A friend in the business sector recently asked me for advice on "IT security in a large charity". Being a developer not specialized in security, I could see his difficulty in finding someone qualified to hire to counsel him.

Struggling for answers, the only example I could advance was the following: if you're seriously asked to give out your password for an audit to be conducted (and this not being a "test", of course), you're probably dealing with someone who doesn't know what they're doing.

What are some helpful tips and pointers you could give a non-technical manager in choosing a competent / avoiding choosing (and hiring) an incompetent professional?

I am aware this question might be off-topic, but the purpose of this question is to give some general resources to non-technical decision makers to hire someone qualified.

  • It's not clear what the scope of your question is. What do you mean by 'help'? Are they looking to hire? Are they looking for policy design? Are they wanting guidance on policy enforcement? – schroeder Aug 06 '13 at 21:25
  • Ultimately, looking to hire, yes. But to get there, maybe they could have to find someone to hire someone. – Jonathan Allard Aug 06 '13 at 22:11
  • I'm voting to close this as "Too broad" as there are literally hundreds of examples that can be listed. – Aug 07 '13 at 00:39
  • This is not an unusual problem. There is a growing market for a 'Consulting CISO', one who comes on board to advise, guide, and ultimately to find a person or to train an existing group to take on the appropriate role within the organization. Right now, resources are slim to find someone with the right set of skills (business and security) willing to be a temporary adviser. Reach out to the professional organizations in your area (ISACA?) to ask for help. – schroeder Aug 07 '13 at 01:21

2 Answers

A security professional knows that "secure" is a state that one will never reach to 100%. It's about reducing the attack surface on a daily basis. Security is an ongoing process and "secure" can be considered as a snapshot.

enigma
The answer to this question encompasses more-or-less the sum total of all IT security. It's a bit broad.

But to answer a broad question with a broad answer, here's what he should do:

Hire somebody who is competent and whom you can trust.

Everything else is just footnotes to that.

tylerl