
(ISC)²® Case Study: Securing the Right Information Security Team

How UBS Investment Bank in Switzerland Creates Joint Responsibility between HR and Line Management in Security Professional Placement

The ever-increasing reliance on the Internet for global commerce and information exchange has
created a fundamental business need for qualified information security personnel who create,
implement and monitor effective security policies and processes as well as choose, install and
monitor software and hardware functions.

There’s a lot on the line for any organization. If internal and external threats are not mitigated
and breaches occur, they can destroy a company’s reputation, violate a consumer’s privacy,
result in the theft or destruction of intellectual property, lead to lawsuits and, in some cases,
endanger lives. Highly trained security professionals can minimize these business risks and
maximize return on investments and business opportunities.

With the increasing convergence of physical and information security, and things such as identity
and access control frequently part of the systems network, it becomes ever more challenging to
find and hire qualified professionals who are knowledgeable about not only information systems
security but also about issues such as business continuity planning and disaster recovery. As
these two worlds of security increasingly coincide, professionals need to be able to take a holistic
view toward security.

Regardless of which area of security they’re focused on, finding the right information security
professional for a specific position can be a daunting task, especially in a highly competitive job
market and with the increasing range of specialized security skills organizations require.

Alessandro Moretti, a Certified Information Systems Security Professional (CISSP), serves as
executive director for IT Security Risk Management at UBS Investment Bank in Switzerland,
where he leads a global risk analysis, risk management and IT forensics team of 25 people
working from several international UBS offices. Moretti is tasked with overseeing the
individuals entrusted with protecting the information assets of UBS Investment Bank, one of the
world’s largest and most respected financial institutions.

Moretti needs the most qualified, ethical professionals available to secure critical UBS
infrastructure and customer information. To find these individuals, he works closely with
his HR department to get the right combinations of skills and personality to fill an information
security position.

“Empowering HR with the information they need to understand the objectives and nuances of a
particular position increases the likelihood that they will be able to pull together a candidate pool
that is appropriately qualified and a strong fit culturally, before we even begin the first round of
interviews,” said Moretti.

At the UBS Switzerland office, the security line managers and all company stakeholders,
including HR, technical and business representatives, get together in regular information sessions
to explain the current issues security is facing. Ben Harrison, an HR recruiting manager for
UBS, says the sessions enable UBS recruiters to better target the employee market and talk to
recruitment agencies, explaining to them exactly what the security department is looking for.

“It’s so important for those of us in HR to have an open, continuous dialogue with the line
managers,” Harrison said. “With the amount of variance between technical qualifications and
roles, we have found that a cookie cutter approach does not work for an area as dynamic as
information security.”

“If we really understand the function of a particular department and what’s special about the kind
of people they’re seeking, we can take a proactive approach to sourcing candidates,” Harrison
said.

Moretti says the information security field has become more sophisticated in recent years in
response to growing threat complexity and organizational needs. As the need for information
security has expanded, so have the responsibilities and titles in the information security
profession. For Moretti, the variety of roles in his department includes developers,
administrators, risk analysts, architects and team managers. Each role requires different skill sets
and qualities.

“My objective has been to help HR develop not just an understanding of the basic skills and
qualities I desire in my team but also provide them with an appreciation of the diverse
employment opportunities in the department,” Moretti said.

Harrison works closely with Moretti on understanding the skills needed to fill positions in his
department. Harrison said there are certain qualifications that are highly beneficial for HR to
know, such as industry certifications like (ISC)²’s CISSP, considered the global “gold standard”
credential for information security managers.

In the initial phase of the hiring process, HR may offer advice to streamline or “pep-up” the
language in the job requirements and advertising.

“But I’ve found that the longer we’ve been providing a recruiting service to the customer group,
the less I have to do in this regard,” Harrison said. “The line manager knows best what qualities
are most desirable in a candidate, such as degrees, certification and technical experience
requirements.” Certifications remove uncertainty about a candidate’s qualifications. Many
certifying bodies require holders to meet stringent experience requirements, be endorsed by a
fellow professional and keep up with ongoing continuing education to stay certified, assuring
employers that their certified staff are qualified and keeping up to date with the latest threats and
technologies to combat them.

While job specifications are generally defined by the line managers, Harrison says HR can help
focus on issues such as the work environment, team dynamics and the personal characteristics
that would be a “good fit” for the information security team and the corporate culture of UBS.

“For example, the Swiss UBS information security team works with several international offices,
so candidates should either have previous experience working in an international environment or
demonstrate that they possess the qualities that would lend themselves well to quickly learning
the rigours of working in such a diverse environment,” Harrison said. Credentials such as
(ISC)²’s that are certified under standards such as ISO/IEC/ANSI Standard 17024 have global
applicability, ensuring that certification holders are held to a common measure.

“We must also consider our UBS corporate culture, where there is an expectation that employees
will proactively develop their careers,” Harrison continued. “We always conduct an assessment
process that covers the applicant’s job aspirations and see how those aspirations would fit with
the future needs of the department and company.”

Harrison says that HR has greater insight into broader market trends than line managers do, such as
up-to-date salary requirements for certain skills.

“If a line manager is aware of salary increases for certain skill sets, he can consider what action
to take for current employees with those skills, as well as plan on how he will allocate future
resources,” Harrison says. The 2006 (ISC)² Global Information Security Workforce Study
showed the average salary for information security professionals around the world to be
US$81,072. “He may need to get a head start to find additional funding for this skill set.”

Since it’s critical for information security to retain highly ethical employees, HR provides a key
value to information security departments by initially vetting candidates. Since certified
professionals must abide by a code of ethics, HR considers this a significant qualification when
taking the first look at a candidate. “If you’re in the security area, you have to be clean. We need
to know if we’re opening the organization up to additional risk,” Harrison said.

As the CompTIA 5th Annual Security Study has shown, 42 percent of breaches stem from
human behavior, so the HR-information security partnership can be an extremely effective tool in
protecting the organization.

The UBS HR, information security and IT departments also work on career development for the
new hire using the Career Development Framework, an information repository UBS
implemented for collaborative career planning between individuals and team managers. It
identifies the types of roles someone might have and a career path within the organization. For
example, the Career Development Framework might specify the types of technical qualifications
someone is expected to have on their career roadmap at UBS.

HR and information security didn’t work closely on recruitment until the last couple of years at
UBS. Before that time, Moretti would make his own inquiries into the professional information
security community but felt he needed the support of an HR team.

“HR provides the expertise to go out there and attract the right candidate,” Moretti said.
“They’ve got a lot of links into the recruitment portals, know where to advertise, and are adept at
vetting the resumes when they come in. They also participate in the interviews so we can hear
their opinion on whether a candidate is a good fit for the post. Credible certifications help both
HR and the hiring manager speak the same language when screening and interviewing
candidates.”

UBS company policy dictates that hiring for all permanent positions must be a joint decision
between HR and line management, while contract positions can be recruited without approval
from HR. The frequent turnover of contractors compared to permanent employees results in a
larger volume of contractor recruitment. Moretti relies upon his colleagues in HR for input in all
of his hires, not just the permanent positions that require the mandatory stamp of HR approval.

Both men agreed that the key to obtaining high-quality candidates for effective security has been
the emphasis on a shared responsibility between information security and HR in hiring a new
employee. Hiring and seeking candidates who hold credentials makes it easier to scrutinize the
other individual factors involved in the hiring decision.

“My relationship with HR has helped the information security hiring process become more
efficient and on target, taking into account the breadth of traits that go into defining the right hire
for my team,” Moretti said.
