By James Carlini
Even as more organizations rank security and compliance among their top issues,
they still don't see where security really fits on the organization chart.
There is a big secret that few executives know about in most
organizations: Security is not a techie issue. It goes beyond knowing
virus scans and firewalls. Security should be at an executive level
because it's a business strategy and not a low-level function.
In several semesters of network security classes, attendees from
various organizations have debated this observation.
For some reason, security is viewed as a job that's accomplished by
adding some firewalls and making sure everyone's computer has the
latest patches applied. The overall consensus after so much debate is
that it's a much broader job that encompasses making policy and
procedures as well as adding software to protect assets.
HR's Quest For the Purple Squirrel
Job descriptions that have high-level strategy and policy-making
requirements along with technical requirements are the equivalent of
looking for purple squirrels. You're never going to find one, and with
that mix of skill sets required for the job, any candidate who fills
the job is doomed to fail.
Some human resource professionals look for the easy way out and
require certificates. A certificate doesn't guarantee anything. You
may be losing out on the best candidates if you're too focused on
paper and not real experience.
Many HR departments have become too reliant on certificates instead of
trying to understand and search for the real skill sets needed for
many jobs. Looking for project management professional (PMP)
certificates for project management and technical certificates for
Cisco and Microsoft, some HR people have become too focused on
certificates instead of looking at the experience of the total
As one candidate pointed out to me in a phone conversation, a
certificate doesn't guarantee a level of expertise to do the job. Real
experience points out that "I already did the job" the certificate
says I should be able to do.
The question becomes: "Have organizations become too concerned about
certificates and nothing else?" The answer is yes. More important, the
rigid requirement for certificates doesn't guarantee any level of
quality in candidates. This is something for some HR departments to
evaluate again in their approach to screening and hiring candidates.
A Typical Failed Job Description
Here's a typical request for someone who's as rare as a purple
squirrel. This was from a company that failed a Sarbanes-Oxley
compliance test and is now looking for a new person to fill the role
of security administrator.
Read through the requirements and look at the disparity between the
techie skill sets needed and the policy and procedures expertise
that's also needed to understand and support Sarbanes-Oxley compliance
issues. It's hard to find all that rolled into one person.
Position: Security administrator
Location: Anywhere in the U.S.
Job Description: Our client is seeking a highly motivated individual
who will function as a lead technical security administrator. Will
have responsibility for overall security of the client's applications
and operating environment. Must be able to manage and perform
security reviews and audits, application-level vulnerability testing,
risk analysis and security code reviews. Will be expected to
evaluate and architect information security plans.
Will be expected to own the information security operational,
procedural and policy documentation. Will be responsible for ongoing
review of security alerts and vulnerabilities and assessing
applicability to applications, systems and operating environments
supporting the business unit.
Will have direct responsibility for responding to all
security-related events, leading the client's technical event
activities and acting as the liaison with other central and corporate
security teams. Will be expected to track security-related events,
vulnerabilities, applicability, remediation activities and provide
ongoing status reporting.
Will be expected to maintain a security-focused mindset within the
client's IT team, provide training and necessary communication to the
team. Will be expected to maintain currency on information technology
security products and infrastructure. Will design and recommend
security initiatives including custom-developed and
* Must have a strong foundation and in-depth technical knowledge in
security engineering, computer and network security, authentication
and security protocols and cryptography
* Must have a strong understanding of firewalls, intrusion detection,
strong authentication, content filtering and enterprise security
* Five years of technical experience with increasing responsibility
* Two years of experience focused on information security
* Detailed knowledge of common security protocols and network security
* Intimate knowledge of system security vulnerabilities, network-based
attacks and their mitigation
* In-depth knowledge of common security protocols
* Excellent organizational, written and verbal skills
* Results oriented
This company has focused on the technical skills but hasn't detailed
what it needs from a compliance standpoint. In this case, the security
administrator will have to somehow understand the issues and impacts of
Sarbanes-Oxley but those job attributes have yet to be clearly
My recommendation is that the company should break up the position
into an executive-level and technical-level job. If this isn't done,
the company is doomed to repeat its mistakes. A technical person isn't
going to understand some of the higher-level issues and the high-level
person isn't going to be able to keep up with all the techie issues.
I have seen the same dilemma at several small financial firms. You
can't give two full-time jobs to one person and expect them both to
get done. Will people listen to opinions like mine? No. They won't
until they suffer enough economic pain through fines and
non-compliance disciplinary sanctions.
Carlinism: Companies find better candidates when they look beyond
certifications and into real-world experience.
James Carlini is an adjunct professor at Northwestern University. He
is also president of Carlini & Associates. Carlini can be reached at
carlini @ northwestern.edu or 773-370-1888.
Copyright 2005 Jim Carlini