[ISN] To Find Solid Security Candidates, Look Beyond Tech Certificates

InfoSec News isn at c4i.org
Thu Jun 16 03:15:34 EDT 2005


By James Carlini

As more organizations see security and compliance as their top issues, 
they don't see where security really fits on the organization chart. 
There is a big secret that few executives know about in most 
organizations: Security is not a techie issue. It goes beyond knowing 
virus scans and firewalls. Security should be at an executive level 
because it's a business strategy and not a low-level function. 

In several semesters of network security classes, attendees from 
various organizations have debated this observation. 

For some reason, security is viewed as a job that's accomplished by 
adding some firewalls and making sure everyone's computer has the 
latest patches applied. The overall consensus after so much debate is 
that it's a much broader job that encompasses making policy and 
procedures as well as adding software to protect assets. 

HR's Quest For the Purple Squirrel

Job descriptions that have high-level strategy and policy-making 
requirements along with technical requirements are the equivalent of 
looking for purple squirrels. You're never going to find one, and with 
that mix of skill sets required for the job, any candidate that fills 
the job is doomed for failure. 

Some human resource professionals look for the easy way out and 
require certificates. A certificate doesn't guarantee anything. You 
may be losing out on the best candidates if you're too focused on 
paper and not real experience. 

Many HR departments have become too reliant on certificates instead of 
trying to understand and search for the real skill sets needed for 
many jobs. Looking for project management professional (PMP) 
certificates for project management and technical certificates for 
Cisco and Microsoft, some HR people have become too focused on 
certificates instead of looking at the experience of the total 

As one candidate pointed out to me in a phone conversation, a 
certificate doesn't guarantee a level of expertise to do the job. Real 
experience points out that "I already did the job" the certificate 
says I should be able to do. 

The question becomes: "Have organizations become too concerned about 
certificates and nothing else?" The answer is yes. More important, the 
rigid requirement for certificates doesn't guarantee any level of 
quality in candidates. This is something for some HR departments to 
evaluate again in their approach to screening and hiring candidates. 

A Typical Failed Job Description

Here's a typical request for someone who's as rare as a purple 
squirrel. This was from a company that failed a Sarbanes-Oxley 
compliance test and is now looking for a new person to fill the role 
of security administrator. 

Read through the requirements and look at the disparity between the 
techie skill sets needed and the policy and procedures expertise 
that's also needed to understand and support Sarbanes-Oxley compliance 
issues. It's hard to find all that rolled into one person. 

 Position: Security administrator 
 Location: Anywhere in the U.S. 

 Job Description: Our client is seeking a highly motivated individual 
 who will function as a lead technical security administrator. Will 
 have responsibility for overall security of the client's applications 
 and operating environment. Must be able to manage and perform 
 security reviews and audits, application-level vulnerability testing, 
 risk analysis and security code reviews. Will be expected to 
 evaluate and architect information security plans. 

 Will be expected to own the information security operational, 
 procedural and policy documentation. Will be responsible for ongoing 
 review of security alerts and vulnerabilities and assessing 
 applicability to applications, systems and operating environments 
 supporting the business unit. 

 Will have direct responsibility for responding to all 
 security-related events, leading the client's technical event 
 activities and acting as the liaison with other central and corporate 
 security teams. Will be expected to track security-related events, 
 vulnerabilities, applicability, remediation activities and provide 
 ongoing status reporting. 

 Will be expected to maintain a security-focused mindset within the 
 client's IT team, provide training and necessary communication to the 
 team. Will be expected to maintain currency on information technology 
 security products and infrastructure. Will design and recommend 
 security initiatives including custom-developed and 
 commercial-protection technologies. 

* Must have a strong foundation and in-depth technical knowledge in 
  security engineering, computer and network security, authentication 
  and security protocols and cryptography 

* Must have a strong understanding of firewalls, intrusion detection, 
  strong authentication, content filtering and enterprise security 

* Five years of technical experience with increasing responsibility 

* Twp years of experience focused on information security 

* Detailed knowledge of common security protocols and network security 

* Intimate knowledge of system security vulnerabilities, network-based 
  attacks and their mitigation 

* In-depth knowledge of common security protocols 

* Excellent organizational, written and verbal skills 

* Results oriented 

This company has focused on the technical skills but hasn't detailed 
what it needs from a compliance standpoint. In this case, the security 
will have to somehow understand the issues and impacts of 
Sarbanes-Oxley but those job attributes have yet to be clearly 

My recommendation is that the company should break up the position 
into an executive-level and technical-level job. If this isn't done, 
the company is doomed to repeat its mistakes. A technical person isn't 
going to understand some of the higher-level issues and the high-level 
person isn't going to be able to keep up with all the techie issues. 

I have seen the same dilemma at several small financial firms. You 
can't give two full-time jobs to one person and expect them both to 
get done. Will people listen to opinions like mine? No. They won't 
until they suffer enough economic pain through fines and 
non-compliance disciplinary sanctions. 

Carlinism: Companies find better candidates when they look beyond 
certifications and into real-world experience. 


James Carlini is an adjunct professor at Northwestern University. He
is also president of Carlini & Associates. Carlini can be reached at
carlini @ northwestern.edu or 773-370-1888.

Copyright 2005 Jim Carlini

More information about the ISN mailing list