Secure Coding mailing list archives

Hiring folks that are familiar with SC practices


From: gwc at acm.org (George Capehart)
Date: Mon, 05 Jun 2006 00:15:27 -0400

McGovern, James F (HTSC, IT) wrote:
Figured I would ask the list a question that I haven't figured out the answer to. How have other enterprises that 
seek architects and developers knowledgeable in secure coding software development practices articulated it to their 
internal HR recruiting arm? We have been seeking candidates with this background but haven't run across much on our 
side of town.


James,

Believe me when I say this . . . I'm not trying to be a wiseass, but it
takes one to know one.  My experience with recruiters and HR types is
that the ones who are best able to identify suitable candidates are
those who once were themselves.  There are a blue million "Monster.com
droids" who can download a bazillion resumes and grep for a particular
word or phrase.  Those folks are less than worthless.  A good recruiter
or HR person has spent some time in the discipline for which they are
recruiting.  I have had the pleasure of working with them.  They are
knowledgeable of the subject matter and the players in the discipline.
They can tell after one phone call whether a candidate is a good fit or
not.  But the interviewer /*must*/ have had some experience in the
discipline.  Otherwise they are clueless.  They have no basis on which
to make discriminations and can't tell from reading a resume whether the
candidate is a good fit or not.

Now, I'm going to put the shoe on the other foot and say that the
individual who is searching for talent must know enough about the skills
the candidate needs in order to clearly articulate them to the
recruiter.  If the individual who is trying to fill a job really doesn't
know what skills and background the candidate needs to have, it's going
to be the luck of the draw if a hiree does actually fill the bill.  So,
in the end, the person who is doing the hiring must be knowledgeable and
able to articulate precise requirements and the HR person/recruiter must
have enough of a background in the discipline for which s/he is
recruiting that s/he can actually read a resume and conduct a phone
interview with a candidate and know whether the candidate fits the
requirements.  Having some drone in HR grep through a bunch of resumes
for two or three key words is /*not*/ the way to winnow candidates.

FWIW,

/g



