[rmac]

The problem with open source security tools (e.g., bro, suricata, brakeman) is that they require security expertise to operate, continually. In my experience many small/medium organizations who actually care about security don't have such expertise in-house and can't find good security people to hire. This limits them to buying commercial solutions which (also in my experience) tend to blow.

We need more security engineers, but the problem is I don't even know what that job title requires. The author pokes fun at CISSP, but how else can I figure out if someone is 'good' at security? They are already so rare and mostly employed by google (joke).

[tptacek]

Your CISSP point has an is/ought flaw. It would indeed be nice if there was a sticker you could look for on a candidate to know if they were qualified to do security work. But that sticker does not exist. The competence of candidates with the CISSP sticker varies wildly, all the way down to barely- computer- literate. Over time, the top end of that range is trending downwards, as well, so to the extent it's a signal, it's a negative signal. (It's such a weak signal that I wouldn't make any kind of decision about it. There are very smart people that have CISSPs.)

[jenandre]

I saw a good job post for a modern security engineer the other day from slack https://jobs.lever.co/slack/dfd75111-97a6-4edb-a21a-b8388a46...

[dsacco]

>> The author pokes fun at CISSP, but how else can I figure out if someone is 'good' at security?

I'm the author.

If you are hiring a security consultant for your firm and you know how to judge infosec skill, use a work sample and check references.

If you're hiring a security consultant to perform a penetration test or audit for your (non-infosec) company, hire people who have a healthy mix of the following:

1. Public, verifiable work (e.g. bug bounties).

2. Solid references and past experience with clients who themselves understand what to look for in a security consultant. You obviously check these references. Alternatively, a solid reference that the candidate worked at NCC Group, Accuvant, Leviathan, etc.

3. Research in the field, such as discovering a new class of vulnerability, publishing vulnerabilities in ubiquitous software, etc.

Prioritize #2, because not all adept security folks like to conduct research or participate in publicly verifiable work.

Of the certifications you can have, the Offensive Security[1] certs are pretty rigorous. For example, the OSCP is a good indicator that a candidate knows what they're doing to offensively test a client's network. That's about it. Almost all other certifications are run by people who have, at best, textbook knowledge of information security. People who get the CISSP can probably accurately describe a cross-site scripting attack to you in an interview, but there is no guarantee they can practically find it or defend against it.

The other issue is that while some certifications are good, a lot of folks in infosec just don't care for them. They can find high paying jobs in prestigious companies without a degree or a certification of any kind, so they simply don't bother, even though they could pass it. This means that you can't reliably throw out candidates with no certifications...which circles back to my original recommendation. Work samples, references and public work are the best ways to judge a candidate's talent. I'm directly aware that this system is used at Matasano and Accuvant, and it's likely the norm at the other "quality" security consultancies.

'tptacek would have a lot of great advice to contribute on this matter as well.

[1]: https://www.offensive-security.com/information-security-cert...

[sprkyco]

+1 for anything from OffSec I failed their OSCP once and after some reassessing I will not be taking for another year or so. However, there are many companies that list if not require a CISSP and other CISSP holding individuals are hesitant to degrade the efficacy of the cert.

[tptacek]

Generally: a requirement that candidates hold CISSP is a strong negative signal about the job. This observation would have qualified as "insightful" 10 years ago, but in 2015 it's verging on conventional wisdom.