Wednesday, 3 October 2007

How not to hire a security consultant

Brand Killer Robots reveal:
So this IT security guy at a major investment bank in London says, "hello Mr X, thank you for coming along today to interview for the position of security consultant with ABC Merchant Bank".

He says, "what we're really looking for is someone who has a good level of understanding of business level security matters, because the current IT team are only really competent in Microsoft technology level security". Mr X replies, "so what do you mean by business level security?". After a brief pause the IT security guy says, "well I don't mean site security or business contingency security, I guess what we're really talking about is any other type of security beyond IT, office and disaster recovery". Mr X replies, "so what specifically do you mean?".

IT security guy finally cracks and says, "well...... we're really concerned that nobody is in control of the gaps which exist between the different areas of security specialism in our company". "What really frightens us is if this information leaks out and we become a target for everyone and his cat, from our most fierce competitors to the hacker guy working out of his basement in Atlanta".

"I see", said Mr X, "so when do you want me to start?". By this time IT security guy has built up sufficient confidence in the candidate Mr X, to offer him the job on the spot.

Several days later, the recruitment agent calls to say that the company in question has had second thoughts about hiring Mr X, as the information gleaned from the interview had led them to the conclusion that they must restructure their entire security operations forthwith.
Had Mr X been a black hat, he might have sought revenge in a multitude of different ways, from hacking their highly visible UNIX systems, to dropping a line or two to some interested parties or perhaps even having a whisper in the chief executive's ear.
