The Lusty Month of May.

Folks, it’s been a banner week in the life here. I don’t even know where to start. Think of this as a “rant of consciousness”.

Notable:

A huge thank you to everyone who commented on last week’s post. I was fairly sure that there were people reading, but having some actual connection is gratifying and inspiring. I’m guessing that including a little bit of insight/mentoring in posts (and returned comments) has some cachet amongst you, the readers… expect more in the future.

I have this friend… we’ll call him “Unicorn Chaser”… who’s been having a hella bad time with auditors of late. Anyone care to vent their rage at those darlings of the Big 4 who seem to have monocular vision (peeping out through their own navels)?

(micro rant) The point of an audit (SAS70 or Section 5970) is to hold an organization up to its own policies and standards and validate that it is compliant. The minor issue that the accounting industry went through near the beginning of this century has negatively impacted this fundamental point, and you now have auditors declaring their own standards on a per-firm, per-partner basis. They’re doing this in order to protect their own asses. They’re doing this because they were caught simultaneously with their hand in the cookie jar and their pants down by the whole world. The problem is that they are assessing technical configuration risk using their own matrices rather than according to the risk adjudication of the organization under audit. The time for this is frankly over. Until the audit firms agree to utilize an industry standard framework (ISO 17799 / ISO 2700x) and technical standards which have been agreed upon as reasonable (a pass rate of 80% on the Center for Internet Security standards), it is incumbent upon CSOs, CISOs, CIOs, CTOs and audit committees to push the accounting firms into pulling up their socks and either being professionals about doing the computer auditing portion of their work or stepping out of doing computer auditing unless and until they have a designation which covers computer auditing (i.e. in Canada a Chartered Accountant must have a CISA before being authorized to do a black box audit). I’d really like the CICA (Canadian Institute of Chartered Accountants) to get together with the community and sort this out. It’s past time. (end micro rant)

I hope that “Unicorn Chaser” can stick-handle his way past this one without losing his soul. We’re all pulling for you man.

The mentoring point of the week comes from yet-another-interviewing-related-issue.

The quality of resumes that I’ve been getting lately is off-the-chart bad. Here are several ways that you can make it easier for me to read your resume.

Short and Sweet: I got one resume this week – I swear to you that it was 6 pages in 9pt type. SIX FREAKIN PAGES. Guess what buddy – I’m not reading past the 2nd page and I’m not interested in what you were doing in the 80s. Think 3 pages – who you are and what you’re about, what you’ve done lately, what you’ve done in the past that makes you well rounded. If you’ve been a busy monkey lately, stretch the 2nd page to 2 pages and give me 4, but resist the urge to go past 4 pages. If your font dips below 11pt, you’re cramming. Don’t cram.

Buzzword Compliance: I know that you need to put in the buzzwords to get past the HR filters. When you get to the part where you’re telling me all about how you know every technical standard and tool on the market, it would be better if you spelled them correctly. If you can’t spell it, you probably haven’t run it.

KISS: Keep it simple. Most of the resumes I’ve seen lately have been from recruiters who do murderous things to formatting in an effort to “brand” the candidate. Generally, they’re going to put a crappy low-res logo on it somewhere near the top, they’re going to ship it in MS-Word format, and they’re generally going to screw with the font. Make sure that your resume can survive being edited by an idiot.

Tell me about you: It’s not just what you’ve done (although that’s important too), it’s who you are. Don’t bother putting it in a cover letter, I cannot remember seeing a cover letter in the last 2 years. In the body of your resume somewhere, consider giving me the kind of information that I tend to look for in an interview – what kind of security professional are you? If your resume is interesting to me, I’m more likely to at least do a screening call with you. If you don’t look like someone I can work with, I can save us both a ton of time.

Google yourself: If I can’t find you in Google (insert other cool search engine here), I’m going to have a harder time gauging who you are and what you’re about. Don’t make it harder for me. And remember that HR departments are starting to figure this out too.

One last point.

Please try contributing to Security Analogies — I’ve had very good luck with using them to communicate difficult (and one could say intentionally difficult) concepts to people who are otherwise perfectly smart and just completely un-interested in trying to learn all there is to know about infosec.

I hope all of you have had a better week than most. Looking forward to your comments and expect more next week.


Comments

  1. @rybolov

    You’re correct about choosing to / being required to adhere to a specific compliance standard. I’ve taken the approach that I need to create a program that is predictive of what all standards will ask for and ensuring that we comply with that (within the constraints of the risk assessment and adjudication of the senior exec – those that would be wearing the jumpsuits).

    Wheeeee – love this stuff.

  2. I managed to have a chat with “UC” earlier today. He’s coming around. At least my week was far less painful than his.

    Still… I’m glad that the day is almost over.
