Your small business is growing—and so is the amount of sensitive data you're storing. Whether it's employee health plan data or customer credit card numbers, the time has come to hire a dedicated information technology (IT) professional. But without IT expertise of your own, how can you be confident you're getting the right person for the job? Here are some tips for finding the security superstar you need, from job posting to job offer and beyond.
Be sure of what you're looking for. Security specialist D.J. Vogel suggests, "Ask yourself: What goals does the organization want to achieve? What is the primary role, and what are its requirements?" For example, hiring a college student with less formal experience may be a sound financial choice, but if the role involves responding to incidents you may need an experienced specialist who has handled similar situations before.
Don't assume that a single person can do it all. It's not realistic to expect a new hire to have all the information and a firm grasp of all the tools necessary from their first day.
"Security has such a wide breadth of knowledge that no candidate can be an expert in everything."
D.J. Vogel, security and compliance specialist at the Chicago professional services firm Sikich LLP
Know the difference between talent and skill. Good IT security specialists can't just be technical—they need to understand the full spectrum. Businesses often hire individuals because they are skilled in a particular tool or technology, but they may not understand the core procedures and processes. "Find someone who understands how and why breaches happen, and best practices for preventing or responding to them," Vogel says. "Don't focus on whether they are certified in your brand of firewall—someone who knows the 'why' can learn your specific tech."
Look at experience in addition to certifications. According to Vogel, "Certifications can demonstrate a baseline level of knowledge, but they're not a replacement for experience." Don't post the job—or let human resources post it—with a laundry list of required skills and certifications.
Never skip the background/reference check. The person who fills this position will have access to your company's most sensitive data and processes—so be as sure as possible they can be trusted with it. On the other hand, make sure you're obtaining and using that information legally.
Know the right questions to ask. If you're not a technology expert, consider bringing in someone with relevant experience (even an outside expert) to help conduct the interviews. You want to get a sense of a candidate's troubleshooting skills and organizational agility, their ability to correctly gauge risk and prioritize tasks, and their customer focus. Make sure the candidate fits the organization's security approach (e.g., a compliance background versus a testing background). Finally, ask, "What do you like about IT? What frustrates you?" These open-ended questions elicit broad answers that can reveal red flags.
And speaking of red flags, if you see any of these issues with a potential candidate, they're your cue to look elsewhere:
- Relying on buzzwords, talking over the heads of the audience, or being unable to explain a technical idea in plain language. There's no point in hiring a security expert no one else at the company can understand.
- Strong opinions about particular technologies. Whether positive or negative, opinions centered on a specific product usually signal that the candidate thinks in terms of tools rather than the core knowledge the role requires.
- A poor attitude about users who don't understand security. It's important to remember that some security ends up being rather esoteric, and it's easy for security specialists to forget that other staff may have different primary concerns.
You may not be a technology whiz yourself. But following these tips can help you find one to keep your company—and your company's data—safe.