Security specialists in demand
Increasing network threats drive the need for professional experience and certifications
As information security threats intensify and become more pervasive governmentwide, agencies are seeking to hire information technology security professionals with advanced skills while strengthening the abilities of existing employees.
With new threats arising on an almost daily basis, IT security professionals are trying to be active instead of reactive to protect federal networks and infrastructure, said Mark Brown, deputy chief information security officer at the Health and Human Services Department.
“Where we used to be generalists, we now recognize there are key areas — whether it be communications, endpoint protection or dealing with particular threats — in which we now need individuals who have drilled down and understand these areas in detail,” he said.
More colleges and other educational institutions now train students in the skills that IT security professionals should have, Brown said. IT experts are also tapping into professional certification programs that teach basic or advanced skills.
“We’re now getting more people on Day One with the skills that they need, and then they are building those skill sets in a way that is more relevant to the [agency] environment that they settle into,” he said.
In addition, as agencies learn to think about security as more than complying with policies and regulations, they are looking for managers who understand organizations’ missions and can define their risks, said Patrick Howard, CISO at the Nuclear Regulatory Commission.
“There’s also a growing need for people to see the bigger picture — not just going through and doing specifically what the [National Institute of Standards and Technology] guidance calls for, but having the analytical skills and broad perspective to identify risk, quantify it and remediate it,” he said.
When the Federal Information Security Management Act (FISMA) began requiring agencies to achieve some IT security capabilities several years ago, agencies had to focus on compliance to gain an understanding of what was needed, he said.
“With FISMA, we may have overextended in defining things as compliance-based instead of continuing to look at it in terms of risk,” Howard said. “Now that we have mastered that, we can get back to the basics of looking at risk.”
Beyond book learning
IT security professionals learn some of those skills through professional certifications, such as the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM), two of the most popular.
The credentials are a good starting point, Howard said. They teach the basics, such as determining the threats in a given situation and the organization’s vulnerabilities and then calculating them in business terms and making recommendations about what controls to implement and how to remediate risk. But IT security managers have to look at the operational and management aspects of risk as well, he added.
“You don’t get that from reading a book,” Howard said. “You need to be able to maneuver and pass the examination. You can only usually do that once you have some level of experience behind you.”
The IT security profession is a dynamic field, said Lynn McNulty, director of government affairs at (ISC)2, an IT security education and training organization. McNulty also leads the organization’s Government Advisory Board, which ensures that the government’s needs are included in certification programs.
“Technically, technology is always changing, but security people are being accepted into the upper levels of agency and organizational management so they need to prepare themselves so they can function as a senior C-suite manager,” he said.
The CISSP training and examination review sessions that (ISC)2 provides consist of comprehensive reviews of the 10 technical domains of information security. They provide a good background for someone entering the field or who needs a refresher course, McNulty said.
(ISC)2 also offers review classes for those who are already certified. Some classes deal with specific, contemporary issues, such as privacy matters or maintaining security in a Web 2.0 world.
The organization offers a self-assessment guide so IT security professionals can identify the areas in which they are strong and the ones in which they might need more work. To earn CISSP certification, professionals must have five years of hands-on IT security experience or four years of experience and a higher educational degree, he said.
Security as an HR issue
When agencies hire IT security professionals, they want them to be certified, Howard said, adding that he typically hires people who already have substantial experience and are ready to take on a lot of responsibility.
“Those are the kind of people that you want to already have the credential to provide that assurance that you have a quality, experienced person that you can turn loose and let them operate independently,” he said.
Providing opportunities for training and certification contributes to retaining employees, Howard added. Agencies must be willing to provide that to attract the candidates who have the necessary skills and credentials. Part of agencies’ training budgets should be dedicated to helping employees maintain their skills and keep their credentials, he said.
“There’s a kind of professional career ladder, and credentials build on each other or help fill voids that someone may have,” Howard said. After career professionals join an agency, new credentials can help them support the organization’s mission and improve their personal performance. Those opportunities are part of building an effective individual development plan, he said.
To assist organizations in selecting skilled IT security professionals, (ISC)2 published the “Hiring Guide to the Information Security Profession” earlier this year. The guide is geared toward human resource offices and hiring managers, McNulty said, and a lot of the information is applicable to government agencies.
Although information security is a fairly new career field, it has grown rapidly, he added. Two studies by (ISC)2 have shown that by 2010, 2 million people will be working in that career field in the public and private sectors. Cybersecurity has become a national-level problem for both sectors, so new jobs are being created in that field, he said.
“In many cases, people who work in HR in public and private organizations don’t understand what the [information security] profession is about,” McNulty said.
Although CISOs and chief information officers work with human resource offices during the hiring process, McNulty said he has found that some human resource managers do not fully understand the position descriptions or the skills of the people CISOs want to hire.
(ISC)2’s hiring guide provides industry and government best practices for recruiting candidates and working with CISOs and CIOs “to bring qualified people on board in the shortest amount of time and retain them once you have them on board,” McNulty said.
Brown said the guide could make it easier for agencies to write position descriptions to prepare for recruiting and selecting IT security professionals. Brown said he has been involved in developing position descriptions, interviewing new hires, and matching people to position descriptions or requirements.
Support from senior agency leaders is crucial to making human resource managers understand the importance of hiring skilled IT security professionals, Brown said. Senior leaders are beginning to recognize the extent of cybersecurity threats and the need for IT security capabilities.
“As that is being discussed in those senior-level meetings in which HR senior management takes a part and is listening, they’re becoming more aware of the need for them to have some clearer knowledge of what is required when they hire an individual,” he said.
As a result, human resource managers are reaching out to CISOs and CIOs, and the relationship is getting stronger, he said.
“It plays out more as we start creating the position descriptions or do a hire that the back and forth is much more regular, or the discussion or the collaboration is more tightly woven because they want to make sure that they understand what the need is,” Brown said.