North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: How to get better security people

  • From: Stephen J. Wilcox
  • Date: Tue Mar 26 13:39:53 2002

Surely you're looking for someone who can tell you what they are trying to
protect from ie hacking, DoS, DDoS and how and why that is a security

Then I guess you want them to have had sufficient experience to know how
the different security products address these issues.

No other major points really..

Product specialisations must be a distraction - if their knowledge and
training comes from Checkpoint training then they may not know the details
of the attack method and are more familiar with config'ing a checkpoint
than what it is doing and in what areas it lacks..

And qualifications should never outnumber instances of hands on
experience, what good is an academic with little knowledge in the field!


On Tue, 26 Mar 2002, Sean Donelan wrote:

> On Tue, 26 Mar 2002, Avleen Vig wrote:
> > On Tue, 26 Mar 2002, LeBlanc, Jason wrote:
> > > On that note, Etrade layed off their entire net sec team a few months back.
> > > I don't trade there no more. ;)
> >
> > Fewer and fewer companies are paying attention to network security with
> > the right mindset. They all want peopl who have been in the field for
> > 7-10+ years, with 10+ years of general systems admin skills.
> I attended my first IETF meeting in 1991.  There were 384 attendees.
> There are very few people who really have 10+ years experience in this
> industry.
> If I was looking for top security talent, what would I ask for whether
> I was hiring directly or outsourcing?  Do I want a bunch of ex-miltary,
> ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none
> of which have existed for 10 years, published papers, can answer tricky
> questions about checkpoint firewalls (why is a confusing firewall
> configuration a good thing?), a college degree in crypto, big 5
> accounting firm (or is that now big 4 accounting firm)?
> The problem right now is if you advertise for a job, you will get
> blasted with literally tens of thousands of resumes.  What should I
> be telling the HR department to look for?
> Likewise, if I was going to outsource.  What should I be looking for
> in a security management provider?
> The best information security person I've ever met/worked with/etc was
> at Disney Imagineering.  I've yet to find anyone at a security consulting
> firm or other company that came close to matching him.

Stephen J. Wilcox
IP Services Manager, Opal Telecom
Tel: 0161 222 2000
Fax: 0161 222 2008