Information security skills are increasingly in demand

It's good times for those in the information security profession, with demand for their services rising. The 2006 (ISC)²/IDC Global Information Security Workforce Study indicates that the number of professionals in the career world-wide will increase to about two million by 2010, representing a compound annual growth rate of 7.8 per cent from 2005. In the main this demand is due to businesses and organisations realising how much they need a specialist to look after and protect their IT infrastructure and data. In some sectors, such as insurance, it's a legal requirement.

Well publicised losses of data at major firms and government have emphasised the problems of protecting information from the whole gamut of problems that can affect an organisation.

That is why it's so important to choose wisely when hiring someone for the job. However, the job category is so specialised that those in the market for information security employees are often befuddled by the various certifications. To help them, the non-profit International Information Systems Security Certification Consortium, known as (ISC)², has published a 32-page hiring guide.

I like the way the guide does not assume a prior overall knowledge of the profession. It starts off very basic and runs through in a very readable manner how to go about hiring the right employee for the position. One interesting point (ISC)² makes relates to the expanded role of the information security worker in an organisation.

They must now work closely with human resources, legal, audit, IT and other areas of business to mitigate risk throughout the organisation. Such security-specific roles could be vested in forensics specialists, security architects, chief information security officers, information assurance managers, IT security managers, certification and accreditation specialists, risk managers and compliance officers.

"The early role of security engineer now has expanded to include numerous areas of specialisation, such as identity and access management, vulnerability management and application security," (ISC)² says. "These positions require extensive technical backgrounds, as well as business risk analysis so the security controls appropriate to the specific organisation can be developed." The chapter on 'Crafting a Job Description' points out that a common misconception that still exists in many HR departments is that information security is part of information technology.

"In fact, because of expanding business requirements, the information security profession has splintered into many different facets beyond IT and offers specialisation in process, auditing, policy, compliance and other topics," says (ISC)². "As with many fields, even a position with the identical job title in two departments of the same company can have different requirements."

The chapter then goes on to outline some of the requirements a job description may include. Certifications are one part of the equation. Employee competency and quality of work remain the top reasons that employers and hiring managers place emphasis on security certifications. Company policy and regulations are becoming critical reasons as well.

Such qualifications include the Certified Information Systems Security Professional (CISSP) from (ISC)². The CISSP was developed by information security workers in the early 1990s. It includes a six-hour exam on a regularly updated body of global information security topics. It also requires the candidate to have five years of experience in at least two of the certification's domains, obtain endorsement by an (ISC)²-certified worker, subscribe to the organisation's code of ethics, and complete annual continuing training.

Other qualifications include the Certified Information Security Auditor (CISA) and Certified Information Security Manager (CISM) from the Information Systems Audit and Control Association, and the Global Information Assurance Certification (GIAC) from the SANS Institute.

"Today, driven by legal and regulatory compliance and the desire to maximise global commerce, hiring first-rate information security staff is critical to mitigating risks that can destroy a company's reputation, violate privacy, result in the theft or destruction of intellectual property, and, in some cases, even endanger lives," (ISC)² warns.

The (ISC)² site is a useful resource not only for businesses but also for those in the field or students who are considering entering the profession. The (ISC)²'s career guide, career path handbook and the new hiring guide are available as free downloads at www.isc2.org/HRCenter.

You can also download a white paper on creating partnerships between human resources and information security, a case study on how UBS in Switzerland created joint responsibility between HR and line management in security professional placement, and the annual Global Information Security Workforce Study, which gives details on salaries, among other information.

"HR departments often fail to recognise that salary scales for information security professionals are higher than general IT practitioners, resulting in the extension of offers that are below market value and ultimately rejected," the organisation warns.

Send your comments on this or any other IT topic to elamin.ahmed@gmail.com.