The IT Security Hiring Labyrinth
Picking the right IT personnel is just the start. Some practical tips on navigating a process that is fraught with pitfalls.
Laws such as Sarbanes-Oxley are driving forces, particularly as stories about violations of privacy and lost business enthrall the media. No company wants to end up on the front page.
And yet, frequently when we hire individuals, we do not adequately train them to adhere to the security policies we have created. It isn't unusual for companies to have the new hire sign the necessary policy papers. But more often than not, nothing is said about the policy, how it's enforced, or how it affects the company and the employee in day-to-day affairs.
This kind of practice creates an environment for failure in the long run. There are a few things to consider before hiring a new person into your IT team(s). While these are tried-and-true recommendations, they need to be steps that are actually carried out, not just said to be done. You may not think of this as part of IT security, but remember: the person being hired will manage your servers, and those servers are what keep your company in business.
It makes sense to ensure that the new hire will meet the standard that's needed to keep things secure.
When asking for references, actually perform a check. It's amazing how often companies ask for references and never follow up with them to find out what the person is like. These should be work-related references, not friends, family or professors.
Perform the appropriate background checks, but don't expect absolute perfection. The fact that someone got a speeding ticket doesn't mean that they can't do the job they are being considered for. It just means they like to drive fast and got caught doing so.
Verify where they have worked and that the position they held was as they described. This is important, as it will give you an idea of how strong their security mindset is before you even offer them the job.
Verify certification standings, and ensure that degrees are valid. In some cases this may require the candidate to bring in the original certificate, which can then be notarized by the hiring team. In others, such as the CISSP from ISC2, the certifying body should be able to verify whether an individual matches the certification number. A mismatch could indicate identity theft.
Degrees also need to be verified. Grade averages may not be important or necessary, but verifying that the person actually earned their degree from a reputable institution is worthwhile. There has been one case involving the Department of Homeland Security in which one of its higher-ranked officials had purchased their degree.
Now, this may seem like a lot of work, and it is. But these are necessary steps to ensure that your company is protected. While skills can be taught, it's harder to ingrain the security culture of your company into someone. It's helpful to know beforehand whether or not your potential new employee will fit in.
So when a new employee starts, they should not just start with technical training, but also with policies and procedures. Do not just expect them to read the document. While we put the onus on the employee, it's better for the company to invest in a little education (a half-day session) than to deal with the PR disaster that might happen six months down the road.
Here are a few items to consider.
Ensure that they know what is and isn't acceptable as far as company resource usage is concerned. Some companies have stricter policies than others. An employee who is only vaguely told what to do and what not to do may not be truly aware of what is required of them. They may assume that it's OK to use instant messaging tools at work or to access personal email because they had done so in their previous employer's work environment.
Ensure that the employee knows where to find the policy internally and/or externally if need be. They should also be aware of how often the policy is updated.
Make the new hire aware of the consequences of not following the policy. What does it mean for them if it's put into their employee record? What impact could it have on future raises or promotions? You should also include an indication as to the cost to the company for violating the policy (and it does cost the company in resources as well as image).
Technologically speaking, make the employee aware of how far their responsibility extends in certain ethical situations and of the potential legal ramifications they may face. It is also an opportune time to set limits, delineate roles and spell out what they are and aren't responsible for. This can help them make decisions that will better serve the company in the long run.
After the employee has been with your company for at least two to four weeks, ask them what they see working and what isn't. Feedback from them, as the newest set of eyes, may help identify problem areas as well as what is working. This can be helpful for overall policy implementation and updating. Additionally, this will heighten the importance of the policy to the employee and show them how important security is to the company.
It's always been said that it's not about the technology, the policy or the people, but rather about the combination of all three. Many enterprises are good at getting the right people, purchasing the right technology and developing a good policy, but combining and integrating the three is an area in which many organizations continue to fall behind.
Your business needs to be proactive in its security implementation, rather than reactive. It may mean that your PR firm will only distribute good news about the company. That's not all bad, is it?
This article was first published on Enterprisesecurityitplanet.com.