"It's not a requirement, but it helps," Braun says. "Oftentimes, you'll find an individual who is coming from the military or a federal government agency who has received a variety of cyber security training that is not yet attainable in the commercial realm."
"Military experience is good to see," Frymier says. "In fact, the security director that we hired last year is ex-military intelligence. The ability to use these [security information and event management] systems and track down persistent threats are skills more closely aligned with the intelligence community than with the IT community."
Verizon's security breach investigation team includes members with military intelligence and law enforcement experience. "The law enforcement are great at interviews... If it's an inside job, they can usually spot the guilty party," Sartin says. "The military people are more process oriented."
3. Learn SAML.
The issue of information security, identity and access management in the cloud is a major concern for CIOs, who are deploying software-as-a-service applications such as Salesforce and Concur to complement their enterprise applications. They are looking for employees who understand how to extend their directory services to control access to cloud applications.
"We want individuals who understand the technology, who understand the policy and who understand the intelligence side of things," Braun says. "If someone has experience deploying security solutions in a new business model, such as the cloud model, that's very valuable."
One specific skill related to cloud security that's in demand: SAML. The Security Assertion Markup Language is an emerging standard that allows enterprises to extend their directory, authentication and identity management systems into cloud-based applications.
"You can learn SAML very quickly, and it's incredibly applicable because almost all the [Software-as-a-Service] companies support a SAML interface," Frymier says. "We've implemented a SAML product in the last year and a half or so. It allows us to create an interface to an LDAP store like Microsoft Active Directory and in a secure manner expose account information from Active Directory to SaaS applications. We can do account management inside our Active Directory and have that immediately reflected in our SaaS applications."
4. Master mobile security.
As more organizations adopt Bring Your Own Device policies, they are facing a host of challenges, including how to secure information stored on a range of devices that they don't own.
Mobile device management "is a sweet spot for me," Frymier says. "I'm the executive of interest for our consumerization effort because it has such security aspects to it.... We have a Bring Your Own Device program, and now 4,000 employees have their own iOS devices. We have got them set up in a way that's secure using Microsoft ActiveSync."
Unisys also is focusing on security in its mobile application development efforts.
"The people who understand mobility at a very deep level tend to be very young, often right out of college. What we find is that we need to pair them up with more senior people who understand backend systems," Frymier says. "You have all of these sexy streams of data on mobile apps. You need to understand how it gets in and how it gets out and how authentication is done and who has access to it."