Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

But I still haven’t found what I’m looking for.

(By the way, to hear a hilarious oompah version of the song, listen to this clip on Amazon.de.)

Previous entry aside, it’s just not enough when you’re hiring a security person to say that you’re looking for “Smart, and Gets Things Done.” I was gratified to hear one of my top executives describe his search criteria as “talent” and “speed,” and add that he “know[s] it when [he] see[s] it.” I know the feeling.  But that still doesn’t make for a decent job posting.

So, what do I ask for?  I’m biased, admittedly:  I tend to think that the best hands-on security analysts have a system administration background.  I look for candidates who have a certain number of years’ experience in at least three of five areas:  network admin/support/design, OS admin/support/design, database admin/support/design, application development/support, and “Internet technologies” (email, web, etc.) admin/support/design.  It’s especially important that I see at least some design work in there, because I know of too many support people who just run what they’re given and don’t really understand it.

On top of that, I look for a minimum amount of experience with admin/support/design of the usual security infrastructure:  firewalls, IDS/IPS, encryption, VPNs, and so on. 

I weight the sysadmin experience more heavily than the actual “security” experience, though.  To my surprise I’ve discovered that there now exists a breed that I’ll call the “security technician”:  someone who can install and run VPNs and firewalls without really understanding the security principles behind them.  Someone like that might look good on paper, with six years or so installing commodity firewalls, but when you get them into the interview, they fall flat in the conceptual areas.  (A tipoff is when you ask them to describe how public key encryption works, they start talking in terms of SSL certificates being installed on a server.  Another is if they spend a lot of time talking about security in terms of tools.  “Well, to solve this problem you fire up the IDS ...”)

I can take a good sysadmin and train her up in the security area, because if she’s a good sysadmin, she’s already tackled a lot of those areas and just needs to focus more on them.  But a top-down “security” person just doesn’t turn out as well in my organization.

After the technical skillsets (which include the ability to explain complicated technical issues using little teeny words), I look for people skills.  Once in a while I will take a real introvert if he’s extremely good technically, but in general, I need all my security folks to be able to work on Layer 8 as well as the other layers.  Security is tricky enough without having a personality on my team that pisses people off for no good reason.  Let’s face it:  a lot of security work involves breaking the news to people that they’re doing things Wrong.  That takes finesse.  Also, someone who doesn’t have good people skills won’t make a good team member, and I want my team to play nicely with each other as well as with the rest of the organization.

This is just my set of filters, though.  I’m not a vendor installing security products for the masses, and I don’t have a large team where I can afford to have too many specialists.  Most of the time I get lucky and find a combination of people who are strong in different parts of the “Five Areas,” and they make a good mix. 

Being able to quote Real Genius isn’t strictly necessary, but it helps.


Posted by shrdlu on Friday, July 21, 2006