Hire the hacker.
I've seen a bunch of job postings lately for security folks, and almost universally they're a big cup of #fail.
Let's say you're a Fortune 500 company, and you're seeing your software and systems being used repeatedly to demonstrate whatever new zero-day attacks come up. Maybe you don't know why the hacker crowd is picking on you, but you know they are. Your executives are getting angry about being in the press for yet another security failure, and so they say, “hire someone qualified”.
So what does that mean? Most of the postings I'm seeing are asking for a Master's degree, 10+ years of experience, a handful of industry certifications, a Secret-level clearance, and are titled “Manager|Director|Chief of Security”... they also typically pay less than 6 figures. See the problem?
The person hacking your stuff is probably a high school drop-out who spent the last 5-10 years refining his/her craft and participating in a hacker counter-culture that isn't taught in schools. They're the type who could steal millions from a credit card company, but for some reason never do. If you put a contest up and say, bet you can't hack this (e.g. pwn2own), they'll descend on you from around the world.
Consider this: by the time your desired classically educated chief got their master's degree and 10 years of experience, given the age of the computer industry, they were trained in a time when most folks were still using dial-up to connect to networks. If you assume it took that graduate 8 years to get that advanced degree, then we're talking a full 18 years ago. Back then, the biggest threat to your business was Kevin Mitnick tricking your secretary into reading the numbers off the modem.
Needless to say, one would hope those classically trained folks refined their skills as time marched on, but the sad reality is that many, maybe even most, simply don't. More importantly, what they learned 18 years ago has no technical relevance today. So you've got this long list of qualifications, designed to get you the best possible security specialist, yet you've totally ignored the social dynamics of the industry.
So what do you do? Hire the hacker and put 'em in charge. You read the Care and Feeding of Hackers, and The Hacker Ethic, and understand what drives your hacker. You channel Dan Pink on the science of motivation. Autonomy, Mastery and Purpose. You throw out the idea that a degree is a success predictor in this industry.
Can you manage security folks with burndown charts and performance analysis? Can you tell them what to work on? Give 'em bonuses for completing a security project on time? Nope. You have to say, "this is yours, protect it, don't embarrass yourself," and then hire the right people with the skills to do the job.
So what do you need to know about hiring security folks?
- No responsibility without authority. (This is why the US can't keep a cybersecurity czar.)
- Pay top dollar, but don't offer incentives. (Your hacker will resent being patronized.)
- Make them public-facing and use the reward of public acknowledgement and the fear of public embarrassment.
- Keep the MBAs away from them. (No, they will not pick a story from the board or estimate how long a security review will take.)
- Self-assembling teams work best.
- Have a clear chain of command, but use it only as a mechanism for dispute resolution, not for routine task assignment.
- Schedules are meaningless; results are the only thing that matters.
- Fund them properly. Security can be expensive, but being hacked is more expensive. Security should be a percentage of your overall operating budget, and cannot be treated as a series of capital projects.
- There are very few real hackers and a lot more script kiddies; know how to tell the difference.
Security is not hard, but it requires aligning your business with the industry, and hiring people who are driven by the desire to be the best. Until then, well, good luck with this approach.