Wednesday, January 11, 2012

Security Careers: What Employers Look For in Security Professionals

A VP of Information Security Shares

A recent conversation with a VP of Information Security provided me with information I must pass along.  While talking to this VP of Information Security, she was kind enough to share her point of view that is put into motion when she is hiring to fill cyber security jobs in her organization.

Company Profile

Let me provide a little background information before getting to the specific list of attributes this decision maker looks for when filling security jobs.

This VP of Information Security is in a company that is broken down into 33 distinctly different business units in the financial services sector.  Security professionals who work in this organization do not survive unless they have highly developed interpersonal skills. 

Security Certifications vs. Business Skills

While there is ongoing debate regarding the value of security certifications, this VP specifically stated that while a CISSP is an interesting certification for a prospective new hire to bring to the table, she looks for highly developed Soft Skills.

She looks for candidates who have strong Business Sense and she always puts more emphasis on measuring a candidate’s Business Acumen than she places on an individual’s list of certifications.

Security’s Value Proposition

Why? Because every role on this VP’s team is customer-facing in a fast-paced financial services organization that has to be customer-focused.  Her department exists to provide value to 33 different business units.  The business people she and her team serve in each business unit don’t want to know only about bits and bytes when they hear from a security professional. They want to know how their customers’ data is going to be protected and they want to understand how they can operate their business without having to worry about roadblocks put in place by security professionals.

As a Vice President of Security for North America in a 125,000 person global high-tech company recently told me:

"You can’t protect what you don’t understand"

Security Professionals Who Have Chops

This VP of Information Security told me that she specifically looks for information security professionals who “have the chops to talk information security with clients”.  She looks for security professionals who understand how to follow the money.  What she means by that is that she looks for people who understand the various lines of business in her company to the extent that they can see the flow of money across the organization.  Her group’s job is to protect the money the company already brings in while also coming up with ways to assist line of business owners in making new money.

Where Do “Soft Skills” and “Business Acumen” Come From?

Through my work with David Lam, Vice President of ISSA-LA, I’ve found an information security leader who recognizes that there is a gap between the hard technical skills information security professionals concentrate hardest on developing and the combination of hard skills and soft skills that employers actually need in the business environment. 

David has worked with the president of his chapter, Stan Stahl, PhD, to build the vision of the information security community of the future. That vision includes human skills which will help security professionals become ever so much better at their jobs.

It is most often the soft skills that don’t receive enough attention as security professionals grow.  The leadership at ISSA-LA recognizes that development of soft skills and business acumen in information security professionals must receive more attention.  Do you?