Security also suffers from paper tigers. "We hire guys with wonderful degrees who are just idiots," says one security vendor who requested anonymity. "We've had guys in here who've got degrees and certifications and they can't even wire a network. They know the words, but they don't know how to sing the song."
"For years now, people were getting certifications left and right," Maley agrees. "They might have five different acronyms after their name.... Honestly, [in] the certification industry, there are brain-dump sites. People can get certified without having experience."
Maley says that from what he can tell, hiring managers see the acronyms, get impressed and let extensive vetting slide. To avoid hiring paper tigers, employers have to look at a resume and then map the experience back to the listed certifications, he says.
That said, Maley would hire CISSPs (Certified Information Systems Security Professionals), CISAs (Certified Information Systems Auditors) or CISMs (Certified Information Security Managers) -- if he could afford them, that is.
"CISSP, I wish I could say I'm hiring them," Maley says. "I can't pay those guys enough." As far as CISAs or CISMs go, Maley says that typically CISSPs have those certifications, which reflect what he calls built-in experience. "You can't get those unless you show you have that experience," he says.
Getting what you pay for
Speaking of not being able to afford CISSPs, Maley says that not being able to afford qualified security staff has been "one of his biggest challenges" in heading up cybersecurity for state government. In fact, Maley estimates that there's a pay differential of anywhere from 20 per cent to 100 per cent between the public and private sectors.
"I lost a gentleman who doubled his salary when he went to the private sector," Maley says. "For me to get a security expert in, even if I would take them up to the highest step in their pay category, it doesn't come close to what they could get in the private sector." And Maley can't entertain the notion that a given hire will stay with him for the long haul.
What he does to get around having an inexperienced security staff is to hire those who are "a little wet behind the ears" -- sometimes right out of college -- but who show promise.
The lure for such hires is the chance to work in an enterprise environment where security staffers have the chance to spot cyberattacks as they hatch. In the past six months, for example, his security team has seen three variants of the Storm Trojan come in that hadn't been spotted elsewhere. That's not surprising, given Symantec's April 8 Security Threat Report (download PDF), which cites a shift in attacks aimed at sites that are likely to be trusted by end users, such as social networking or government sites.
"I've got a team that has the opportunity to fight that kind of stuff, analyze it and be on the leading edge in the fight between the bad guys and us," he says. Recruits get hands-on experience on projects that are both significant and "exciting," including a penetration-testing rollout partially automated with Core Security technology in response to repeated interruptions from virus outbreaks, Maley says.
Maley also coaches his green recruits at building their resumes. He knows that eventually they'll leave, but if they're adding to their resumes, having fun and learning in the meantime, chances are they'll stay that much longer -- a trick that any revenue-challenged organization can employ to good effect.