Finding qualified personnel to secure corporate networks can be difficult, especially for HR professionals who may not understand how the industry works and what qualities they should be looking for in a candidate.
After all, IT security is a complex field, and cyber-threats are constantly evolving.
The International Information Systems Security Certification Consortium, or ISC(2), an industry organization, has responded to this growing problem.
The non-profit Consortium is set to publish a guide for HR professionals and recruiters to help them navigate through the alphabet soup of certifications out there, what they mean and how they may (or may not) fit into a particular job description.
The guide will be available in the next week or two.
Palm Harbor, Fla.-based ISC(2) has certified more than 54,000 information security professionals in 135 countries. Founded in 1989, the organization issues the Certified Information Systems Security Professional (CISSP) and related certifications.
“Our experience in talking to our members is that HR professionals don’t have time to do that research,” said Sarah Bohne, director of communications and member services with ISC(2). “What we’re trying to prevent is someone who might be qualified being cast aside because there’s not enough understanding of the qualifications and credentials necessary to fulfill the position.”
Everyone who earns an ISC(2) certification, like the holders of many other certifications on the market, must subscribe to a code of ethics, and anyone found in violation is stripped of the certification for life.
But Bohne says a lot of HR professionals don’t know that.
“We’re trying to bring that to the forefront of people’s minds and open a dialogue about how these departments can work together in an increasingly complex threat environment where audits are becoming commonplace, where regulations and compliance are governing business practices.”
She said that since HR and IT are at the core of those operations, it makes sense for them to be more in sync and to draw on each other’s expertise to reduce risk across the organization.
ISC(2) is hoping the guide will help HR professionals develop more accurate job placement ads, stronger recruiting efforts, and better employee retention.
In the past few years human resources has begun to play a much stronger role in the recruitment process, said Joyce Brocaglia, CEO of Alta Associates, an executive search firm that specializes in information security, IT risk management and privacy.
“They’re taking ownership for the actual recruitment process, specifically information security.”
The information security profession as a whole is evolving rapidly, so the roles and responsibilities of information security officers today are vastly different than they were five years ago.
In the searches Alta Associates conducts, clients are replacing technical security personnel with candidates who have a much more holistic view of risk and executive management skills in communication, negotiation and collaboration.
Brocaglia says – from an HR perspective – there are a number of ways to identify who has these kinds of new skill sets.
“Certainly certifications are an indication for human resources folks, at a bare minimum, of a person’s dedication to the field and commitment to the community and to a common body of knowledge that they will have a certain level of expertise in.”
Because of the evolution of IT and security, HR professionals should work with hiring managers and consider bringing in an outside subject matter expert, since there are so many nuances to security roles – from programmers to forensics and e-discovery to application security.
“Companies are beginning to recognize these certifications as a part of their qualifying process,” said Brocaglia.
Most companies, however, won’t turn someone away for lacking a certification, but certification is beginning to be used as a benchmark for a standard level of skill and commitment.
HR professionals should understand that these positions – from a supply and demand standpoint, and especially from a compensation standpoint – are quite different from the generalist IT positions they might otherwise be filling, she said.
This is especially the case in hot areas such as application security or identity and access management. “These people are harder to find and they’re in small supply and high demand.”
However, according to one Canadian analyst, it’s difficult to make a blanket statement that holding a certification makes you more likely to get a job or move up within a company.
“Certainly there are companies where that is true, but I could then point to companies where that’s not true,” said Dave Senf, director of Canadian security and software research with IDC Canada in Toronto.
“And in Canada, if you look at something like ITIL or COBIT, areas where you can get certification, not many organizations are focused as an IT organization on those rigid processes and best practices that will help them do their job better.”
Senf believes it’s also an awareness issue: How many people know about specific certifications, and how many care?
“If you’re in a larger institution, certainly in financial services in Canada, it’s a must,” he said. “If you don’t have these certifications and you want to work in that field, you’re going to have a really tough time.”
But, according to the IDC analyst, the same cannot be said for mid-market or small firms.
“Security alone is just a lower priority overall for most organizations, so what’s the level of priority for certification relative to that? Well, it’s even lower.”
He noted that smaller firms may also lack the budget to pay a certified candidate what that person believes the credential makes them worth.