I have two vacancies in the information security department, and I've been hunting for good candidates for what seems like months and coming up empty. But my search got me thinking about how I manage the people I have. I don't want to lose any of them.
I've been a manager for about 16 years. At first, I was the supreme micromanager. I wanted daily status reports. I looked over shoulders. I constantly asked questions.
Looking back, I'm embarrassed at how poorly I managed people. By the time I was managing security people, I had learned a lot.
First of all, these guys (that's an all-inclusive, male-and-female "guys") are really smart. Most are smarter than their manager, so pretending you know everything is an unwise approach. You should know enough to converse intelligently and to understand the issues. But you can't know everything about every device on the network. You just need to know which security issues should be addressed and have a good idea of how to address them.
I used to think that a good manager of technical people has to also be fairly technical. But I've found that no matter how hard I try, I can't keep up with the pace of technological innovation. Every innovation has a security component.
If I spend a weekend learning the nuts and bolts of designing a customized virtual private network, I fall behind on understanding the security implications of Microsoft's latest operating system.
So, here are my three simple rules for managing the smart guys.
No. 1: Hire really good people
What is a "good hire"? That varies depending on what you want. I want people I can trust. Trust implies all kinds of things: commitment and dedication to the job, to the agency, to the project and to the team. I want to be able to trust that my employees are going to show up every day, work hard and stay all night when the network goes down.
I want my employees to be dedicated to teamwork, meaning that I can trust them to help out a colleague and not undermine others' work. They must tell the truth, the whole truth and nothing but the truth, no matter how unpleasant it may be.
How do I determine that someone is trustworthy? Job history tells a lot. References are helpful. But most of all, I rely on looking the applicant squarely in the eye and evaluating what I get back. Is that fuzzy logic? It certainly is a gut-instinct thing.
You can usually spot a fishy situation if you're paying attention. Someone who lies on a resume, doesn't have good references, doesn't pass a background check or just can't back it all up in an interview is not to be trusted.
Give candidates plenty of opportunities to talk and maybe bury themselves. Ask questions like, "What was your best and worst experience in doing security work?" What you're looking for is information on how the candidate handles pressure and whether he tends to blame others or accept responsibility.
I don't waste my time asking things like, "Show me the command lines to configure a DMZ on a Cisco PIX firewall." Anyone can look that up in two seconds. The ability to store command lines in your head is indicative of nothing other than a great memory. Besides, most of these guys have a direct link from their brains to the keyboard and won't necessarily be able to come up with the answer in an interview situation.
After trustworthiness, I look for intelligence. I want someone who can work through a complicated scenario independently and come up with a good answer or a number of options, with all the pros and cons thought through.