Security Careers: 10 Reasons Why Security Professionals Get Hired

Top security executive outlines what he looks for in new hires. How do you measure up?

[
About the author: Greg Thompson is vice president of enterprise security services at Scotiabank. This article appears as a special to Dark Reading courtesy of the
(ISC)2 Advisory Board of the Americas Executive Writers Bureau
.
]
As an IT security executive, I am constantly asked, What do you look for when hiring?
Naturally, certification as an accredited security professional helps get job candidates to the table -- there are many respected credentials, such as those offered by (ISC), ISACA, and SANS, to name a few. And it’s easy to point to the skills and qualifications that we articulate in our job postings.
But credentials are only part of what makes a good information security pro. Too often, information security professionals are seen by our colleagues in other areas of IT management not as partners, but as Dr. No who puts the kibosh on new projects and business initiatives because of security concerns. This is no longer an acceptable stance in most companies. Todays security pro must be able to work with business units to safely achieve their goals.
With this in mind, here are the top 10 qualities I look for when hiring future security leaders:
1. Results focus (i.e., a demonstrable track record of getting things done)
I am looking for people who can demonstrate to me that they not only know and understand information security, but they have implemented successful programs or have led business-driven initiatives to successful completion. When I interview candidates, I routinely dig deep in this area to try to gauge whether the individual truly has a track record of success.
2. Passion
Frankly, I expect to hear from candidates that they are passionate about information security -- but that’s not necessarily what I want to know. What I really want to know is, what is their passion? It could be music, sports, or art. It doesn’t matter -- I just want to know that the individual has depth and is passionate about something. From my perspective, someone who has a passion for something -- anything -- is a person who I find interesting and will excel professionally.
3. Operational experience in multiple IT disciplines
Operational experience provides a critical foundation in IT management. Knowledge of and experience in operational processes -- in areas such as mainframe operations, networking/communications, logical access, and application development -- provide valuable and tangible experience that enriches the individual’s capacity to understand complex IT-related business problems.
4. Commitment to continuous personal development
Candidates often come to me and say how interested they are in information security -- but when I ask them what steps they have taken to learn about the profession, they tell me that they plan to sign up for training at some point. I like to see people who have shown commitment by actually completing training or are achieving a professional certification. Participation in security-focused user groups, volunteer work, or other related areas of academic study also demonstrates this commitment.
5. Self-awareness
Its often difficult for me to give direct feedback to an individual who earnestly believes he or she is the best candidate -- but is clearly nowhere near ready for the job in question. Self-awareness is a leadership trait that requires individuals to take stock of their skills, understand how they are perceived by their peers and their managers, and develop a personal development plan. Seeking feedback, accepting constructive criticism, and demonstrating a willingness to act on this feedback are all fundamental to success in a security position.
6. Strategic thinking
Sun Tzu, in the oft-quoted Art of War, had it right when he said, Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat. The ability for individuals to understand how their tactical efforts support and influence the success or failure of the strategy is important -- and it becomes increasingly more important as you move up the food chain. Here, I’m looking for the candidate to talk to me about how his or her strategic focus enabled the team to achieve a stretch goal, and how his or her tactics and direct leadership influenced a positive outcome.
7. Ability to lead change
Leading change is a fundamental leadership skill. As innovation marches forward, so, too, do the threats that we have to deal with. Dealing with the constantly evolving threat landscape requires innovation by information security professionals, who often must help to re-engineer business processes or deploy new technologies to mitigate the ever-evolving risks. I expect a candidate to be able to articulate his or her experience as a leader of change. I want to know how they did it -- and what the outcome was.
8. Ability to strategically influence others
This leadership trait seems to come naturally to my 11-year-old daughter, who seems able to get me to do whatever she wants. She knows what makes me tick. I look for individuals who are resourceful, who can leverage their personal network of peers, and who can mobilize and garner support for projects or initiatives in support of my overall strategy. I ask candidates to describe instances when they used their strategic influencing skills, what techniques they used, and what the outcomes were.
9. Communication skills
Effective security awareness communication, management reporting, and trend analytics are some of the key aspects of a strong information security communication program. It is difficult to find security professionals with the ability to speak articulately, to interpret complex trend analysis, and to draw conclusions from that data tailored to a specific audience (e.g., techie groups versus non-techie groups). Nonetheless, when done right, this kind of skilled communication yields amazing results. Candidates should be able to describe their communication techniques and demonstrate their abilities.
10. Strong personal ethics
At the end of the day, we are in the business of trust. I demand a high degree of personal ethics. I believe that as information security professionals, we must hold ourselves to a higher standard. As a CISSP, myself, I know that I am held to a code of ethics. A professional credential that stipulates such a code, while no guarantee, is a good start toward finding the right candidate.
Thats my top 10 list. Ive tried to rank these characteristics, but, frankly, they are all important. Their relevance is dictated by the position description and level of the job in question. In the end, these characteristics form the basis of a well-rounded professional/leader in any profession. But as security matures and takes a lead role in our respective organizations, we must set the bar high to ensure we are seen as leaders first -- and information security professionals second.
Have a comment on this story? Please click Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Security Careers: 10 Reasons Why Security Professionals Get Hired