Ask The Information Security Expert: Questions & Answers

Best practices for choosing an information security team new hire

searchSecurity.in

I'm a security manager who's looking to bulk up my security team. The executives at my company would like me to try to promote someone internally from our help desk. Many of the IT pros there have years of experience, but not in security. Are there certain qualities or experiences I should look for in a candidate?
There are two main things that you should look for when hiring an information security professional: Someone who can think like a security person and someone who can be flexible enough mentally to pick up new ideas quickly.

By thinking like a security person, I don't mean "thinking like a hacker." While hacking skills are useful in some contexts, there is much more to security then that. Thinking like a security person means putting one's self in the shoes of various users and thinking about what their needs are. How will they use the software? Also, how will they accidently or intentionally misuse the software? Then it's a matter of finding solutions that address identified issues.

It's also important for the candidate to be able to think like a business person, or a programmer, or any other type of end user. Most imp

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information:

By joining searchSecurity.in you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

ortantly, however, he or she must understand that, in reality, security is about finding an acceptable compromise between perfect security and usability.

In order to achieve this compromise, the potential team member should be able to absorb new ideas and technologies quickly so he or she can help users make intelligent risk decisions. So in reality, those two traits I mentioned a minute ago are one in the same.

This mental agility, in my book, is far more important than years of experience. If someone has the right mindset, then he or she can learn the specific technologies or regulations required for the job. Working with this sort of person is far easier then breaking someone out of a solid mold.

For more information: