[46384] in North American Network Operators' Group
Re: How to get better security people
daemon@ATHENA.MIT.EDU (Kelly J. Cooper)
Tue Mar 26 14:54:48 2002
From: "Kelly J. Cooper" <kcooper@genuity.net>
Message-Id: <1020326195411.ZM19063@burlma1-sshare2.gtei.net>
Date: Tue, 26 Mar 2002 19:54:11 +0000
In-Reply-To: Sean Donelan <sean@donelan.com>
"Re: How to get better security people" (Mar 26, 2:15pm)
To: nanog@merit.edu
On Mar 26, 2:15pm, Sean Donelan wrote:
> Subject: Re: How to get better security people
*
*On Tue, 26 Mar 2002, Tony Wasson wrote:
*> >> If I was looking for top security talent, what would I ask for whether
*> >> I was hiring directly or outsourcing?
*>
*> I agree with Steve Wilcox, incidents are important. I would ask for a
*> description of the 3 most interesting incidents they've ever worked on, and
*> what they contributed.
*
*I'm sorry, but that's confidential information and I can't disclose it.
*
*Would you hire a "security" person, who will likely be involved in the
*most embarrassing slip ups your company makes, if he tells people about
*"interesting" incidents at previous employers?
*
*Maybe, it depends on what he says.

Long ago and downstairs, when I used to interview people for Operations
Security, I asked each candidate whether s/he had ever handled a Denial
of Service attack or an intrusion, and if so, could they describe in
general terms how they handled it?

I would specifically ask them to NOT provide any identifying info, just
the process (and an explication of the attack) so I could gauge their
understanding of the situation.

I also had a short list of other questions that I used to try and get
a feel for the person's "security minded-ness" (my term, I invented it
a'ight?). Because when it comes to ISP security, there's a very
limited pool of talent so candidates are unlikely to come in with the
right skillset native.

But if the person comes in and s/he is someone who thinks about
scenarios and contingency plans and has a working knowledge of
networking/computing, then I can teach him/her everything else.

Kelly J.
--
Kelly J. Cooper - Security Engineer, CISSP
GENUITY - Main # - 800-632-7638
3 Van de Graaff Drive - Fax - 781-262-2744
Burlington, MA 01803 - http://www.genuity.net