As an IT security executive, I am constantly asked, "What do you look for when hiring?"
Naturally, certification as an accredited security professional helps get job candidates to the table--there are many respected credentials, such as those offered by (ISC)2, ISACA, and SANS, to name a few. And it’s easy to point to the skills and qualifications that we articulate in our job postings.
But credentials are only part of what makes a good information security pro. Too often, information security professionals are seen by our colleagues in other areas of IT management not as partners, but as "Dr. No" who puts the kibosh on new projects and business initiatives because of security concerns. This is no longer an acceptable stance in most companies. Today's security pro must be able to work with business units to safely achieve their goals.
With this in mind, here are the top 10 qualities I look for when hiring future security leaders:
1. Results focus (i.e., a demonstrable track record of getting things done)
I am looking for people who can demonstrate to me that they not only know and understand information security, but they have implemented successful programs or have led business-driven initiatives to successful completion. When I interview candidates, I routinely dig deep in this area to try to gauge whether the individual truly has a track record of success.
2. Passion
Frankly, I expect to hear from candidates that they are passionate about information security--but that’s not necessarily what I want to know. What I really want to know is, what is their passion? It could be music, sports, or art. It doesn’t matter--I just want to know that the individual has depth and is passionate about something. From my perspective, someone who has a passion for something--anything--is a person whom I find interesting and who will excel professionally.
3. Operational experience in multiple IT disciplines
Operational experience provides a critical foundation in IT management. Knowledge of and experience in operational processes--in areas such as mainframe operations, networking/communications, logical access, and application development--provide valuable and tangible experience that enriches the individual’s capacity to understand complex IT-related business problems.
4. Commitment to continuous personal development
Candidates often come to me and say how interested they are in information security--but when I ask them what steps they have taken to learn about the profession, they tell me that they plan to sign up for training at some point. I like to see people who have shown commitment by actually completing training or are achieving a professional certification. Participation in security-focused user groups, volunteer work, or other related areas of academic study also demonstrates this commitment.
5. Self-awareness
It's often difficult for me to give direct feedback to an individual who earnestly believes he or she is the best candidate--but is clearly nowhere near ready for the job in question. Self-awareness is a leadership trait that requires individuals to take stock of their skills, understand how they are perceived by their peers and their managers, and develop a personal development plan. Seeking feedback, accepting constructive criticism, and demonstrating a willingness to act on this feedback are all fundamental to success in a security position.
Read the next five reasons security professionals get hired on Dark Reading.
Greg Thompson is vice president of enterprise security services at Scotiabank. This article appears as a special to Dark Reading courtesy of the (ISC)2 Advisory Board of the Americas Executive Writers Bureau.