A Focus on Information Security in the Job Search
by John Berry, Senior Consultant, Cutter Consortium
Reading job postings for senior security executives, you will certainly be exposed to a monotonous, almost boilerplate recitation of the requisite skills, experiences, and education sought by the hiring company. Less often will the job spec require the applicant to document the information security value delivered to the organization for which he or she currently works. Why is this?
Some organizations are simply not wired into the value imperative. Their organizational perspective is dialed to inputs such as the amount of money spent on security and staff devoted to information security issues, not the impacts of those inputs realized. A lack of focus on value likely means those organizations do not take seriously the principles of investment assessment such as ROI, nor the governance surrounding this theme. Value creation is important to everybody the way the environment is important to everybody. But value creation is really important to companies that do the heavy lifting needed to actually create it.
An organization committed to the value story and the management principles behind it should be interested in very different information than what is commonly solicited in the hiring process. Education levels, technical credentials, size of budgets and staffs managed, and complexity of the information security challenge are all important dimensions of assessing qualifications. Yet, how have these metrics translated into information security value for the organization the applicant seeks to leave? Although this subject might find its way into the job interview, why shouldn't it be part of the job spec?
A talent hunt focused on information security value might ask for the following information:
- Percentage reduction in risk events. By what amount did risk events drop on your watch versus that of your predecessor? This is not a perfect metric, because the raw number of attempted attacks the organization was subject to might have increased drastically, and the total number of events with it. Nevertheless, the number of risk events taken in the context of all known attempts at information attacks focuses the discussion clearly on value.
- Senior management engagement. This can manifest itself in several ways: did the applicant's reporting structure change to report directly to senior management over the course of his tenure? Or was there a demonstrable increase in senior management involvement in information-security-related issues, such as occasional status reports where none existed before?
- Management innovation. What changes in governance or information security management did the applicant implement, and to what end? This could include everything from the scope and depth of security audits to the implementation of a measurement program to chart information security progress over time, or a technology review committee charged with keeping up with all the potential tech-related solutions to information security problems. There is no direct link with information security value creation here, yet measurable management improvements are valuable in themselves, as they serve as important catalysts to value creation.
An understanding of information security management quality in the context of job requirements for senior security executives serves three constituencies:
- Applicants should steer resumes and contact with the hirer in a value creation direction. Talk about outputs rather than inputs. If the hiring company doesn't seem focused on this, all the better, since you might have the opportunity, if you have the goods, to make them focus on it. It will only differentiate you more.
- Hiring organizations not focused on information security value should start. It is a small shift in perspective with a potentially big shift in management.
- Organizations committed to management from a value creation perspective should request as much of this kind of information as possible when hunting for information security personnel. It can only improve your information security posture.
I welcome your comments on this issue of the Cutter Edge and encourage you to send your insights on the market in general to me at jberry@cutter.com.
Sincerely,
John Berry, Senior Consultant
Business-IT Strategies Practice
E-mail: jberry@cutter.com