How to get better security people
batz
batsy at vapour.net
Tue Mar 26 19:50:02 UTC 2002
On Tue, 26 Mar 2002, Sean Donelan wrote:
:If I was looking for top security talent, what would I ask for whether
:I was hiring directly or outsourcing? Do I want a bunch of ex-military,
:ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none
:of which have existed for 10 years, published papers, can answer tricky
:questions about checkpoint firewalls (why is a confusing firewall
:configuration a good thing?), a college degree in crypto, big 5
:accounting firm (or is that now big 4 accounting firm)?
I would ask for personal referrals. They are generally the only thing
worth counting.
The accounting firms have brand recognition, but the way the business
works, you are rolling dice the same way you would using a boutique.
Certifications are handy from a diligence perspective, but shouldn't
be a deal breaker. Product knowledge is handy, but doesn't demonstrate
expertise. Published papers will show expertise, but not indicate
reliability or business focus. Industry specific experience will
demonstrate business focus, but not necessarily show clue. Academic
credentials will show persistence and some clue, but probably won't
ultimately help you sell more widgets.
:Likewise, if I was going to outsource. What should I be looking for
:in a security management provider?
Track record over the last 3 years, and personal referrals. This on
top of whatever criteria you have for requiring one in the first
place.
Brands mean very little in the face of a referral from someone
you trust, or have paid enough to trust. Services companies' only real
asset is their staff, and many will debase their brand by diluting
their talent pool to deliver a more reliable recurring revenue stream
to investors.
This means fewer high clue people delivering complex but high return
services, and more middle to low end consultants delivering simple
managed services to a much broader customer base. Think of it as a
race to the bottom.
So, it depends on the solution you need. If you need enterprise network
architecture, customised IDS and incident response solutions, and
bleeding edge technology to defend your network against theoretical threats
and imagined hostile governments, find a geek-boutique of people
who speak at blackhat briefings, tell spook stories, and can show significant
contributions in openbsd change logs. I hear some will even throw in a tinfoil
hat, gratis.
If you need reasonably reliable, cost effective anti-virus, managed
IDS, and a checkmark or smiley face on your next audit, but aren't
terribly concerned about specific threats, read some Gartner Group
reports and pick one that seems reasonable.
I suppose this could just have been summed up by saying, get a personal
referral, as the industry hasn't been around long enough to really judge
from track records, who can provide the best service.
--
batz