ECommerceTimes.com
Security

E-BUSINESS SPECIAL REPORT
How To Hire a Security Guru
As software flaws, wireless network holes and data thieves continue to make companies vulnerable to technological bad guys, a growing need for security experts has driven more IT workers toward this constantly changing field.

However, the search for the right keymaster can be a tricky one. After all, hiring someone to watch all of a company's electronic doors can be a terrifying prospect for even the most seasoned CIO. How can a company make sure it is handing the keys to the kingdom to the right candidate?

Although the CISSP (Certified Information Systems Security Professional) certification separates some of the wannabes from the superstars, companies still need to employ a variety of methods to find the right security guru.

Taming the Scaredy Cat

One of the first steps in hiring a good security expert is getting over the fear that anyone who comes on board is going to sink the company.

"Most people are scared to death of security gurus," Aberdeen Group analyst Jim Hurley told the E-Commerce Times. "Organizations are very scared of what these people can do."

The result of such fear is that a company can put its data at risk by leaving security positions vacant, because it sees hiring more security staff as itself a threat. This Catch-22 is difficult for some executives to overcome.

Hurley said Aberdeen estimates the number of information security personnel in any organization at about 0.005 percent of the total employee population. That number indicates how short-staffed most organizations are in the security arena, he noted.

"I suspect that some of the fear is due to a lack of understanding of what the real risks are," Hurley said. "The art of computer and network security is still seen as a black art rather than a science by many of the executives that hire people. That's unfortunate."

Top Dog

Fortunately, if a company is willing to take the plunge and hire a guru, there are certain qualities that make the great stand out from the merely good.

At the highest level, such as a CSO (chief security officer), candidates should have a strong business sense in addition to technical knowledge.

Even more important, the candidate should be able to map security programs as either revenue generators or loss leaders, according to Yankee Group senior analyst Eric Ogren.

"You want the security person to understand the technology involved," Ogren told the E-Commerce Times, "but that person should also be politically savvy enough to understand how security measures affect the business overall."

Worker Bee

Some organizations, when contemplating a new security hire, may find that they do not need a high-level executive, but rather an on-the-spot guru who can troubleshoot as well as implement new technology.

In that case, Ogren said, "There are personality traits that are important, like the ability to work extremely independently and to navigate competing technologies. A lot of products need help to work together, and you want a security person who's able to roll up their sleeves and manage it all."

Other qualities that shine in a great security person are the same characteristics that make other IT employees valuable.

For example, John Challenger, CEO of outplacement firm Challenger, Gray & Christmas, told the E-Commerce Times that a great security person should be able not only to deal with threats, but to anticipate them as well.

"They should be able to track down problems and investigate them," he said. "They should be willing to be on call 24 hours a day, which is pretty standard, and they have to enjoy keeping up with the latest information. This is a field that's constantly changing, with new issues arising, so you should look for someone that likes to keep on top of that."

Reference Section

Such qualities can be hard to spot in an interview, but there are a variety of other ways for companies to pluck the right security person from the pool of applicants.

Extensive use of references is often helpful. Although checking references is standard procedure for any job candidate, security people in particular should have sterling recommendations -- and plenty of them.

"Certifications just tell you that a person can learn," Ogren said. "They tell you that the individual can set goals. But there are lots of ways to get an A."

The better way to find out more about a candidate is to dig, and dig deep.

"You always want to check references in terms of character, but also, with security people, ask about what systems they've used," Ogren noted. "It's crucial to know the extent of their technology background, and if they are as experienced as they say they are."

Letter Jacket

As more security experts seek CISSP certification, the credential is slowly becoming more of a requirement in the field, though many good security gurus still remain uncertified.

"It's always nice to have certifications," Challenger said. "It gives you a feel for how much that person knows on the topic."

In fact, some companies place great emphasis on the certification, and even send their lower-level security employees to class to earn a CISSP.

Gwen Sparks, a spokesperson for Verizon, told the E-Commerce Times that although the company does not have a formalized requirement that its security employees get certified, it encourages them to pursue the CISSP and even ponies up the cash.

"We think it's important," Sparks said.

For aspiring security gurus, this is one way to meet the fairly rigorous certification requirements.

"There's a vicious cycle with the CISSP, that you have to have three years of work in security to get it, so it's easier for our security personnel to get the certification while they're employed," Sparks said.

By Elizabeth Millard