The InfoSec Blog

A sign of the times

Posted by Anton Aylward

It seems that many people in HR don't realise that the interview is a two-way street. Not only are they trying to find out if the candidate is suitable, but the candidate wants to know about the position, the firm, the job and the people he will be working with. The most successful interviews are when both parties realise this and work accordingly.

Thirty plus years ago the company I worked for out of university assumed that the hires were there for their career. As such they invested in them. Training for middle management and beyond began quite early.

One of the first things we got was interviewing skills, that is DOING the interviewing. You might wonder why this was so early on. I was told that part of interviewing was determining if the candidate would fit in with the team. (How different from the attitude where hiring 'gurus' and 'whiz-kids' for their individual excellence is the only criterion.) Hence the candidate needed to meet the team and so the team had to understand how to interview.

But today? How many companies invest in training in that strategic manner? The last couple of decades have been ones where job-hopping is the norm, so why should a company invest in training someone who will shortly be gone? Most people look to their own training, hence the rise of the training companies.

Hence also the rise of evaluating applications by their training record, and in some cultures the attitude that training is a ticket and certification is a ticket to a job. Many of us have seen on other forums people posting

"I want to get into security - which should I take first,
a CISSP, CISA or CISM?"

It's really hard, I've found, to convince people with this cultural background and set of assumptions that it's experience that counts.

I wonder if the same applies to HH/HR/screeners?

I ask because I'm one of those people who isn't good at classroom learning. I'm better off taking things apart and experimenting. In the classroom I'm a pest; I ask questions as my mind races ahead and "off on irrelevant tangents" - which amounts to next week's lesson! You're never going to see a long list of courses taken and certifications earned on any of my resumes.

I'm off doing the "I wonder what if...". I think in terms of 'ability' rather than skills with specific pieces of equipment and software. I'm more like the guy in Asimov's short story "Profession".

Well, it takes all sorts.


Encyclopedia of IT terms

Posted by Anton Aylward

CMP ChannelWeb have an on-line encyclopaedia of IT terms. This is a useful addition to my toolbar for composition, along with a more conventional dictionary.


The definition of 'information security' seems limited to access control, which is very disappointing. The definition for 'computer security' is more comprehensive. Nevertheless, to a security professional both these definitions are lacking.

What screams out to me, and this is very obviously my bias, is the lack of any mention of INTEGRITY in these definitions. As I keep pointing out, if you don't have integrity, any other efforts at security, be it information security, or "Gates, Guards, Guns and Dogs" physical security, be it backup and disaster recovery, be it access control, be it 1024-bit SSL, are all going to be pointless.

It's not until we follow a few links at the Encyclopaedia and come to a mention of Donn Parker's six fundamental and orthogonal attributes of security that there is any mention of 'integrity'. Even so, that definition has only a link to 'data integrity'. There is a separate definition for 'message integrity'. While these specific items are important, they are details. What is lacking is a general definition of "Integrity". Once again, Fred Cohen's seminal 1997 article on the importance of Integrity comes to mind.

No, a much better reference is Rob Slade's "Dictionary of Information Security", which, of necessity, encompasses many IT terms.
