John Colley, (ISC)2: Managing Careers as Well as Risks : Obligations for Employers

February 2008 by John Colley, Managing Director, EMEA, (ISC)2

Career choices for people in information security are growing. At the same time, the profile of the people choosing this career is changing. Where information security professionals previously moved over from another profession, bringing business-world experience with them, today more young professionals are choosing information security as a first career, bringing a post-graduate degree and little experience. Those who do come over from other areas now come from a broader set of backgrounds, bringing with them a variety of career and personal development expectations. Given the heightened priority of the information security function overall, demand for professionals continues to outstrip supply, putting pressure on salaries and opening up opportunities for less experienced individuals. For the hiring manager, providing an effective professional development environment for the people they have employed is a growing challenge.

Research conducted by the International Information Systems Security Certification Consortium (ISC)2 suggests that companies are dedicating more of their information security budgets to personnel, education and training, and that they are increasing their investment in this area. For training and education specifically, nearly 40% of respondents to the most recent Global Information Security Workforce Study, conducted by industry analysts on behalf of (ISC)2, said they would be increasing their budgets, with an average increase of 31% for 2007. Protecting this investment in people will require a formalised approach to professional development that reflects both the expectations of the individual and the opportunities of the company.

To be effective, professional development strategies should reflect the changing environments in which people are working, and must acknowledge some clear challenges to forging a career in the field. As information security is a relatively new discipline, most companies have a flat information security organisation: there are the senior managers and the people in the field, with few levels in between, providing little room for traditional promotion, so a more creative approach is required. The skills in demand change rapidly, making the risk of becoming obsolete a constant concern. Skills are polarising, requiring many to specialise. And, despite its heightened priority, information security is still perceived by the majority of stakeholders to deliver little value to the organisation, which undermines self-esteem.

Opportunity in Experience

At the same time, information security is entering the mainstream, with well-established governance and compliance requirements, increasing public awareness and more and more business processes going online. Concrete development opportunities therefore come from the experiences managers can offer the people on their team. Training can be designed to ensure that competencies are tied to the experience gained in a given professional's development plan. People are motivated by the flexibility they gain in their working environment, often choosing an acceptable work/life balance and interest in their work over aggressive promotion. Loyalty to an organisation is more likely to be sown by the ability to progress a desired skill set, new influence in more parts of the business, and flexibility, than by an increase in salary alone.

Workforce Plan

To address the issue, information security and department managers should develop a workforce plan that maps requirements while acknowledging the interests of the individuals involved. The plan should reflect the skill profile needed (managerial, technical and business), cover the experience and qualifications desired, then review how the existing team compares, setting out actions for achieving the desired state. This plan must then be communicated to the people involved to shape their personal development plans, allowing them both to feel comfortable expressing their interests and to understand where they are going. Individual plans can identify areas for taking on additional responsibility and allocate subject-area champions. The plan should also lay out an acquisition strategy, defining whether skills are to be 'bought in' through recruitment or home-grown.

Promote Security

Outside the information security department itself, managers must look to promote security across the organisation. They must proactively make security a part of the business, by developing an overall security business strategy and running the department as if it were a business. By prioritising and describing risk in business terms, and communicating value to the business units, they will obtain not just the budgets required but also buy-in, co-operation and even enthusiasm from across the organisation.

Just as individuals understand that they must take control of their own careers, companies also have an obligation to support and develop the people they rely on to provide the most effective information security programme for the company. While most companies struggle to recruit the experienced staff they need, every organisation faces different requirements and will meet this challenge in its own way. However, with a formalised plan that focuses on opportunities across the business, and by developing an appreciation for the information security function, the foundations are in place to manage careers as well as risks effectively.


John Colley, CISSP, is the Managing Director for EMEA and Co-Chair of the European Advisory Board for (ISC)2, a non-profit professional consortium which represents over 54,000 members worldwide, approximately 8,400 of whom reside in the EMEA region. www.isc2.org.

