Rob Buckley – Freelance Journalist and Editor

Tracking down and retaining the right security people poses problems for companies

If there's one thing almost everyone seems to agree on, it's that, despite the recession, few are going to be cutting back on security expenditure.

7. It provides a process for ongoing risk management, allowing you to regularly review and analyse risk objectively.

8. It provides a process for security monitoring and improvement, allowing you to demonstrate the benefits of security and to justify investment in security.

9. It complements other management standards, such as ISO 9001, ISO 14001 and ISO 20001, allowing you to work with and understand other disciplines.

10. Every organisation that implements ISO 27001 has found that it has improved its management of information security - you can make a tangible, positive difference to the business.

CASE STUDY - BSKYB
It was in 2003, before the famous security breaches of recent years, that Mike Maddison was asked to establish a security function for satellite broadcaster BSkyB. It had decided that as a FTSE 20 company, IT security was a required element and it needed someone to provide security and governance.

Reporting directly to the CFO, Maddison found he had a "complete green field" site to work with. As a start, he took the "classic approach" of understanding the degree of risk first, before deciding how to put together his security team.

Once he knew what he needed, Maddison recruited both internally and externally. "Initially, I began by looking at people doing the work anyway as part of their day job. I found out who was interested in doing it, and who had the talent and the capabilities." In particular, he was looking for a broad range of skills, not just technological, but regulatory and legal.

Externally, he looked to people he had worked with, and people he had heard of through word of mouth. As well as subject area expertise and experience of change management, he had other criteria. "I look for people with quality degrees and with a proven track of development - people who had taken ownership of their development."

Maddison says the degree subject didn't matter so much as its quality. "I hired someone with a degree in law from Cambridge and someone with an engineering degree from Edinburgh." He believes degree quality shows whether someone is a "smart cookie" and whether they can learn.

He also looked for good communication skills and business-facing capabilities, not just excellence at implementing technology. "I needed people with business polish, people who could go into meetings, put across ideas and talk in terms the business understands."
