Re: How to get better security people

[Roger Marquis <marquis () roble com>]

"E.B. Dreger" <eddy+public+spam () noc everquick net> wrote:
> Service patches were never applied.  When some suspicious
> happenings left said server inoperable, they just installed
> Win2000 and went on, not caring what had happened or why.
>
> No, I was not the employee.  A friend of mine worked there before
> getting fed up and quitting.

We see this a lot too.  It is, IMHO, why good security people who
are not in finance, defense or other security-conscious sectors
tend to be consultants.

Consultant or not IS security gurus are no different than other
in-demand technical specialists.  You have to 1) pay them appropriately,
2) have a decent working environment (no windowless cubicles, junk
food cafeterias, inflexible hours, unskilled management, etc), and
3) provide constant training opportunities (conferences, classes,
good assignments).

Don't expect them to have programming degrees or be interested in
coding.  Those would be security developers as opposed to security
analysts.  Finally, NEVER ask a Unix literate engineer to use an
MS Windows PC...

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/