Want security people? Then grow them.
I have been in and around the topic of IT security in one form or another for close to 30 years, and there has been one constant: good security people do not come from courses, and that's not just because of the quality of some courses which are more designed as tickbox revenue generators and as means to bypass frankly hopelessly overtaxed HR staff.
Security is IMHO an attitude. There are a few aspects to security staff that signal that you may have a live one:
- an "always on" attitude. Security is not something to switch off as you come home, pretty much because the threat doesn't and you, family and friends also live in that dangerous world that you see.
- responsibility. "Pure" IT people lack this empathy sometimes, but your job is ultimately not cranking the handle on processes, although this is what management sees as security. Your actual job is to protect people from electronic danger, which also means taking into account that you're working with people - you should have already dealt with the IT angle.
- curiosity. Having a hacker attitude and aptitude matters, because you're in an arms race. The words "that's funny" should make you interested, because anomalies are where ye wily hacker has screwed up and enable you to unearth an APT. The hacker attitude should enable you to increase the number of traps in the system.
- strong but direct character. Security people often have to say "no" against overwhelming odds called "budget" and "management". It takes a certain personality style to cope with that, and still get meaningful results. Understanding political dynamics in a company is important, and knowing the difference between making a difference and being set up to be the fall guy (not getting the required resources is a hint) is vital :). Good security people have leadership skills (and usually a fairly developed, slightly dark sense of humour).
- IT skills, and by that I don't mean the ability to use MS Office. Security may be a process, but it also relies on knowledge to direct people. IT security means knowing about IT at at least a structural level (you don't need to be able to quote opcodes for the 6502 CPU).
As for recruitment, I go back to a hacker adage that is at least 2 decades old, if not longer:
it takes one to know one
Any HR staff who doesn't involve security people in the final screening process is not only wasting their time, they are actively endangering their company. The good news is that the bigger companies are indeed doing that now.
Now, how do you GROW a security person? I have audited many companies in London, and I started to take along IT colleagues. Some picked it up and became good security consultants, others were more comfortable remaining behind a screen, but in one instance I was consulting alone at a rather large law firm when the question of recruiting security staff came up (and from what I found it was an urgent requirement). I told them they probably already had the resources in house if they were willing to grow them - during the building walkthrough I came across the Tripwire security exploit poster (sadly no longer available from their website) which was a good hint that whoever sat at that desk had the required interest. On examination, I was right. In another instance I found the right person in a large stack of CVs marked "no" left behind in an HR desk (movers had brought it to our floor without checking) - reading between the lines I saw all the signs of someone with the right aptitude, but HR came up with some "would not culturally fit in" story when asked. Turns out he was indeed *perfect* for the job, and thus got recruited.
I've built full government networks, done M&A audits, worked in finance, in the military and even in manufacturing: the above continues to apply. You can't manufacture security people with courses and certificates. Sure, there is a certain skill set that is essential, but the aptitude to *deploy* those skills is what can lift security above the "bad to average" level I found in many organisations.
Last but not least: there is also the matter of budget. Good people cost good money. If you're not prepared to pay that, you should not complain about the results...
Comments?