(ISC)²® Case Study: Securing the Right Information Security Team

How UBS Investment Bank in Switzerland Creates Joint Responsibility between HR and Line Management in Security Professional Placement

The ever-increasing reliance on the Internet for global commerce and information exchange has created a fundamental business need for qualified information security personnel who create, implement and monitor effective security policies and processes as well as choose, install and monitor software and hardware functions. There’s a lot on the line for any organization. If internal and external threats are not mitigated and breaches occur, they can destroy a company’s reputation, violate a consumer’s privacy, result in the theft or destruction of intellectual property, lead to lawsuits and, in some cases, endanger lives. Highly trained security professionals can minimize these business risks and maximize return on investments and business opportunities.

With the increasing convergence of physical and information security, and things such as identity and access control frequently part of the systems network, it becomes ever more challenging to find and hire qualified professionals who are knowledgeable about not only information systems security but also about issues such as business continuity planning and disaster recovery. As these two worlds of security increasingly coincide, professionals need to be able to take a holistic view toward security. Regardless of which area of security they’re focused on, finding the right information security professional for a specific position can be a daunting task, especially in a highly competitive job market and with the increasing range of specialized security skills organizations require.
Alessandro Moretti, a Certified Information Systems Security Professional (CISSP), serves as executive director for IT Security Risk Management at UBS Investment Bank in Switzerland, where he leads a global risk analysis, risk management and IT forensics team of 25 people working from several international UBS offices. Moretti is tasked with overseeing the individuals entrusted with protecting the information assets of UBS Investment Bank, one of the world’s largest and most respected financial institutions. Moretti needs the most qualified, ethical professionals available to secure critical UBS infrastructure and customer information. To find these individuals, he works closely with his HR department to get the right combinations of skills and personality to fill an information security position.

“Empowering HR with the information they need to understand the objectives and nuances of a particular position increases the likelihood that they will be able to pull together a candidate pool that is appropriately qualified and a strong fit culturally, before we even begin the first round of interviews,” said Moretti.

At the UBS Switzerland office, the security line managers and all company stakeholders, including HR, technical and business representatives, get together in regular information sessions to explain the current issues security is facing. Ben Harrison, an HR recruiting manager for UBS, says the sessions enable UBS recruiters to better target the employee market and talk to recruitment agencies, explaining to them exactly what the security department is looking for.

“It’s so important for those of us in HR to have an open, continuous dialogue with the line managers,” Harrison said. “With the amount of variance between technical qualifications and roles, we have found that a cookie cutter approach does not work for an area as dynamic as information security.”

“If we really understand the function of a particular department and what’s special about the kind of people they’re seeking, we can take a proactive approach to sourcing candidates,” Harrison said.

Moretti says the information security field has become more sophisticated in recent years in response to growing threat complexity and organizational needs. As the need for information security has expanded, so have the responsibilities and titles in the information security profession. For Moretti, the variety of roles in his department includes developers, administrators, risk analysts, architects and team managers. Each role requires different skill sets and qualities.
“My objective has been to help HR develop not just an understanding of the basic skills and qualities I desire in my team but also provide them with an appreciation of the diverse employment opportunities in the department,” Moretti said.

Harrison works closely with Moretti on understanding the skills needed to fill positions in his department. Harrison said there are certain qualifications that are highly beneficial for HR to know, such as industry certifications like (ISC)²’s CISSP, considered the global “gold standard” credential for information security managers. In the initial phase of the hiring process, HR may offer advice to streamline or “pep-up” the language in the job requirements and advertising.
“But I’ve found that the longer we’ve been providing a recruiting service to the customer group, the less I have to do in this regard,” Harrison said. “The line manager knows best what qualities are most desirable in a candidate, such as degrees, certification and technical experience requirements.” Certifications remove uncertainty about a candidate’s qualifications. Many certifying bodies require holders to meet stringent experience requirements, be endorsed by a fellow professional and keep up with ongoing continuing education to stay certified, assuring employers that their certified staff are qualified and keeping up to date with the latest threats and technologies to combat them. While job specifications are generally defined by the line managers, Harrison says HR can help focus on issues such as the work environment, team dynamics and the personal characteristics that would be a “good fit” for the information security team and the corporate culture of UBS. “For example, the Swiss UBS information security team works with several international offices, so candidates should either have previous experience working in an international environment or demonstrate that they possess the qualities that would lend themselves well to quickly learning the rigours of working in such a diverse environment,” Harrison said. Credentials such as (ISC)²’s that are certified under standards such as ISO/IEC/ANSI Standard 17024 have global applicability, ensuring that certification holders are held to a common measure. “We must also consider our UBS corporate culture, where there is an expectation that employees will proactively develop their careers,” Harrison continued. 
“We always conduct an assessment process that covers the applicant’s job aspirations and see how those aspirations would fit with the future needs of the department and company.”

Harrison says that HR has insight into larger market tendencies than line managers, such as up-to-date salary requirements for certain skills. “If a line manager is aware of salary increases for certain skill sets, he can consider what action to take for current employees with those skills, as well as plan on how he will allocate future resources,” Harrison says. The 2006 (ISC)² Global Information Security Workforce Study showed the average salary for information security professionals around the world to be US$81,072. “He may need to get a head start to find additional funding for this skill set.”

Since it’s critical for information security to retain highly ethical employees, HR provides a key value to information security departments by initially vetting candidates. Since certified professionals must abide by a code of ethics, HR considers this a significant qualification when taking the first look at a candidate. “If you’re in the security area, you have to be clean. We need to know if we’re opening the organization up to additional risk,” Harrison said.
As the CompTIA 5th Annual Security Study has shown that 42 percent of breaches stem from human behavior, the HR-information security partnership can be an extremely effective tool in protecting the organization.

The UBS HR, information security and IT departments also work on career development for the new hire using the Career Development Framework, an information repository UBS implemented for collaborative career planning between individuals and team managers. It identifies the types of roles someone might have and a career path within the organization. For example, the Career Development Framework might specify the types of technical qualifications someone is expected to have on their career roadmap at UBS.

HR and information security didn’t work closely on recruitment until the last couple of years at UBS. Before that time, Moretti would make his own inquiries into the professional information security community but felt he needed the support of an HR team. “HR provides the expertise to go out there and attract the right candidate,” Moretti said. “They’ve got a lot of links into the recruitment portals, know where to advertise, and are adept at vetting the resumes when they come in. They also participate in the interviews so we can hear their opinion on whether a candidate is a good fit for the post. Credible certifications help both HR and the hiring manager speak the same language when screening and interviewing candidates.”

UBS company policy dictates that hiring for all permanent positions must be a joint decision between HR and line management, while contract positions can be recruited without approval from HR. The frequent turnover of contractors compared to permanent employees results in a larger volume of contractor recruitment. Moretti relies upon his colleagues in HR for input in all of his hires, not just the permanent positions that require the mandatory stamp of HR approval.
Both men agreed that the key to obtaining high-quality candidates for effective security has been the emphasis on a shared responsibility between information security and HR in hiring a new employee. Hiring and seeking candidates who hold credentials makes it easier to scrutinize the other individual factors involved in the hiring decision. “My relationship with HR has helped the information security hiring process become more efficient and on target, taking into account the breadth of traits that go into defining the right hire for my team,” Moretti said.