Building an Effective Infosecurity Team

By Jodi Mardesich

With the onslaught of viruses, worms, and other intrusions attempted against corporate networks, information security is one IT budget area that can't be compromised. Even more important than investing in effective firewalls and intrusion detection systems is the human component, and that involves building a strong information security team.

Opportunities in this field are expected to grow steadily. International Data Corp projects that the number of infosecurity professionals will increase from 1.3 million today to 2.1 million by 2008.

Still, for CIOs, finding the right people can be a challenge, according to a study on infosecurity hiring by the Information Technology Association of America (ITAA). Of the ITAA members who participated in the study, 43 percent said job candidates lack hands-on experience. More than half the respondents said it was difficult to quantify technical skills, and one-third said they lacked standards to measure candidates against job responsibilities. The most challenging task, according to respondents: finding experienced, senior information security professionals.

In order to make better hiring decisions, CIOs need to clearly define the staff's roles and responsibilities. Inadequate specification of roles and responsibilities is one of the major impediments to moving ahead with information security at most organizations, says Charles Cresson Wood, an independent information security consultant with more than 25 years of experience and author of Information Security Roles & Responsibilities Made Easy. "Part of the reason why this is such a continuing problem is because specification of roles and responsibilities is a top management activity, except top management doesn't know about the real world of information security."

This creates a communication breakdown, Wood says, since management needs the technical staff to tell them what roles and responsibilities need to be specified, yet the technical staff expects management to do this work.

To break out of this cycle, Wood says, management should enlist the help of technical staff to write job descriptions. They should also draft documents that can be used for backup and to cross-train staff. Once management has this information, it can do a "gap analysis," which involves analyzing what's needed, and comparing those results to what already exists.

Creating a new structure

To create an effective information security team, consider hiring an infosecurity "czar." This person -- who may go by various titles, including chief security officer, chief information security officer, or vice president of information security -- usually reports to the CIO. According to Wood, however, this structure can pose some serious conflicts of interest that can result in security and privacy being compromised. "For example, when concerned about low cost or time to market with a new software package, a CIO may be tempted to go with these objectives at the expense of security and privacy," Wood says.

In some organizations, the security chief reports to the president or CEO. Another option is to have the security chief report to a top manager in the legal department, since in some fields, such as healthcare and financial services, security is a legal and regulatory issue, Wood says.
 
What they're worth
 
CIOs should also keep in mind that the infosecurity team doesn't come cheap. Security professionals have experienced growth in job prospects, career advancement, base salary, and salary premiums for certification faster than other information-related fields, according to an IDC infosecurity study.

Salaries for infosecurity positions vary. According to a 2004 salary survey by Computerworld, the average salary for chief security officers was $106,500; mid-level information security managers had an average salary of $90,137, while staff and entry-level security specialists had an average salary of $69,530 -- higher than all other staff positions other than "project leader."

Information security staffers saw the largest raises across all levels. According to the Computerworld study, the average chief security officer salary was 6 percent higher than the prior year. Among mid-level positions, information security managers' salaries grew the most, at 4.9 percent, and information security specialists' salaries went up 4.4 percent.

Where and whom to recruit
 
Before going outside for job candidates, CIOs might first consider looking under their own noses. Sixty-eight percent of respondents to the ITAA study said hiring from within is the best way to find infosecurity professionals. Word of mouth is another effective means -- 52 percent of the companies ITAA surveyed rely on word of mouth.

"They're a tight-knit group," says Lee J. Kushner, president of L.J. Kushner and Associates, an infosecurity recruiting firm. Kushner recommends networking with security trade organizations and consulting security-related Web sites to find qualified candidates.

In terms of identifying the right people, Kushner recommends looking for candidates who have a combination of people skills, technology skills, and process skills. "They have to have a good foundation in either information security, information technology, information technology audit, or compliance," Kushner says.

Continuing education
 
One measure of a candidate's knowledge is education. Another is certification. Good candidates will demonstrate a penchant for staying abreast of changes in products, policy, and certification.

The two main forms of information security certification are the CISSP (Certified Information Systems Security Professional) and the GIAC (Global Information Assurance Certification).

The CISSP is the older of the two, and is administered by the International Information Systems Security Certification Consortium, or ISC2. The GIAC, founded in 1999, is administered by the SANS Institute.

For ongoing security training, online classes are available from ISC2. Other options, in the form of workshops and classroom training, are available from the MIS Training Institute and Security University.

Building an effective infosecurity team is a continuing process, one that requires constant refreshing and education. "It's an ongoing business function," Wood says. "It's not just about putting a team in place."

Jodi Mardesich writes about business and is a former staff writer for Fortune.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
