So you want to hire an InfoSecurity professional? [Part 1]

The following posting is an opinion piece.  It's based on personal experiences and anecdotal information.  deal with it.

So your organization is looking to hire one or more Information Security Professionals.  Maybe you are growing your InfoSec organization, adding to your IT organization, or realizing that, yes, you need to create an InfoSec group.  (all those big breaches in the news have you running scared)

Do you have a good idea of what you need in terms of skills, knowledge, and experience?  Do you have a good idea what kind of role you are trying to fill?  Do you have an idea of salary candidates with the skills you need are expecting?  You best figure this out soon. (hopefully you've consulted with professionals to help you out, and I don't mean recruiters.)  Here are some things to consider.

Now, a word of warning.  It may seem that I am stating the obvious at several points, and in a condescending manner.  But the sad thing is that in speaking with recruiters and HR people is that they don't seem to understand these points.  As an infosec professional, this p*sses me off, and so I feel I need to state the obvious for those who don't get it.

ISSA's Cybersecurity Career Lifecycle

At the recent ISSA International Conference in Orlando, they rolled out a new program, the Cybersecurity Career Lifecycle (CSCL).

The CSCL is meant to be an industry-wide initiative to bring a level of professionalism.  It defines and maps the five stages of the cybersecurity career lifecycle.  For each of these stages, the framework defines the knowledge, skills, aptitudes and responsibilities, thereby allowing cybersecurity professionals to identify the current stage of their career.

The first stages are:

• pre-professional (students, young adults), 
• entry level (1-2 years)
• mid-career (3-7 years)
• senior level (7+ years)
• executive level (12+ years)

More is coming, and this looks very interesting.

Article on it at Security Week.