This is an excellent question, and one that I think is not so black and white. When adding to the security team, I tend to look at the person holistically, assessing experience, certifications, and perhaps most importantly, future potential. The fit to the organization is also a key ingredient for a hire in education, as the environment and challenges are unlike the corporate world.
As for certifications, it once again differs with the role that needs to be filled. Surely the CISSP is the gold standard, and can be of value for all roles. However, more technical certifications, such as GIAC, may be more appropriate for the bits and bytes roles of the security team, working on the architecture and monitoring of the network. Individual solution or technology certifications are considered when a need arises in a concise area, but that rarely occurs now. I also have roles in policy and awareness to which certifications don’t apply. For these roles, creativity, web design, and highly tuned communications skills are paramount. Experience is always necessary, but it does not have to be in security.
As I stated, future potential comes into play when assessing a candidate that may not have had direct security expertise. I also look beyond the certificates as well, for excellent communication skills, as well as some soft skills like marketing and sales. Much of what we do is convincing the university community to do the right thing, and to think securely. That’s a function of every member of my group, and is key to being hired and to continued success.
I also look at education, and I’m keen on hiring MBAs into my security group. The successful completion of an MBA indicates to me the candidate has a deep knowledge of the business aspects that security supports, as well as exposure to group work, meeting deadlines, prioritization, the economics of decisions, and the need for risk-based decision making.