A network executive finds a candidate with the perfect technical qualifications. He makes an offer. The candidate considers the offer so low it's an insult. Negotiations break down. The candidate storms out, threatening, "In three months, you'll be sorry you didn't hire me."
Unfortunately, the candidate had been interviewing for a job in information security. And during the interviews, he had been told details of the network configuration so the interviewers could make sure he could do the job.
"I told that hiring manager, 'You'd better check your logs carefully,'" says Michele Crabb, a senior security architect who oversees Cisco's internal network. Crabb recently heard this story at an information security conference.
Other managers tell of less frightening but similarly frustrating stories. "A lot of candidates out there claim to know what they're doing, but they really don't," says Paul Raines, vice president of electronic security for the Federal Reserve Bank of New York.
All of which raises the question: How do you hire a competent IT security professional?
According to Crabb and others, much of the process is similar to hiring any technologist: background checks, skills tests and several interviews to gauge whether the candidate is a good fit. But security specialists should also possess a healthy amount of paranoia and be trustworthy enough to guard your valuable information assets.
To find such people, companies like Microsoft lean toward hiring from inside.
Fast-paced firms engaged in e-commerce want only seasoned security professionals who can get up to speed quickly. But low-margin organizations, like the Federal Reserve, hire recent college graduates. Raines starts by looking for students with extracurricular activities that show they're adaptable.
"There's one guy I interviewed who'd just graduated from Rensselaer Polytechnic Institute in Troy, N.Y. He didn't have any security experience, but he had built an electric car by himself. And he'd put in a LAN in his house," Raines explains. "I knew the guy had smarts, and I hired him. He's a star performer on our Red Team." The Red Team is a group that attacks the Fed's network to test security.
Raines also looks for specific technical coursework: mainly Unix, networking, NT, Cisco and Java.
When it comes to hiring from within, it's easy enough to find candidates, says Howard Schmidt, Microsoft's chief information security officer. "The tough part is weeding out the wannabes from those who can really do the job," he says.
Schmidt and his staff are always looking for IS staffers who can think outside the box. For example, the employees who catch Microsoft's Red Team testing internal systems and notify his department are the ones he targets for future hiring.
During interviews, Schmidt and his team quiz candidates to see what they would do under certain circumstances. This shows if a candidate grasps overall system architecture as opposed to isolated vulnerabilities.
While it's best to hire within the organization, start-up firms or companies launching e-commerce sites can't afford to take the time to train, says Tracy Lenzner, owner of Lenzner and Associates, a Las Vegas-based job placement firm that specializes in information security professionals. These companies need seasoned infosec analysts, which calls for the most rigorous screening processes.
If you hire from outside, look among your peers, Crabb advises. If that doesn't turn up anyone, advertise at technical and security conferences, or call a headhunter. And when you find the right candidate, screen, screen, screen. Then put all the interviewers together to compare notes. Look for personality traits like drive, energy, determination and integrity; professional traits like dedication and analytical skills; and a strong understanding of the business at hand.
"Security is a hard sell," Crabb says. "So security analysts must be able to explain to management and other departments how to do things the right way."
(Radcliff is a freelance writer in Northern California. She can be reached at DeRad@aol.com.)