Want a security pro? For starters, get politically incorrect and understand geek culture

MIAMI -- While complaints can be heard far and wide that it's hard to find the right IT security experts to defend the nation's cyberspace, the real problem in hiring security professionals is the roadblocks put up by lawyers and human resources personnel and a complete lack of understanding of geek culture, says security consultant Winn Schwartau.

Take Janet Napolitano, U.S. secretary of the Department of Homeland Security, who has said the country can't find the right people for network defense. The real problem is a misunderstanding of computer geeks, their personalities, habits and their backgrounds, said Schwartau today during his talk at the Hacker Halted information security conference here.

NEWS: Gartner: 10 critical IT trends for the next five years 

MORE: Ernst & Young's IT Security survey shows struggle to secure mobile, social media, cloud

Computer geeks are discriminated against under hiring rules and legal niceties that often categorize them as undesirables. "We do not fit the mold. We at the outer limits of normal," Schwartau said.

According to Schwartau, there's a gauntlet of hiring obstacles today that actually work to discriminate against computer geeks who have the expertise to do the job of protecting government networks. Demands for college degrees and IT certifications and the ability to get IT security clearances should not be a priority in hiring, said Schwartau. "Forget education," he said, adding, "We need to re-design clearances -- they're a Cold War relic designed for nuclear secrets and 1950s crypto." The era of 9-to-5 is also over, he added.

He said what's holding up hiring IT security professionals can be found in the thinking of human resources departments that frown on conditions such as attention deficit disorder and autism, or obsessive-compulsive personalities which are typical of computer geeks willing to focus on an issue through the night. And although hiring rules in place tend to go the extra mile to accept alcoholism, the slightest type of illegal drug infraction makes it tough for job applicants. "We've got to start getting politically incorrect if we want to get the job done," said Schwartau.

If there are tests that need to be done to probe the basic trustworthiness of job applicants for sensitive network security jobs in government or industry, said Schwartau, it would be better to try industrial psychological profiling, making it clear that anyone that passed it and got hired would be subject to it over and over again during the time they were in their job.

Computer geeks could be asked something like, "If your wife and daughter were kidnapped, will you turn against my company?" he suggested. The answer would likely need to be "yes," because "anything else is deceptive."

"Do you need a secret clearance to defend a network? They say you do," said Schwartau, alluding to government rules. But the government is competing against private industry and, yes, the criminal world, for the kind of talent held by those who really know about network weaknesses.

"HR's job is to find something wrong so they don't have to hire you," said Schwartau. It could be money you owe, or your age if you're older, or personality traits seen as either too meek or too aggressive. But he says some of these rules should be tossed out to find the right IT security skills. Computer geeks are often socially awkward, they may be accustomed to blurting out whatever they're feeling with brutal honesty, and they "won't kiss ass," said Schwartau.

"HR and lawyers need to get over it," Schwartau concluded.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags Ernst & Youngbusiness issuesIT security careersWinn SchwartauHacker HaltedIT security jobsIT careersIT jobshackergeek culturepersonnelHacker Halted conferencecorporate issuesDepartment of Homeland Securitysecurity

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place