Solutions Hiring: IT Compliance Skills in Growing Demand

For years companies have been requiring more business know-how in technical positions. But demand for compliance-specific knowledge is a relatively recent development. What sorts of training should IT professionals consider to stay relevant?

It's not news that businesses are demanding more and more business knowledge from technical professionals. That's a trend that's been evolving for years. But what about specific compliance knowledge? How can employers screen for the right compliance skills in prospective IT employees? What sorts of training should an IT professional consider adding to stay relevant?

We talked with Matthew Sullivan, branch manager for Robert Half Consulting Services, one of the largest IT staffing and consulting services firms in the world, about compliance knowledge and IT.

Are you seeing a growing need for IT professionals with some sort of compliance knowledge?

We definitely are seeing increased demand for IT professionals who have an understanding of corporate compliance, federal compliance, and specific industry compliance, depending on which industry they work in. That dovetails into IT security, data integrity and data protection.

Within Sarbanes-Oxley, for example, there's the financial portion of the audit work... coupled with an IT audit perspective. That IT audit can occur in two [ways]—a pure technical systems audit, or an IT systems audit as it pertains to the business practices.

Given that trend, what sorts of things should IT professionals in the areas you mentioned know about compliance issues?

They need to understand the requirements around SOX compliance regulations, the COSO framework [Committee of Sponsoring Organizations of the Treadway Commission, an organization with guidelines on financial reporting] and how IT works within that framework, as well as what each [individual] industry's requirements are.

We have clients that are being hit with dual compliance issues—the Gramm-Leach-Bliley Act, for instance, in addition to SOX because they're a public company. So they've got two different views of data protection from two very different standards. The core overlap there is data security, and security itself.

Is that the hottest compliance-related skill for IT right now? Security?

From our perspective in the marketplace… security is the main topic. It's [also about] how security pertains to IT from a SOX compliance perspective, and how security pertains to HIPAA, and to other acts like the Gramm-Leach-Bliley Act.

From an IT professional's point of view, then, is security as it relates to compliance the sort of skill that companies are going to be asking for?

If companies do IT staffing across multiple areas within the IT organization or the business units, not all those areas require some sort of compliance or security knowledge. But when [the skill] is specific to security or specific to compliance, yes. [Companies are] looking for those who have been involved in, or have some sort of training or certification, in security as it applies to the compliance pieces.

What sorts of job titles might require some sort of compliance skills?

[One example is] a Chief Security Officer. That's a newly developed role within many types of organizations—small, medium and large. Security for the past 10 years or so has been handled by a network administration team or network engineering team, because [companies were mainly interested in] infrastructure security. Or in the past, someone on the application side would handle Web security for secure transactions for some kind of e-commerce package.

Now we're seeing our clients coming to us [to help fill] a position carved out in the organization specifically for… security throughout the IT architecture—hardware and software, as well as business processes related to financial transactions or purchasing.

Are there other compliance-related titles that have sprung up in addition to that?

Not so much on the title side, but many of the Web services positions we deal with [require] some kind of security training, or security skill and experience—that's in encryption, as well as secure Web transactions. We're seeing [security needs] with application development, and e-commerce development teams. We're also seeing [a need for] traditional network engineer and network administrator policies and procedures development for secure data.

Those are some fairly technical positions. So this is a continuation of the trend in which someone technical also needs some business knowledge?

That's a trend we've been seeing for 10 years, from the technology boom through the dot-com era… "Technology for technology's sake" type spending is no longer taking place. Technology is continually being driven toward solving business issues. In order to follow that path, technology professionals need to have an understanding of… not all businesses, but certainly the business with which they're working.

If you work within financial services, for example, being the next gee-whiz-bang Exchange administrator is great, but how does that impact the overall business? How many confirmations are being made by email for trades? Are they being sent in a timely manner? Are they being sent with the right encryption setting so they can't be hacked midway through a transmission? How does that impact the overall business, and eventually the overall bottom line?

Given what you're saying about the importance of business and compliance knowledge, how does an IT professional acquire these skills? Are there courses? Certifications?

If you're a technology professional, it certainly doesn't hurt to enroll in a local university or community college and take some basic business courses. That way, you can learn what's important to business professionals, either in finance, marketing, sales or operations. It gives you a better understanding of the lexicon of business, which is drastically different from the jargon that's used in the IT department.

It's incumbent on the IT professional to learn the business side, [because] few operational folks are going to learn about IT.

From the management side, what should managers be looking for in terms of finding someone with good compliance knowledge in specific areas? What's reasonable to expect, and how do you assess it?

It always helps to find someone who has had that kind of experience with another organization. That way, they can do two things. One, they don't need to be trained on compliance from the ground up; and two, they've experienced compliance challenges and issues in another organization, so they bring an outside look, a breath of fresh air to your situation.

Are there some compliance certifications out there?

From an IT standpoint, there's CISA—Certified Information Systems Auditor. That's been around for a few years. It's traditionally been [obtained] by an IT finance person [who performs] IT audits. But it would be helpful for an IT manager to get that same certification, because it will help round off the business side for them.

Also, for the hardcore network infrastructure people who would be doing your infrastructure and security audits, there's the traditional CISSP [Certified Information Systems Security Professional] certification. That's a heavily security-focused certification.

Also, there's a new process that doesn't deal with IT security so much as it does best practices and efficiency for data center management and infrastructure management, called ITIL [the IT Infrastructure Library]. It doesn't have an audit function to it; it focuses on IT best practices… setting up the infrastructure properly to be easily audited, and so forth.

Are there enough people out there who have skills in these kinds of things?

No. There's not. And it's incumbent upon IT professionals to identify where they can incorporate those skills into their own skill set. It's also going to be incumbent upon companies to offer training, or provide funding for training for their current IT staff, to help them get to that point. Companies are going to have to invest in their current staff, in addition to adding new staff that may have these skills.

You can balance that against the discussions over the last few years about outsourcing… I think issues like security and compliance are the next evolution in types of positions that U.S. IT professionals can move into.

Courtesy of IT Compliance Institute.

About the Author

Linda Briggs is the founding editor of MCP Magazine and the former senior editorial director of 101communications. In between world travels, she's a freelance technology writer based in San Diego, Calif.