Tom Clancy quoted the above from Louis Pasteur in what eweek writer Dennis Fisher termed "a rambling and somewhat odd keynote speech at the Gartner IT Security Expo".
I wasn't at the talk, so can't comment on whether it was rambling or not, but the basic thought sounds right to me. For IT, get people who are smart and know things outside of just their technical discipline. This holds true especially in the security field.
Why? Well, in security it's because you're dealing with a lot more than bits and bytes. That's not to say that knowing the technical isn't a prerequisite, it definitely is, but it's often not enough. More than a few times I've been asked to hire people with all the right certifications and college degrees who just didn't seem to 'get' INFOSEC despite their training. They were terrific on tasks they'd been specifically trained to complete, but got low marks on extrapolation and ability to acquire new skills.
That's not to say anyone with a certificate doesn't know what they're doing, it's a reminder that the certificate may not tell the whole story. Here's what I look for when hiring a security professional:
1. Technical experience with the products or systems to be managed or installed
2. Solid networking or application development knowledge (depending on what they're being hired to secure)
3. Technical security specific training or experience
4. Ability to learn new things - security's changing all the time, security professionals have to stay up to date
5. A passion for security technology and solutions - if someone's passionate about security they'll be educating themselves constantly
6. Very strong people skills - because much of security depends on 'the other half of the equation', the people using and trying to attack the systems
7. Ability to communicate technical and security concepts to the lay person - the jargon heavy 'dolphin speakers' get tuned out by users and management alike
8. Common sense - The most secure technology in the world isn't going to be worth a hill of beans if users don't use it properly. Security admins that force end-users to select 'strong' passwords and change them every thirty days may be following best practices but I'll bet you a lot of their users are following their own best practices and putting sticky notes with those 'strong passwords' up on their monitors
9. Business sense - security is about keeping the business running and profitable, it's not about installing the latest or coolest technology or spending more to protect less
10. A prepared mind - scary things happen in the world of security IT, and being ready for them, by having the skills mentioned above, means being prepared to handle them with grace, elegance, and maximum efficiency.
And at the end of the day, IT security is really about risk management and being prepared for the inevitable failures, attacks, and curveballs. Look beyond just certifications for that preparedness; the certs help, but they aren't the only requirement.
Posted by Diana at June 2, 2003 06:00 PM