CSO
When security staffers fail up
Containing the painfully unqualified or essentially overwhelmed
Lisa Vaas (Computerworld) 23/07/2008 09:40:52

Skirting the underskilled

When dealing with a security staffer with limited skills, you've got to limit his potential to blow everything up. This approach is called "putting a skirt on him" by the don't-quote-me crowd, but there's a more positive spin to put on it. Anthony Scalzitti, a security engineer at a major security software company, says it's all about limiting potential mistakes by assigning tasks on less critical systems -- for example, investigating suspicious log activity or IDS reports.

Another useful security role that won't get a limited-skill staffer into trouble is attending the meetings of other business teams so that the security group is aware of upcoming projects. Having a security representative sit in on team meetings also reminds colleagues to build security in from the design phase instead of shoehorning it in after design and development.

"Take a newer [security staffer], or a younger one, to be that person," Scalzitti says. "Even if they don't contribute a lot, if they're in the meeting, those people say 'Oh, we have security here,' and they feel obliged to think about security. The person may not contribute a lot, but that's when a more experienced part of the [security] team tells them what to say next."

As it is, many organizations have struggled to integrate security as an element of quality in application development, alongside speed, failure resistance, scalability and the need to meet business requirements. Having a warm security body on hand can thus serve not only to educate the security newbie and keep him out of trouble, but also to get security's voice heard.

"These are useful roles, and mistakes generally don't impact business," Scalzitti says.

Deflating prima donnas

Security prima donnas are the opposite of security boobs, but they're still a pain to work with. These are the staffers who regard certain tasks as unworthy of their time, including reviewing logs or activity alerts, doing simple configuration reviews or meeting with other business groups.

In handling such divas, Scalzitti has had success putting them to work researching security incidents that appear in the media. The point, he says, is to get the security elite to discover that 80% of incidents are a result of simple attacks on low-hanging fruit.

"In information security, there are so many opportunities for an attacking hacker to pick a company," he says. "Unless they [have a grudge against a particular] company, they're going to go for low-hanging fruit. Having [prima donnas] research low-hanging fruit, it may take some time, but they come to realize the basics of how things happen."

The last resort

It's good to have tools to deal with security's bad apples, but an ounce of prevention is worth a pound of cure. Many organizations have a 90-day probation period policy for new hires. Once past the 90 days, most states make it difficult to dismiss an employee without jumping through hoops to establish cause. The lesson: Watch new security employees like a hawk during their first 90 days in order to avoid getting stuck with security flunkies.
