http://www.eprairie.com/news/viewnews.asp?newsletterid=11552

By James Carlini
ePrairie.com
6/15/2005

As more organizations see security and compliance as their top issues, they don't see where security really fits on the organization chart. There is a big secret that few executives know about in most organizations: security is not a techie issue. It goes beyond knowing virus scans and firewalls. Security should be at an executive level because it's a business strategy and not a low-level function.

In several semesters of network security classes, attendees from various organizations have debated this observation. For some reason, security is viewed as a job that's accomplished by adding some firewalls and making sure everyone's computer has the latest patches applied. The overall consensus after so much debate is that it's a much broader job that encompasses making policy and procedures as well as adding software to protect assets.

HR's Quest For the Purple Squirrel

Job descriptions that combine high-level strategy and policy-making requirements with technical requirements are the equivalent of looking for purple squirrels. You're never going to find one, and with that mix of skill sets required for the job, any candidate who fills it is doomed to failure.

Some human resource professionals look for the easy way out and require certificates. A certificate doesn't guarantee anything. You may be losing out on the best candidates if you're too focused on paper and not real experience. Many HR departments have become too reliant on certificates instead of trying to understand and search for the real skill sets needed for many jobs. Looking for project management professional (PMP) certificates for project management and technical certificates for Cisco and Microsoft, some HR people have become too focused on certificates instead of looking at the experience of the total individual.

As one candidate pointed out to me in a phone conversation, a certificate doesn't guarantee a level of expertise to do the job. Real experience shows that "I already did the job" the certificate says I should be able to do. The question becomes: "Have organizations become too concerned about certificates and nothing else?" The answer is yes. More important, the rigid requirement for certificates doesn't guarantee any level of quality in candidates. This is something for some HR departments to evaluate again in their approach to screening and hiring candidates.

A Typical Failed Job Description

Here's a typical request for someone who's as rare as a purple squirrel. It came from a company that failed a Sarbanes-Oxley compliance test and is now looking for a new person to fill the role of security administrator. Read through the requirements and look at the disparity between the techie skill sets needed and the policy and procedures expertise that's also needed to understand and support Sarbanes-Oxley compliance issues. It's hard to find all that rolled into one person.

Position: Security administrator
Location: Anywhere in the U.S.

Job Description: Our client is seeking a highly motivated individual who will function as a lead technical security administrator. Will have responsibility for overall security of the client's applications and operating environment. Must be able to manage and perform security reviews and audits, application-level vulnerability testing, risk analysis and security code reviews. Will be expected to evaluate and architect information security plans. Will be expected to own the information security operational, procedural and policy documentation. Will be responsible for ongoing review of security alerts and vulnerabilities and assessing applicability to applications, systems and operating environments supporting the business unit.

Will have direct responsibility for responding to all security-related events, leading the client's technical event activities and acting as the liaison with other central and corporate security teams. Will be expected to track security-related events, vulnerabilities, applicability, remediation activities and provide ongoing status reporting. Will be expected to maintain a security-focused mindset within the client's IT team, provide training and necessary communication to the team. Will be expected to maintain currency on information technology security products and infrastructure. Will design and recommend security initiatives including custom-developed and commercial-protection technologies.

* Must have a strong foundation and in-depth technical knowledge in security engineering, computer and network security, authentication and security protocols and cryptography
* Must have a strong understanding of firewalls, intrusion detection, strong authentication, content filtering and enterprise security management
* Five years of technical experience with increasing responsibility
* Two years of experience focused on information security
* Detailed knowledge of common security protocols and network security topics
* Intimate knowledge of system security vulnerabilities, network-based attacks and their mitigation
* In-depth knowledge of common security protocols
* Excellent organizational, written and verbal skills
* Results oriented

This company has focused on the technical skills but hasn't detailed what it needs from a compliance standpoint. In this case, the security administrator will have to somehow understand the issues and impacts of Sarbanes-Oxley, but those job attributes have yet to be clearly defined. My recommendation is that the company should break up the position into an executive-level job and a technical-level job. If this isn't done, the company is doomed to repeat its mistakes.

A technical person isn't going to understand some of the higher-level issues, and the high-level person isn't going to be able to keep up with all the techie issues. I have seen the same dilemma at several small financial firms. You can't give two full-time jobs to one person and expect them both to get done.

Will people listen to opinions like mine? No. They won't until they suffer enough economic pain through fines and non-compliance disciplinary sanctions.

Carlinism: Companies find better candidates when they look beyond certifications and into real-world experience.

-=-
James Carlini is an adjunct professor at Northwestern University. He is also president of Carlini & Associates. Carlini can be reached at carlini @ northwestern.edu or 773-370-1888.

Copyright 2005 Jim Carlini
This archive was generated by hypermail 2.1.3 : Thu Jun 16 2005 - 00:28:35 PDT