North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: How to get better security people

  • From: batz
  • Date: Tue Mar 26 15:00:18 2002

On Tue, 26 Mar 2002, Sean Donelan wrote:

:If I was looking for top security talent, what would I ask for whether
:I was hiring directly or outsourcing?  Do I want a bunch of ex-miltary,
:ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none
:of which have existed for 10 years, published papers, can answer tricky
:questions about checkpoint firewalls (why is a confusing firewall
:configuration a good thing?), a college degree in crypto, big 5
:accounting firm (or is that now big 4 accounting firm)?

I would ask for personal referrals. They are generally the only thing
worth counting. 

The accounting firms have brand recognition, but the way the business 
works, you are rolling dice the same way you would using a boutique. 

Certifications are handy from a diligence perspective, but shouldn't 
be a deal breaker. Product knowledge is handy, but doesn't demonstrate
expertise. Published papers will show expertise, but not indicate 
reliability or business focus. Industry specific experience will 
demonstrate business focus, but not neccesarily show clue.  Academic
credentials will show persistance and some clue, but probably won't
ultimately help you sell more widgets.   

:Likewise, if I was going to outsource.  What should I be looking for
:in a security management provider?

Track record over the last 3 years, and personal referrals. This on
top of whatever criteria you have for requiring one in the first 

Brands mean very little in the face of a referral from someone
you trust, or have paid enough to trust. Services companies only real 
asset is their staff, and many will debase their brand by diluting
their talent pool to deliver a more reliable recurring revenue stream
to investors. 

This means fewer high clue people delivering complex but high return
services, and more middle to low end consultants delivering simple
managed services to a much broader customer base. Think of it as a 
race to the bottom.   

So, it depends on the solution you need. If you need enterprise network 
architecture, customised IDS and incident response solultions, and 
bleeding edge technology to defend your network against theoretical threats
and imagined hostile governments, find a geek-boutique of people 
who speak at blackhat briefings, tell spook stories, and can show signifigant
contributions in openbsd change logs. I hear some will even throw in a tinfoil
hat, gratis. 

If you need reasonably reliable, cost effective anti-virus, managed 
IDS, and a checkmark or smiley face on your next audit, but aren't 
terribly concerned about specific threats, read some Gartner Group 
reports and pick one that seems reasonable. 

I suppose this could just have been summed up by saying, get a personal
referral, as the industry hasn't been around long enough to really judge 
from track records, who can provide the best service.