RE: How to get better security people
On that note, Etrade laid off their entire net sec team a few months back. I don't trade there no more. ;)
-----Original Message----- From: Sean Donelan [mailto:sean@donelan.com] Sent: Monday, March 25, 2002 7:05 PM To: nanog@merit.edu Subject: How to get better security people
According to a recent salary survey telephone companies have some of the lowest paid information security professionals in comparison with other technology corporations, federal government, or financial companies. When the US Transportation Security Administration (aka, the agency in charge of airport screeners) is paying their computer security people more than telephone companies, it's hard for phone companies to attract top security talent.
Customers need to let companies know that security and responsiveness affect their purchasing decisions. I think some companies are getting the message. But in today's market, with tight budgets and layoffs, security is often viewed as overhead. A lot of providers are lucky if they have one network engineer who does security stuff in her spare time. Full-fledged security departments are rare.
On Mon, 25 Mar 2002, Eric Whitehill wrote:
UUNet, by far is the best. I've had mixed results with Sprint. A couple of years ago I had to deal with Hurricane Electric and the tech was really good about it - he added in the ACL I needed right over the phone.
Also, I know of a couple providers in the upper midwest that are pretty good at working with DOS stuff. Email me off list if you are interested.
On Tue, 26 Mar 2002, LeBlanc, Jason wrote:
On that note, Etrade laid off their entire net sec team a few months back. I don't trade there no more. ;)
Fewer and fewer companies are paying attention to network security with the right mindset. They all want people who have been in the field for 7-10+ years, with 10+ years of general systems admin skills. I'm 21. I have 5 years of combined network security and sysadmin experience. No-one is interested. I spent 5 months looking for a job, applied at at least a few hundred locations, only to be told each time that I didn't have enough experience. I know around 100 other security admins, and I think 2 have that much experience. It's semi-understandable when a MNC wants that kind of experience, but when your run of the mill start up wants to too, it gets rather sick. These people aren't going to get what they're looking for. They'll realise it too late I guess. I dropped out of security and went back to sysadmining. I prefer the job I have now to any I've had in the past, and I wouldn't trade it for a security job with some of these firms in 10 lifetimes.
-- Av
Go here, now - http://www.ircnetops.org/smurf
On Tue, 26 Mar 2002, Avleen Vig wrote:
On Tue, 26 Mar 2002, LeBlanc, Jason wrote:
On that note, Etrade laid off their entire net sec team a few months back. I don't trade there no more. ;)
Fewer and fewer companies are paying attention to network security with the right mindset. They all want people who have been in the field for 7-10+ years, with 10+ years of general systems admin skills.
I attended my first IETF meeting in 1991. There were 384 attendees. There are very few people who really have 10+ years experience in this industry.
If I was looking for top security talent, what would I ask for whether I was hiring directly or outsourcing? Do I want a bunch of ex-military, ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none of which have existed for 10 years, published papers, can answer tricky questions about checkpoint firewalls (why is a confusing firewall configuration a good thing?), a college degree in crypto, big 5 accounting firm (or is that now big 4 accounting firm)?
The problem right now is if you advertise for a job, you will get blasted with literally tens of thousands of resumes. What should I be telling the HR department to look for?
Likewise, if I was going to outsource. What should I be looking for in a security management provider?
The best information security person I've ever met/worked with/etc was at Disney Imagineering. I've yet to find anyone at a security consulting firm or other company that came close to matching him.
Surely you're looking for someone who can tell you what they are trying to protect from ie hacking, DoS, DDoS and how and why that is a security problem.. Then I guess you want them to have had sufficient experience to know how the different security products address these issues. No other major points really.. Product specialisations must be a distraction - if their knowledge and training comes from Checkpoint training then they may not know the details of the attack method and are more familiar with config'ing a checkpoint than what it is doing and in what areas it lacks.. And qualifications should never outnumber instances of hands on experience, what good is an academic with little knowledge in the field!
Steve
On Tue, 26 Mar 2002, Sean Donelan wrote:
On Tue, 26 Mar 2002, Avleen Vig wrote:
On Tue, 26 Mar 2002, LeBlanc, Jason wrote:
On that note, Etrade laid off their entire net sec team a few months back. I don't trade there no more. ;)
Fewer and fewer companies are paying attention to network security with the right mindset. They all want people who have been in the field for 7-10+ years, with 10+ years of general systems admin skills.
