Recruitment of staff for security
David Saul, the top executive and CIO, faced a serious threat from
a virus that was attacking the company’s firewalls, and he had to pull a
dozen IT experts away from their regular tasks to combat it. The
problem came under control after 2 days and the damage was limited. This
was an eye-opener for Saul; to handle such a situation in future, he increased
the number of his full-time IT security staff.
This exposure is a growing, widespread threat. In a survey conducted by
the Computer Security Institute and the FBI in 2001, large corporations and
government agencies had detected security breaches and suffered considerable
financial losses as a result.
The damage evildoers can inflict has no limit; it is therefore the
need of the times to have full-time IT staff to handle information security.
Tim Mitchell, CIO of Sarnoff, a company in electronic, biomedical and
information technologies in Princeton, N.J., believes that people responsible
for IT security should work in teams under a leader and have specific
policies and procedures.
Recruiting trained IT security professionals can be difficult, and
providing in-house training to IT staff can be costly and time-consuming;
outsourcing is therefore another option.
A Guide for recruitment
It is a difficult task to hire experienced, skilled security people, and
there is a big gap between demand and supply.
The good news is that the economic downturn improved the situation after 2001
and it became easier to find skilled people. But companies need to
know how to get the best candidates. Here are some clues.
You need to figure out what the company’s need is. No security professional
would like to work in a company that is not clear about why he is being
recruited. Get a thorough study or assessment done by a consultancy or
specialized recruiters. The best option is to use the services of specialized
recruiters who have wide contacts and a good database.
For entry-level people, universities are a good option.
Once you get the guys, what next?
Once the right kind of people are found, you need to retain them. The best
way to retain them is through tools, awards and salary.
The latest technology tools really make professionals feel on top of the
security pyramid. Old tools really frustrate them. The most desirable tools
for security personnel are Nessus (a cutting-edge network scanner), Snort (a
leading intrusion-detection tool) and RAT (a system-tester for routers).
Make people feel wanted and loved. Conduct good training programmes and
also introduce certifications and conference attendance for the staff.
Sending security people to at least one good conference or training program
a year keeps them happy.
Security staff also love to get recognition. Allow them to present their
work at a conference.
Security staff also require the support of management; otherwise they can
lose motivation. Within reason, in case of conflict between security and
regular staff, the CIO needs to back the security people.
Skilled professionals should also be paid competitive salaries. The best way
of benchmarking salaries is by asking specialized recruiters and
through networking among peers who’ve recruited similar security staff.
Inside Moves
Existing regular IT staff have a good amount of technical skill and
knowledge of security concepts and issues. Internal transfers with adequate
training and motivation can help to get full-time IT security personnel.
People are likely to respond to security as part of their regular
IT duties. But how should one get started?
First, one should look for volunteers.
Interpersonal skills matter along with technical skills. One should
look for honesty, dedication and ethics, as the security
professional has to work out differences with internal staff
over security needs versus business requirements. An individual with the
right frame of judgement will be sensitive towards business needs and
will find a solution which will not affect the interest of the company
and will not annoy the fellow staffer.
Once the best candidates have been identified, thorough training
is required. Training is to be given in 101 issues such as network security
and security forensics; training can also be provided in speciality fields
such as firewall administration and intrusion detection. There are several
ways of training, which include the following.
The staff can be trained by your consultants. Training new security
people can take months, but in the meantime someone has to handle the security
needs of the company, so that responsibility can be handled by the consultancy.
Certification courses can be offered. This can be valuable as it brings
dedication and motivation along. It should not be expensive. Institutes
like the Computer Security Institute, the Information Systems Audit and
Control Association, the International Information Systems Security
Certification Consortium and SANS offer broad-based training that leads to
certification.
Vendors can also be appointed for providing training. Vendors such as
Check Point Software Technologies, Cisco Systems and Symantec give extensive
tools training, and some of them have their own certifications. Vendor
training can be expensive.
Arrange internships. Send security people to other companies for internships
with experienced professionals. There is another opportunity which some
companies offer, called secondment, where the companies provide free training
in exchange for your staff person’s efforts.
Keep track of the latest happenings. As security is a fast-changing
field, make sure that the staff are taking advantage of online threat-tracking
resources such as SANS’s Incidents.org and Bugtraq at Security-Focus.com.
The most important conferences, like the RSA Conference and the SANS Conference,
should also be attended by the staff, where they can also network with
peer groups. A weekly update by security staff on new threats is necessary.
A consciousness of security across the entire IT system is necessary; only then
can the above points be effective. Security has to be embedded deep within
everything one does in IT.