Sunday, May 3, 2009

Connections, and weak links?

In my last post I listed a few vendors who have job openings, and the ever-alert Martin McKeay commented and asked why some of the careers pages were external links. Good question. There are companies like Taleo that specialize in providing outsourced "Talent Management", and in small to mid-sized companies it may make sense to let others gather resumes and do the initial screening, but that is a great way to lose talent in the process. Many IT (and especially "security") positions have fairly esoteric requirements; the best candidates may have the right attitude and aptitude but not know the specific tools. The ability to learn and perform is often more valuable than specific skills, and pre-screening often focuses on checklists (if they love checklists so much they should just become auditors), which can weed out some of the best candidates. Besides, expert knowledge of Forensicator Pro 2007 is obsolete as soon as the Next Great Thing(TM) comes along; the ability to learn and perform never becomes obsolete.

I should also mention a couple of other obvious items: someone else now holds PII that was, in theory, submitted to your company, and that third party may also provide an attack vector into your world. I would make sure that the "talent management" firm does a very good job of protecting the data gathered and processed on your behalf (a requirement of 201 CMR 17.00, by the way), and I would hope some level of audit or testing of the firm would be in scope for any pentest or vulnerability assessment of your company. Remember, "out of scope" doesn't stop the bad people who are attacking you.