I attended my first IETF meeting in 1991. There were 384 attendees. There are very few people who really have 10+ years experience in this industry.
If I was looking for top security talent, what would I ask for whether I was hiring directly or outsourcing? Do I want a bunch of ex-military, ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none of which have existed for 10 years, published papers, can answer tricky questions about checkpoint firewalls (why is a confusing firewall configuration a good thing?), a college degree in crypto, big 5 accounting firm (or is that now big 4 accounting firm)?
The problem right now is if you advertise for a job, you will get blasted with literally tens of thousands of resumes. What should I be telling the HR department to look for?
Likewise, if I was going to outsource. What should I be looking for in a security management provider?
The best information security person I've ever met/worked with/etc was at Disney Imagineering. I've yet to find anyone at a security consulting firm or other company that came close to matching him.
-- Stephen J. Wilcox
IP Services Manager, Opal Telecom
http://www.opaltelecom.co.uk/
Tel: 0161 222 2000 Fax: 0161 222 2008
On Tue, 26 Mar 2002, Stephen J. Wilcox wrote:
And qualifications should never outnumber instances of hands on experience, what good is an academic with little knowledge in the field!
Finally, people who agree with me. How many management personnel are out there who don't have degrees? Very few I imagine. How many techies are out there without degrees? Quite a high number. This industry is such that (IMHO) experience is *FAR* more valuable than any piece of paper. A piece of paper won't tell you what to do when you have someone in your system, how to watch them, what to do, who to call..
-- Avleen Vig
Network Security Officer
Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf
On Tue, 26 Mar 2002, Sean Donelan wrote:
:If I was looking for top security talent, what would I ask for whether
:I was hiring directly or outsourcing? Do I want a bunch of ex-military,
:ex-law enforcement, ex-banker, lots of certifications (CISSP, GIAC) none
:of which have existed for 10 years, published papers, can answer tricky
:questions about checkpoint firewalls (why is a confusing firewall
:configuration a good thing?), a college degree in crypto, big 5
:accounting firm (or is that now big 4 accounting firm)?
I would ask for personal referrals. They are generally the only thing worth counting. The accounting firms have brand recognition, but the way the business works, you are rolling dice the same way you would using a boutique. Certifications are handy from a diligence perspective, but shouldn't be a deal breaker. Product knowledge is handy, but doesn't demonstrate expertise. Published papers will show expertise, but not indicate reliability or business focus. Industry specific experience will demonstrate business focus, but not necessarily show clue. Academic credentials will show persistence and some clue, but probably won't ultimately help you sell more widgets.
:Likewise, if I was going to outsource. What should I be looking for
:in a security management provider?
Track record over the last 3 years, and personal referrals. This on top of whatever criteria you have for requiring one in the first place. Brands mean very little in the face of a referral from someone you trust, or have paid enough to trust. Services companies' only real asset is their staff, and many will debase their brand by diluting their talent pool to deliver a more reliable recurring revenue stream to investors. This means fewer high clue people delivering complex but high return services, and more middle to low end consultants delivering simple managed services to a much broader customer base. Think of it as a race to the bottom. So, it depends on the solution you need.
If you need enterprise network architecture, customised IDS and incident response solutions, and bleeding edge technology to defend your network against theoretical threats and imagined hostile governments, find a geek-boutique of people who speak at blackhat briefings, tell spook stories, and can show significant contributions in openbsd change logs. I hear some will even throw in a tinfoil hat, gratis. If you need reasonably reliable, cost effective anti-virus, managed IDS, and a checkmark or smiley face on your next audit, but aren't terribly concerned about specific threats, read some Gartner Group reports and pick one that seems reasonable. I suppose this could just have been summed up by saying, get a personal referral, as the industry hasn't been around long enough to really judge from track records, who can provide the best service.
-- batz
-----Original Message----- From: LeBlanc, Jason <Jml@ebay.com>
On that note, Etrade laid off their entire net sec team a few months back. I don't trade there no more. ;)
Let me guess, eBay is moving into securities trading next.... Your "facts" about eTrade are wrong, very wrong. -Jim P.
participants (6)
- Avleen Vig
- batz
- Jim Popovitch
- LeBlanc, Jason
- Sean Donelan
- Stephen J. Wilcox