Monday, June 16, 2014

Why HR Cannot Hire Good Security People

There are a lot of posts that are more or less begging to be written; much of the behind-the-scenes work (consolidated notes, bookmarks, text fragments, etc.) is done, and the post would be at least somewhat timely. In some cases, that might involve a flight of posts. Languages worth learning, from a security worker's perspective, come to mind. Embedded Lua interpreters, for instance, turn up frequently. Another Java post is definitely needed.

The list of potential language posts goes on for quite a bit, especially when you consider how broad a term 'security worker' is. It is entirely possible to devote an entire career to statistics, yet fall within plausible definitions of a 'security worker': consider risk analysis, breaking data anonymization, etc. R, various Python-based tools, etc. (all related to technical computing) would then become quite important.

I have attempted to get a grip on what a 'security worker' might be, hence what the qualifications might be, for several years. On at least one occasion, it was in response to an HR request for specific instructions regarding hiring a counterpart in a foreign country. This is a hard problem; to take a random example, the Law of Large Numbers is important in surprisingly many security fields, but it is obviously nowhere near being a useful universal selector.

What else goes wrong in HR, from an applicant's perspective? My top three contenders, on an ongoing basis, are

  • Requiring five years experience with something that has only existed for two years
  • Requiring experience with something which is completely irrelevant
  • Being driven by marketing fashion, not fundamentals

HR doesn't operate in a vacuum. Someone (likely an over-worked developer, sysadmin, or entry-level supervisor of either) provided those bogus requirements. The knock-on effects are that

  • The best candidates will likely never make it to an interview
  • If the person who defined bogus requirements is part of the interview team, defensiveness is likely to fail the best remaining candidates

The best candidates have now been weeded out. HR often takes the heat, through no fault of their own, while much Internet drama is conducted in the various technical cognoscenti fora. The evil HR director Catbert, made famous in the Dilbert comics, exists. I have run into a few, over the years. However, Catbert is the exception, not the rule.

That seemingly throw-away point above? "Being driven by marketing fashion, not fundamentals?" That is a whole topic in itself. It may be the greatest challenge facing the security industry today.
