Get 4 FREE months of Conformio to implement ISO 27001

What to look for when hiring a security professional

Besides proper procedures and technologies, counting on good professionals can make all the difference during implementation and operation of any process or project. The “Apollo 13” movie shows what skilled men can do when procedures and technology fail (remember the “mailbox” device). On the other hand, what are the chances that even the most well-designed racecar can win the championship in the hands of the average driver?

So, in the field of information security, what would make a good professional for your organization? Although this area has become a huge interconnection of knowledge and skills, there are some common attributes found in professionals who stand out from the crowd, which can provide a CEO or HR department head a good start in selecting the proper professional. Let’s talk a little about them.

Competence according to ISO 27001

As the leading framework for management of information security, ISO 27001 has clauses that provide a solid start regarding the use of competencies to achieve desired security outcomes. For example, ISO 27001 clause 7.2 a) requires the organization to define competences that are needed for managing its information security. However, while this clause can be a good requirement for a proposed management system in organizations of any kind/size (defining what is to be done), it does not help a lot in an implementation (how to specify these competencies) – at most, it will help you to define security roles.


What competencies should you look for?

You can define “competency” as a group of four aspects:

  • Knowledge: what you know about a specific issue.
  • Skills: what you can perform based on the knowledge you have or because of a natural aptitude.
  • Experience: what you learned during the time or number of executions of a specific activity.
  • Attitude: behavior that reflects a state of mind or disposition toward something or someone.

A common step in any information security selection is to look for technical knowledge, skills, and experience, and for those you can use certifications as the main reference criteria. The profiles established by certifications like ISO 27001 Lead Auditor, ISO 27001 Lead Implementer, CISSP, CISM, CISA, and CBCI, among others, can help you spot promising candidates, or at least define a set of technical knowledge and skills that a professional should have to fit your organization’s needs (for more information, see: How personal certificates can help your company’s ISMS). Specifically, for the role of Chief Information Security Officer (CISO), we have these two articles you may find interesting: What is the job of Chief Information Security Officer (CISO) in ISO 27001? and Chief Information Security Officer (CISO) – where does he belong in an org chart?

For an organization to increase its chances to find a proper candidate, or for a security professional to increase his/her visibility as one who can add value to a business, there are six characteristics I consider critical to a security professional’s performance:

Business focus and understanding: a security professional should be able to think and demonstrate how security solutions can add value to the business. To do that, he or she must understand the industry, the organization’s market environment, and relevant regulatory and legal requirements.

Systemic view: a security professional should be able to see the overall security needs of an organization, how they can converge or be in conflict, and how single-point changes can affect overall security.

Empathy: a security professional should be able to put himself or herself in the shoes of various users and think about what their needs are. How will they use a process or technology? How will they accidently or intentionally misuse it? By doing that, he or she can better identify risks and find solutions for those identified issues.

Constant learner: a security professional should always seek to learn new ideas and technologies to help users make well-based risk decisions. This is valid for self-improvement, too. He or she must consider his or her career development as a personal business.

Negotiation and communication skills: a security professional should be able to transmit the right idea about how security can add value to a person’s task/process, considering different publics. And as the ideal security is a utopia, he or she should also seek an acceptable compromise between security and usability.

Ethics statement: Why this? You may think this is a pre-requisite for any job position (in truth, for life), and you are right. The point is that saying you are an ethical person is easy, so you should be able to elaborate and present a solid ethical statement to clearly show your beliefs and how you stand by them.

Seek what goes beyond the obvious

Naturally, technical competencies are the logical place to start when selecting a security professional, or to become one that organizations seek to hire, but these tell only part of what makes a great information security professional. To find a professional who is welcomed in any part of the organization as a competent advisor and partner in finding high business value security solutions, the organizations should seek, and practitioners in the market should become, those who are able to understand and work with business units to safely achieve their goals, balancing interpersonal, organizational, and technical competencies.

To see how security skills are integrated as ISO 27001 requirements, try our free online course:  ISO 27001:2013 Foundations Course.

Advisera Rhand Leal
Author
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.