Friday, January 24, 2014

Human Resources departments: hurting the company's security?

With tens of thousands of unfilled computer and network security positions, the hiring process itself may be a major impediment:
Further up the chain, getting through the hiring filters can be a struggle. Tipton and Kerby both agreed that the traditional human resources process, through which applicants typically are sorted, might not work so well when it comes to cybersecurity hiring.

"Today all the applications are filtered by keywords and reviewed by people who don't necessarily understand what the mission is. If you don't understand what the mission is, how do you find the right person for the job?" Kerby said. "When I was hiring, I used to sit down with a candidate and tell them, I'm going to ask you 20 questions. Here's the 20 questions; it's not a pop quiz. There are no right or wrong answers. By the end of those 20 questions, chances were I knew whether that person was right for the job, but more importantly that person knew whether the job was right for them. You can't know, whether you're the manager or the candidate, if someone is right for the mission until you sit down with them and figure out what makes them tick. And that's hard to do when you're talking about huge numbers of workers and positions."

This is from Federal Computing Week, so it's focused on the Government process. I think that the Fed.Gov could do some significant good by instituting a German-style apprenticeship program in cyber security.

Remember, if you're looking to make a career change, you can do a lot of this on your own.


newrebeluniv said...

Especially true for math, science and engineering positions. HR people studied easy stuff (liberal arts) in college and avoided math entirely. Thus, they have no understanding of anything technical. My first job as a civilian I got as a personal referral to a corporate VP. He told me that he did all his hiring this way because his HR department couldn't send him a single referral. They simply did not know what to look for. And their HR training taught them how to over complexify things and write long wordy job descriptions with measurable skills tied to corporate goals. The end of which is a position no real person can satisfy the word search.


Dave H said...

I've been lucky in that every place I worked, I ended up talking to at least one engineer who had a clue about what I needed to do for the company. Even the place where I got hired by spamming their careers web page with resumes. HR forwarded resumes to engineering managers who were better at recognizing other keywords. ("Amateur radio" in my case.)

Comrade Misfit said...

I suspect that if you took out the possessive and deleted the word "security", you'd be spot-on.

I worked for a company that was pretty screwed up. But one thing was done right: The managers who would directly supervise a new hire had a huge say in the screening and hiring processes. HR could raise red flags, but if a manager didn't want to hire "X" for good reasons, that candidate didn't get hired.

burt said...

Had a phone screen last night for an embedded Linux position with a local company. The interviewer identified himself as the "program manager", told me he wasn't a "software guy", and proceeded to ask me software- and programming-specific questions.

He had a copy of my resume in front of him. He saw the 30+ years of experience. He saw the keywords and some expressions that only a true "software guy" would recognize (I put them there specifically for that purpose).

The questions were... simplistic. Either he was lying to me about not being a "software guy" to get me to explain complex concepts in simple terms, or he just didn't have enough background in software engineering to understand the questions (or the answers).

"I'll give your answers to the engineering team. If they like your answers, they'll arrange for another more technical phone screen. Thanks for calling."

If he was lying, I don't want to work for him (trust). If he doesn't understand software but he's the software project manager, I don't want to work for him (mismanagement).

It's not always HR that's the problem.

OMMAG said...

I'm retired now ... but the HR director for my last employer was a bartender before he got the job as manager - human resources.

He took a 20 week community college course paid for by the government and the old HR director hired him based on his "credentials". The guy was incapable of producing suitable job candidates over the five years I worked there, costing our group years worth of productivity and the company millions. He remains there to this day.
I worked there for five years before pulling the pin on that clusterf@ck.

Chris Byrne said...

I cannot begin to describe how true this is... in fact, how understated this piece is.

I would elaborate, but I'm still suffering PTSD from the "hiring process" I went through last year.