As an IT security executive, I am constantly asked, "What do you look for when hiring?"
Naturally, certification as an accredited security professional helps get job candidates to the table -- there are many respected credentials, such as those offered by (ISC), ISACA, and SANS, to name a few. And it’s easy to point to the skills and qualifications that we articulate in our job postings.
But credentials are only part of what makes a good information security pro. Too often, information security professionals are seen by our colleagues in other areas of IT management not as partners, but as "Dr. No" who puts the kibosh on new projects and business initiatives because of security concerns. This is no longer an acceptable stance in most companies. Today's security pro must be able to work with business units to safely achieve their goals.
With this in mind, here are the top 10 qualities I look for when hiring future security leaders:
1. Results focus (i.e., a demonstrable track record of getting things done)
I am looking for people who can demonstrate to me that they not only know and understand information security, but they have implemented successful programs or have led business-driven initiatives to successful completion. When I interview candidates, I routinely dig deep in this area to try to gauge whether the individual truly has a track record of success.
Frankly, I expect to hear from candidates that they are passionate about information security -- but that’s not necessarily what I want to know. What I really want to know is, what is their passion? It could be music, sports, or art. It doesn’t matter -- I just want to know that the individual has depth and is passionate about something. From my perspective, someone who has a passion for something -- anything -- is a person who I find interesting and will excel professionally.
3. Operational experience in multiple IT disciplines
Operational experience provides a critical foundation in IT management. Knowledge of and experience in operational processes -- in areas such as mainframe operations, networking/communications, logical access, and application development -- provide valuable and tangible experience that enriches the individual’s capacity to understand complex IT-related business problems.
4. Commitment to continuous personal development
Candidates often come to me and say how interested they are in information security -- but when I ask them what steps they have taken to learn about the profession, they tell me that they plan to sign up for training at some point. I like to see people who have shown commitment by actually completing training or are achieving a professional certification. Participation in security-focused user groups, volunteer work, or other related areas of academic study also demonstrates this commitment.
It's often difficult for me to give direct feedback to an individual who earnestly believes he or she is the best candidate -- but is clearly nowhere near ready for the job in question. Self-awareness is a leadership trait that requires individuals to take stock of their skills, understand how they are perceived by their peers and their managers, and develop a personal development plan. Seeking feedback, accepting constructive criticism, and demonstrating a willingness to act on this feedback are all fundamental to success in a security position.
6. Strategic thinking
Sun Tzu, in the oft-quoted "Art of War," had it right when he said, "Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." The ability for individuals to understand how their tactical efforts support and influence the success or failure of the strategy is important -- and it becomes increasingly more important as you move up the food chain. Here, I’m looking for the candidate to talk to me about how his or her strategic focus enabled the team to achieve a stretch goal, and how his or her tactics and direct leadership influenced a positive outcome.
7. Ability to lead change
Leading change is a fundamental leadership skill. As innovation marches forward, so, too, do the threats that we have to deal with. Dealing with the constantly evolving threat landscape requires innovation by information security professionals, who often must help to re-engineer business processes or deploy new technologies to mitigate the ever-evolving risks. I expect a candidate to be able to articulate his or her experience as a leader of change. I want to know how they did it -- and what the outcome was.
8. Ability to strategically influence others
This leadership trait seems to come naturally to my 11-year-old daughter, who seems able to get me to do whatever she wants. She knows what makes me tick. I look for individuals who are resourceful, who can leverage their personal network of peers, and who can mobilize and garner support for projects or initiatives in support of my overall strategy. I ask candidates to describe instances when they used their strategic influencing skills, what techniques they used, and what the outcomes were.
9. Communication skills
Effective security awareness communication, management reporting, and trend analytics are some of the key aspects of a strong information security communication program. It is difficult to find security professionals with the ability to speak articulately, to interpret complex trend analysis, and to draw conclusions from that data tailored to a specific audience (e.g., techie groups versus non-techie groups). Nonetheless, when done right, this kind of skilled communication yields amazing results. Candidates should be able to describe their communication techniques and demonstrate their abilities.
10. Strong personal ethics
At the end of the day, we are in the business of trust. I demand a high degree of personal ethics. I believe that as information security professionals, we must hold ourselves to a higher standard. As a CISSP, myself, I know that I am held to a code of ethics. A professional credential that stipulates such a code, while no guarantee, is a good start toward finding the right candidate.
That's my top 10 list. I've tried to rank these characteristics, but, frankly, they are all important. Their relevance is dictated by the position description and level of the job in question. In the end, these characteristics form the basis of a well-rounded professional/leader in any profession. But as security matures and takes a lead role in our respective organizations, we must set the bar high to ensure we are seen as leaders first -- and information security professionals second.
Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.