The Business of
Security – October 2009
by Andreas Wuchner, IT
Manager and Risk, Compliance, and Security Professional, Deutsche Bank
At a time when the global economy has nearly collapsed,
leaving every investor, business, and employee under enormous pressure, a safe
and steady income matters more than anything. Globally, gross domestic
product (GDP), industrial production, and retail sales are heading south while,
at the same time, unemployment rates are rising fast. Within the security
market we are still in very good shape and, luckily, have not been hit too
badly so far. Most organizations haven’t cut their security budgets and have
no plans to do so in the near future. Many IT specialists have already recognized this
and have started to focus more and more on this knowledge area. With
this trend, more and more people are competing for the same number of jobs
in the market. What do you need to do to be prepared for that? What
differentiates the specialist from the beginner, and how can an enterprise
organization evaluate qualifications?
My name is Andreas Wuchner and I’m the author of the Risk Management blog. I have been working for
more than 12 years in the IT security space and, in my former role as Head of IT
Security & Risk Management for GIS Novartis Pharmaceuticals, I gained a great
deal of experience in hiring security staff. That experience is what I want to share
with you today.
Expertise and Knowledge
Let me start with the debate around the background knowledge
of an ideal candidate. Over the last couple of years it has become an almost religious
debate whether the right IT security candidate must have a solid technology
background or whether a business-oriented person with an MBA would be the better
fit. In the end, it’s all about the ability to speak the language of the business,
right? The answer therefore depends heavily on the company. In an organization
where a lot of IT services are outsourced, the IT security specialist needs to
have a strong service management orientation. In a technology company, the
customers are technologists and the ideal IT security person needs a
strong technology background. If there is one thing I would recommend in
this space, it is to look carefully at the company and business to which you
are applying. If you come from a pure technology background, you will
have a hard time in a business environment where technology is not the main
topic. To have a seat at the customer’s table, and to be trusted, you need to
earn it, and you need to be able to speak the language used at the table. A
security and risk professional needs to be able to differentiate between a vulnerability,
a threat, and the resulting risk. If you are already in security and want
to develop into a more risk-oriented job, then start working on your
business skills as soon as possible.
Certification
Another area of discussion is the topic of certification.
Certification within IT is big business and the variety of offerings is
enormous. It is extremely hard to separate the ones that really add
value from the ones that just take your money. I did my CISA and CISSP
certifications partly to learn first-hand what such common bodies of
knowledge are worth. From what I have learned, I must tell you that a
certification in the field of security proves only that there is a baseline of
certain specialist knowledge. It doesn’t prove to me that somebody is
up-to-date. Personally, I always prefer
real-life experience to certification. Depending on the position we are hiring
for, several years of experience in a similar role in an international
environment are a must. Again, be aware of the company to which you are
applying.
Communication Skills
A large part of the security role is communication. A good
and experienced security specialist is known as an enabler, someone who
says “Yes, but with …” instead of starting with “No” every time. Why do we
engineer big brakes into fast sports cars? Risk- and business-oriented security
specialists will answer, “To be able to drive faster than we could with
smaller brakes.” Only an old-fashioned specialist would answer, “To be able to
stop.” It’s about being risk-focused and being able to communicate the
enablement part. Every security specialist who wants to work in my team
needs to be able to speak clearly and communicate well with technical teams,
business managers, and management in general.
Ongoing Education and Industry Knowledge
To be a real partner, up-to-date knowledge is essential and
ongoing education is a must. One of the main criteria for every security and
risk person I hire is how he or she keeps that knowledge current. Using real-life
topics, I ask the candidate for thoughts and suggestions on a
possible solution. Additionally, sharing knowledge and experience helps every
organization avoid certain mistakes, and being part of a trusted global network
of security and risk specialists helps each of us stay up to date. You might
use questions like the following:
- What magazines or Web sources do you follow?
- What are the burning topics of the industry for
the next 36 months?
No security specialist has every piece of information at
his or her disposal. The question is: how would they find the missing pieces?
Good Under Pressure
One attribute of working in security is the guarantee of
surprises from time to time. Perhaps your organization comes under attack from
outsiders, or people within the organization are doing things they shouldn’t be
doing, or a top manager loses a mobile device with all kinds of business-critical
information on it. The list is endless, and whenever something big happens,
many people tend to panic. Panic and high emotions are the worst partners you
can have when working in the security field. The best security specialists I know
are at their best when under fire. Being able to stay calm in hot
situations, to stay focused on results and solutions, to make fast
but solid decisions, and to clearly instruct and manage other people are the
criteria that differentiate winners from losers in moments of crisis. I
normally test candidates for such abilities. How?
Trustworthy
People working in security will, by nature, have access to
a lot of sensitive information, information that most organizations don’t want
to see in public. For me, values and trustworthy behavior are absolutely
essential in every security candidate. Depending on the country (not every
country allows a full background check under its local laws), a solid
background check needs to happen to ensure that there are no doubts about the
integrity of a candidate. I wouldn’t hire the best candidate with the best résumé
if I had doubts about his or her integrity. Trust is very important to me.
Conclusion
It is clear that a good candidate for a security and risk position
needs to fulfill some basic requirements, depending on the organization they are
applying to and the focus of the job they will fill. No
organization wants to reinvent the wheel, and therefore it is essential that a
security candidate has:
- A solid understanding of high-level
international security standards like ISO 27001/2
- A solid knowledge of security technologies and
processes to ensure data security
- Basic business administration skills to be able
to judge cost versus value
- The ability to participate in all kinds of
meetings, “selling” the security value with well-founded arguments
- The willingness to constantly develop and
educate herself or himself
- The ability to keep relationships alive
- The ability to get into a new topic very quickly
- The ability to understand the different
requirements of every business unit
I’m absolutely thrilled to work in the field of IT security and,
with all the changes going on right now in the economic world around us, I’m
sure that jobs in this field will not become boring any time soon. I can only
encourage everyone to keep their knowledge and skills up-to-date and to maintain a
close working relationship with their main stakeholders. IT is a
service unit that produces services which should support the business, allowing
it to do a better job. There are not many companies out there where IT is the
core competence. With this, I wish you all the best for your professional and
personal future.
--------------------------------------------------------------------------------------------------
Andreas Wuchner is an
experienced General IT Manager, Risk, Compliance and Security Professional at
Deutsche Bank. He is a globally-acknowledged and well-known thought leader in
the risk and security industry; and sits on advisory boards of leading IT
technology companies including Microsoft, Oracle, Symantec, and Qualys. A
self-motivated, professional, and dedicated individual, Andreas thrives on
challenges and welcomes opportunities to work both autonomously and within team
environments to develop and achieve set goals and targets. Outside of his job,
Andreas is very passionate about all aspects of security management and is
editor-in-chief of his own Risk Management Blog at http://ITRiskSpace.com.