As more organizations rank security and compliance among their top issues, they still don't see where security really fits on the organization chart. There is a big secret that few executives in most organizations know: Security is not a techie issue. It goes beyond knowing virus scans and firewalls. Security belongs at the executive level because it's a business strategy, not a low-level function.
In several semesters of network security classes, attendees from various organizations have debated this observation.
For some reason, security is viewed as a job that's accomplished by adding some firewalls and making sure everyone's computer has the latest patches applied. The overall consensus after so much debate is that it's a much broader job, one that encompasses making policy and procedures as well as adding software to protect assets.
HR's Quest For the Purple Squirrel
Job descriptions that combine high-level strategy and policy-making requirements with deep technical requirements are the equivalent of looking for purple squirrels. You're never going to find one, and with that mix of skill sets required for the job, any candidate who fills it is doomed to fail.
Some human resource professionals look for the easy way out and require certificates. A certificate doesn't guarantee anything. You may be losing out on the best candidates if you're too focused on paper and not on real experience.
Many HR departments have become too reliant on certificates instead of trying to understand and search for the real skill sets that many jobs need. Looking for Project Management Professional (PMP) certificates for project management and technical certificates for Cisco and Microsoft, some HR people have become too focused on certificates instead of looking at the experience of the total individual.
As one candidate pointed out to me in a phone conversation, a certificate doesn't guarantee a level of expertise to do the job. Real experience points out that I already did the job the certificate says I should be able to do.
The question becomes: Have organizations become too concerned about certificates and nothing else? The answer is yes. More important, a rigid requirement for certificates doesn't guarantee any level of quality in candidates. This is something for some HR departments to re-evaluate in their approach to screening and hiring candidates.
A Typical Failed Job Description
Here's a typical request for someone who's as rare as a purple squirrel. It came from a company that failed a Sarbanes-Oxley compliance test and is now looking for a new person to fill the role of security administrator.
Read through the requirements and look at the disparity between the techie skill sets needed and the policy and procedures expertise that's also needed to understand and support Sarbanes-Oxley compliance issues. It's hard to find all that rolled into one person.
Position: Security administrator
Location: Anywhere in the U.S.
Job Description: Our client is seeking a highly motivated individual who will function as a lead technical security administrator. Will have responsibility for overall security of the client's applications and operating environment. Must be able to manage and perform security reviews and audits, application-level vulnerability testing, risk analysis and security code reviews. Will be expected to evaluate and architect information security plans.
Will be expected to own the information security operational, procedural and policy documentation. Will be responsible for ongoing review of security alerts and vulnerabilities and assessing applicability to applications, systems and operating environments supporting the business unit.
Will have direct responsibility for responding to all security-related events, leading the client's technical event activities and acting as the liaison with other central and corporate security teams. Will be expected to track security-related events, vulnerabilities, applicability, remediation activities and provide ongoing status reporting.
Will be expected to maintain a security-focused mindset within the client's IT team, provide training and necessary communication to the team. Will be expected to maintain currency on information technology security products and infrastructure. Will design and recommend security initiatives including custom-developed and commercial-protection technologies.
Must have a strong foundation and in-depth technical knowledge in security engineering, computer and network security, authentication and security protocols and cryptography
Must have a strong understanding of firewalls, intrusion detection, strong authentication, content filtering and enterprise security management
Five years of technical experience with increasing responsibility
Two years of experience focused on information security
Detailed knowledge of common security protocols and network security topics
Intimate knowledge of system security vulnerabilities, network-based attacks and their mitigation
In-depth knowledge of common security protocols
Excellent organizational, written and verbal skills
This company has focused on the technical skills but hasn't detailed what it needs from a compliance standpoint. In this case, the security administrator will somehow have to understand the issues and impacts of Sarbanes-Oxley, but those job attributes have yet to be clearly defined.
My recommendation is that the company break the position into two jobs: an executive-level job and a technical-level job. If this isn't done, the company is doomed to repeat its mistakes. A technical person isn't going to understand some of the higher-level issues, and the high-level person isn't going to be able to keep up with all the techie issues.
I have seen the same dilemma at several small financial firms. You can't give two full-time jobs to one person and expect them both to get done. Will people listen to opinions like mine? No. They won't until they suffer enough economic pain through fines and non-compliance disciplinary sanctions.
Carlinism:
Companies find better candidates when they look beyond certifications and into real-world experience.
James Carlini is an adjunct professor at Northwestern University. He is also president of Carlini & Associates. Carlini can be reached at email@example.com
This article has been syndicated on the Wisconsin Technology Network courtesy of ePrairie, a user-driven business and technology news community distributed via the Web, the wireless Web and free daily e-mail newsletters.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC (WTN). WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.