Solid Security is Beyond Tech Certificates



As more organizations see security and compliance as their top issues,
they don't see where security really fits on the organization chart.
There is a big secret that few executives know about in most
organizations: Security is not a techie issue. It goes beyond knowing
virus scans and firewalls. Security should be at an executive level
because it's a business strategy and not a low-level function.

In several semesters of network security classes, attendees from
various organizations have debated this observation.

For some reason, security is viewed as a job that's accomplished by
adding some firewalls and making sure everyone's computer has the
latest patches applied. The overall consensus after so much debate is
that it's a much broader job that encompasses making policy and
procedures as well as adding software to protect assets.

HR's Quest For the Purple Squirrel

Job descriptions that have high-level strategy and policy-making
requirements along with technical requirements are the equivalent of
looking for purple squirrels. You're never going to find one, and with
that mix of skill sets required for the job, any candidate who fills
the job is doomed to failure.

Some human resource professionals look for the easy way out and
require certificates. A certificate doesn't guarantee anything. You
may be losing out on the best candidates if you're too focused on
paper and not real experience.

Many HR departments have become too reliant on certificates instead of
trying to understand and search for the real skill sets needed for
many jobs. Looking for project management professional (PMP)
certificates for project management and technical certificates for
Cisco and Microsoft, some HR people have become too focused on
certificates instead of looking at the experience of the total
individual.

As one candidate pointed out to me in a phone conversation, a
certificate doesn't guarantee a level of expertise to do the job. Real
experience points out that "I already did the job" the certificate
says I should be able to do.

The question becomes: "Have organizations become too concerned about
certificates and nothing else?" The answer is yes. More important, the
rigid requirement for certificates doesn't guarantee any level of
quality in candidates. This is something for some HR departments to
evaluate again in their approach to screening and hiring candidates.

A Typical Failed Job Description

Here's a typical request for someone who's as rare as a purple
squirrel. This was from a company that failed a Sarbanes-Oxley
compliance test and is now looking for a new person to fill the role
of security administrator.

Read through the requirements and look at the disparity between the
techie skill sets needed and the policy and procedures expertise
that's also needed to understand and support Sarbanes-Oxley compliance
issues. It's hard to find all that rolled into one person.

 Position: Security administrator
 Location: Anywhere in the U.S.

 Job Description: Our client is seeking a highly motivated individual
 who will function as a lead technical security administrator. Will
 have responsibility for overall security of the client's applications
 and operating environment. Must be able to manage and perform
 security reviews and audits, application-level vulnerability testing,
 risk analysis and security code reviews. Will be expected to
 evaluate and architect information security plans.

 Will be expected to own the information security operational,
 procedural and policy documentation. Will be responsible for ongoing
 review of security alerts and vulnerabilities and assessing
 applicability to applications, systems and operating environments
 supporting the business unit.

 Will have direct responsibility for responding to all
 security-related events, leading the client's technical event
 activities and acting as the liaison with other central and corporate
 security teams. Will be expected to track security-related events,
 vulnerabilities, applicability, remediation activities and provide
 ongoing status reporting.

 Will be expected to maintain a security-focused mindset within the
 client's IT team, provide training and necessary communication to the
 team. Will be expected to maintain currency on information technology
 security products and infrastructure. Will design and recommend
 security initiatives including custom-developed and
 commercial-protection technologies.

* Must have a strong foundation and in-depth technical knowledge in
  security engineering, computer and network security, authentication
  and security protocols and cryptography

* Must have a strong understanding of firewalls, intrusion detection,
  strong authentication, content filtering and enterprise security
  management

* Five years of technical experience with increasing responsibility

* Two years of experience focused on information security

* Detailed knowledge of common security protocols and network security
  topics

* Intimate knowledge of system security vulnerabilities, network-based
  attacks and their mitigation

* In-depth knowledge of common security protocols

* Excellent organizational, written and verbal skills

* Results oriented

This company has focused on the technical skills but hasn't detailed
what it needs from a compliance standpoint. In this case, the security
administrator will have to somehow understand the issues and impacts of
Sarbanes-Oxley, but those job attributes have yet to be clearly
defined.

My recommendation is that the company should break up the position
into an executive-level and technical-level job. If this isn't done,
the company is doomed to repeat its mistakes. A technical person isn't
going to understand some of the higher-level issues and the high-level
person isn't going to be able to keep up with all the techie issues.

I have seen the same dilemma at several small financial firms. You
can't give two full-time jobs to one person and expect them both to
get done. Will people listen to opinions like mine? No. They won't
until they suffer enough economic pain through fines and
non-compliance disciplinary sanctions.



Active © 2006; WorldsLargestNetwork.com ; Rights Reserved