Special Coverage Series

Network Computing

Special Coverage Series


How To Hire The Right IT Security Pro

Want to hire the best security team for your company? Understand your security needs, focus on specific skills (including people skills), and don’t worry too much about certifications, advises security expert Michael Davis.

Recent reports show that demand for security staff is rising faster than the available supply of workers. At the same time, the No. 1 hiring priority for U.S. companies is beefing up the ranks of competent security staffers, according to a recent InformationWeek staffing survey.

Twenty-four percent of companies polled said they plan to increase the number of security staff positions during 2013, the report found.

More Insights

Webcasts

More >>

White Papers

More >>

Reports

More >>

But it won't be easy. 39% told InformationWeek that people with the right skillsets were difficult to find.

There are ways for hiring managers overcome a skewed demand/supply curve. The first thing to do is reconsider your requirements without lowering your standards, according to Michael A. Davis, CEO of security consulting firm Savid Technologies, who wrote the InformationWeek security hiring report.

"Most security teams fail for one of two reasons," he wrote. "A lack of proper funding and bad hires. Funding is becoming less of a concern...but making the right hire is always a concern."

The most important things are for your company to understand its specific security needs, and make sure the hiring budget matches the actual requirements, Davis wrote. Security plans often founder because a company hires only one security professional when three are required, or a company assumes that a person who only spends part of her time on security is just as effective as a full-time, dedicated hire.

Companies may also overlook qualified candidates because they think they need a "security ninja;" that is, someone who is expert in white-hat hacking, IT architecture, network engineering, policy administration, social engineering, training and every other potentially relevant skill.

Even companies desperate to overcome a serious shortage of infosec skills don't necessarily need to hire a person with mythic skills. "Usually when a company thinks it needs a ninja, we find it really just needs a plan and someone to execute it," Davis wrote.

[ Join us at Interop Las Vegas for access to 125+ IT sessions and 300+ exhibiting companies. Register today! ]

The first step, then is to identify the specific projects, tasks and roles a new security hire would fill during the first six to 12 months. "Specific," by the way, means something like "analyze and bring up to spec all firewall rules and anti-virus systems," not "stop all the hackers."

In addition to expertise, some organizations may require a security professional with softer qualifications, such as good people skills that will allow him or her to balance security demands with the productivity needs of business units.

Security pros with experience as a security evangelist should be able to act as a go-between and translator for IT and business units, making clear to business-unit managers and executives the importance of security and what that means to both their budgets and business procedures.

Finders, Keepers

It's one thing to want to fill a security position, but another thing to find someone to do it. Of the companies surveyed by InformationWeek, 21% said they prefer to retrain existing staff to fill new security roles. Only 16% said new skills would come exclusively from new hires or contractors. The other 63% planned to mix and match retraining, contracting and new hires in various combinations.

For new hires, the job description should be as detailed as the resumes you hope to review. Listing "Windows 2008 experience" as a requirement is not the same as "analysis of Windows 2008 event logs to determine if a login event was legitimate or not," Davis wrote.

Testing candidates in an interview is a fine technique, but whiteboarding a situation your company actually faces will also show more accurately how a candidate would approach the problem than inventing a theoretical problem, Davis wrote.

It's reasonable that companies would want to hire qualified candidates, including those with industry certifications. According to a report from Burning Glass, a developer of job-search and resume-parsing software, the number of job ads requiring security candidates hold a Certified Information Systems Security Professional (CISSP) certificate is 52% higher now than in 2011.

However, while potential employers may regard a security certification as a validation of a candidate's ability, organizations may not want to put too much stock into it. "We look at most security certifications as worthless," Davis wrote.

The problem with certifications is that they help recruiters identify candidates, but don't identify for hiring managers whether a candidate has a passion for security, or analytic problem-solving skills. Hiring managers have to go further to establish a candidate's bona fides, Davis maintained.

Davis' final hiring tip is to establish specific criteria and a consistent evaluation process before interviewing candidates. If more than one hiring manager interviews a candidate, it's more useful to have metrics against which to compare their impressions rather than the just gut feeling of each interviewer.

Hiring the right person takes time, but Davis says the time invested is worth it. If an organization cuts corners in the hiring process, it raises the odds that it will have to go through the whole rigamarole again in six months when a new hire isn't up to the job, or a good hire goes looking for another job with managers who might understand and appreciate their genuine skills.



Related Reading



Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 

Editor's Choice

Research: 2014 State of Server Technology

Research: 2014 State of Server Technology

Buying power and influence are rapidly shifting to service providers. Where does that leave enterprise IT? Not at the cutting edge, thatís for sure: Only 19% are increasing both the number and capability of servers, budgets are level or down for 60% and just 12% are using new micro technology.
Get full survey results now! »

Vendor Turf Wars

Vendor Turf Wars

The enterprise tech market used to be an orderly place, where vendors had clearly defined markets. No more. Driven both by increasing complexity and Wall Street demands for growth, big vendors are duking it out for primacy -- and refusing to work together for IT's benefit. Must we now pick a side, or is neutrality an option?
Get the Digital Issue »

WEBCAST: Software Defined Networking (SDN) First Steps

WEBCAST: Software Defined Networking (SDN) First Steps


Software defined networking encompasses several emerging technologies that bring programmable interfaces to data center networks and promise to make networks more observable and automated, as well as better suited to the specific needs of large virtualized data centers. Attend this webcast to learn the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging.
Register Today »

Related Content

From Our Sponsor

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

Business executives are challenging their IT staffs to convert data centers from cost centers into producers of business value. Data centers can make a significant impact to the bottom line by enabling the business to respond more quickly to market demands. This paper demonstrates, through a series of examples, how data center infrastructure management software tools can simplify operational processes, cut costs, and speed up information delivery.

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Both hot-air and cold-air containment can improve the predictability and efficiency of traditional data center cooling systems. While both approaches minimize the mixing of hot and cold air, there are practical differences in implementation and operation that have significant consequences on work environment conditions, PUE, and economizer mode hours. The choice of hot-aisle containment over cold-aisle containment can save 43% in annual cooling system energy cost, corresponding to a 15% reduction in annualized PUE. This paper examines both methodologies and highlights the reasons why hot-aisle containment emerges as the preferred best practice for new data centers.

Monitoring Physical Threats in the Data Center

Monitoring Physical Threats in the Data Center

Traditional methodologies for monitoring the data center environment are no longer sufficient. With technologies such as blade servers driving up cooling demands and regulations such as Sarbanes-Oxley driving up data security requirements, the physical environment in the data center must be watched more closely. While well understood protocols exist for monitoring physical devices such as UPS systems, computer room air conditioners, and fire suppression systems, there is a class of distributed monitoring points that is often ignored. This paper describes this class of threats, suggests approaches to deploying monitoring devices, and provides best practices in leveraging the collected data to reduce downtime.

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Rack power of 10 kW per rack or more can result from the deployment of high density information technology equipment such as blade servers. This creates difficult cooling challenges in a data center environment where the industry average rack power consumption is under 2 kW. Five strategies for deploying ultra-high power racks are described, covering practical solutions for both new and existing data centers.

Power and Cooling Capacity Management for Data Centers

Power and Cooling Capacity Management for Data Centers

High density IT equipment stresses the power density capability of modern data centers. Installation and unmanaged proliferation of this equipment can lead to unexpected problems with power and cooling infrastructure including overheating, overloads, and loss of redundancy. The ability to measure and predict power and cooling capability at the rack enclosure level is required to ensure predictable performance and optimize use of the physical infrastructure resource. This paper describes the principles for achieving power and cooling capacity management.