More of the same
As I was ruminating about this sad turn of events, a trusted friend who is the CSO at a large Fortune 100 company called to vent about exactly the same issue. This CSO is the type of boss any of us would want to work for. He's an above-average intelligent guy who loves computer security, protects his team from the politics, and gets his staff involved with all the cool toys. When you join this team, you're surrounded by other smart security experts. It's a dream job with a nice salary.
So my friend called up a trusted computer security headhunting firm, gave them the qualifications of his desired candidate, and waited to interview the preselected cream of the crop. His findings? Exactly the same as mine. He was befuddled by the poor showing across the entire group of candidates. He thought 90 percent of them were wholly unqualified. He was so tired of getting security-certified people who could not answer basic questions -- and we're not talking rocket-science inquiries.
Example: "Tell me what you know about Conficker." Most responded that they didn't know that much about "Conflicker" (note the added "l"), except that it had infected a lot of computers and was overhyped. Another example: "Tell me five things you would do to harden a Windows computer." He expected he'd have to cut off most of the candidates, thinking they'd have an exhaustive list of techniques to recite. Heck, I can name five things I'd do related to password policy alone. Instead, none of them came up with five items. Most only came up with two or three things. One asked for the question to be repeated. Yeah, he didn't get the job.
Hire knowledge, not certificates
These anecdotes reinforce my belief that security certifications do not guarantee the overall quality of a candidate. Holders of the No. 1 most popular -- and overrated -- certificate (you know which one I'm talking about) ran the gamut from adequate to nearly clueless. How did they pass that exam?
I will say that, from my experience, any of the SANS certification courses tend to turn out very knowledgeable candidates. The organization is one of the few doing it right. Any job candidate with a SANS cert should be given special move-to-the-head-of-the-line consideration.