure, title, compensation, and responsibilities.

Everyone must also take part in selling or closing the candidate. This means everyone in the interview process must be positive and informative, and highlight the position's potential for growth. Interviewers must recognize that they are the face of your department and company, and the image they present will make a significant impression on the candidate.

While the hiring manager will likely focus on the hard technical skills, HR should help the interviewers get a sense of the candidate's "soft" skills, such as whether he or she can communicate effectively and articulate business value. If the information security professional cannot positively influence employees, especially those not under his or her direct authority, processes and technology won't solve anything. Asking the candidate to explain a security issue to a non-technical person can be one way of evaluating their communication skills.

The candidate should know how to deliver appropriate messages to different audiences and tailor security posture to fit the specific needs and risk appetites of an organization. Ask the candidate to provide examples of where he/she has utilized common ground to build credibility and gain consensus.

Leadership is another key desired attribute, and asking for a specific example where the candidate demonstrated leadership can be helpful. Both the answer and the manner in which it is answered reflect leadership qualities.

Another good interview question can center on what differentiates the candidate from other information security professionals. A quality to look for includes how well a candidate articulates the effect their efforts have had on the success or bottom line of their organization.

Ask the candidate to describe a specific security issue and how he or she solved it. The type of answers you hear define the traits of a successful security professional:
• Did they display an understanding of the cause of the problem before they implemented the solution?
• Did they consider and anticipate the impact of different courses of action?
• Were they able to tailor the solution to meet the needs and risk appetites of the business, and how successful were they in communicating the results?

Also, identify what your candidate reads and the Websites they visit. Information security is a field that's constantly changing, so you should make sure a candidate is well-informed and keeping up with the latest forums, discussion groups and other industry sites.
REFERENCES/SECURITY CHECKS

Checking references and verifying background information are critical when hiring an information security professional, as information security professionals often have more access to employee, customer and proprietary data than any other single job function. Strong ethics and honesty are imperative.

Professional references not only validate and verify an information security candidate's technical ability to do the job but also his/her communication skills, personality and moral compass. An information security candidate who fails a background check either for errors of omission, misstatements of facts, or financial or legal problems presents a red flag, and great care should be taken before proceeding any further with the hiring process.

Test the candidate's credibility by verifying academic and professional credentials, professional background and personal references. (ISC)2® offers a free online certification verification tool for employers that only takes a few seconds. Also, several vendor-neutral certification organizations, including (ISC)2, require candidates to subscribe to a professional code of ethics and risk decertification if they are found to be in violation.

Look at credit reports as an indication of financial problems that may influence misdeeds. Some of the issues to consider are a record of multiple collections, civil judgments, bad debts, charge-offs, a tax lien or repossession.

Make sure you notify the applicant that he or she can dispute the information contained in the background check report if he or she deems it to be inaccurate or incomplete.
CRAFTING AND PRESENTING AN OFFER

HR departments often fail to recognize that salary scales for information security professionals are higher than those of general IT practitioners, resulting in the extension of offers that are below market value and ultimately rejected. Information security is a field where conditions are constantly changing, and it is difficult to stay on top of the skill sets, profile and market value of security professionals. Be hesitant to rely on information security salary surveys by publications and industry analysts, as they are often not in line with the realities of the marketplace, offering estimates that are much lower than what it actually takes to retain high-caliber talent. These don't take into account the specialist skills in demand, different geographic regions and different organizational layers that must be considered to make a competitive offer.

One of the more accurate salary surveys is included in the Global Information Security Workforce Study, which surveys thousands of information security professionals worldwide. It can be downloaded free of charge from the (ISC)2® Website at www.isc2.org/workforcestudy.

Before making a decision on an offer, make sure the interview team:
• Collects and discusses evaluation criteria
• Understands the candidate's total current compensation and expectations
• Considers creative compensation alternatives

Again, everyone should be aware of the hiring process time line. The more time taken to deliver the offer, the more likely the candidate will be contacted by other companies, may re-evaluate his/her current position, get promoted, or just plain lose interest. There is an inverse correlation between the length of time it takes to extend an offer and the number of offers accepted.

If you can, be creative in your job offer by including a bonus or commission related to performance beyond the base salary. It's a fact, too, that many information security professionals are not attracted solely by salary and respond to opportunities to further their educational development, work on an innovative project, obtain professional certification, attend conferences, write and publish papers, join associations, etc. Many professionals appreciate the flexibility to network with their peers in addition to meeting the requirements of their job. Much of that networking also makes them more knowledgeable professionals.

It is also wise to discuss succession plans. Discuss professional growth and give examples of how other employees have developed a more prominent role during their tenure at the organization. Also consider the organization's policy for reimbursement of certification and education fees, continuous education, etc.

In the end, the hiring manager, HR and recruiter should work together on presenting and selling the offer. Presentation and messaging are extremely important in making a successful offer and retaining the desired candidate. Information security professionals generally aren't prima donnas but often receive a certain level of attention from your competitors because of their specialized skills and high demand in the marketplace.
RETENTION

With the amount of competition for quality information security professionals, companies must take a more strategic and supportive approach to retention if they want to keep the new breed of evolving talent.

Develop a formalized career progression for the best and brightest members of your current information security team. One of the most unique and beneficial attributes of working in an information security department is the exposure one gets to operations, processes and technologies across the whole organization. This exposure provides a great training scenario for building the management teams of the future.

Also, defined career paths will help assure the continuing supply of capable successors for each important position within the security team. Organizations must work to satisfy the long-term career goals and need for professional challenges of their information security staff because they are in such high demand in the job market.

HR professionals should also encourage information security employees to seek out opportunities in training and education. Evolving and emerging threats and attacks will continue to require security professionals to learn new skills and techniques. By cultivating home-grown talent, the HR team will be giving valued employees the tools to succeed, benefiting the organization in the long run. In addition, the reputation of having a strong security team can result in an organization's ability to hire the best candidates on the market.

Also allow the security professional to network with their peers to establish an external support network consisting of people outside of their company that they can go to openly or privately for advice and support.
RESOURCES

AFCEA International
www.afcea.org

Alta Associates
www.altaassociates.com

American Council for Technology (ACT) and Industry Advisory Council
www.actgov.org

American National Standards Institute (ANSI)
www.ansi.org

ASIS International
www.asisonline.org

Computer Security Institute
www.gocsi.com

The Computing Technology Association (CompTIA)
www.comptia.org

Executive Women's Forum
www.infosecuritywomen.com

Information Assurance Professionals Association (IAPA)
www.iapa-glc.org

Information Systems Audit and Control Association (ISACA)
www.isaca.org

Information Systems Security Association (ISSA)
www.issa.org

Information Technology Association of America (ITAA)
www.itaa.org

International Association of Privacy Professionals
www.privacyassociation.org

International High Technology Crime Investigation Association (HTCIA)
www.htcia.org

International Information Systems Forensics Association (ITFSA)
www.iisfa.org

International Information Systems Security Certification Consortium, Inc. [(ISC)2®]
www.isc2.org

Internet Security Alliance
www.isalliance.org

National Academic Centers of Excellence
www.nsa.gov/ia/academia/caeiae.cfm

SANS Institute
www.sans.org

Security Industry Association
www.siaonline.org
ACKNOWLEDGEMENTS

(ISC)² wishes to acknowledge the invaluable contributions of Joyce Brocaglia, president and CEO of Alta Associates, Inc., in the making of this guide. Founded in 1986, Alta Associates is widely respected as a leading information security recruiting firm, helping global enterprises build world-class information security departments for 22 years. For more information, please visit www.altaassociates.com