Via Twitter from GovInfoSecurity came a link to an article titled, “The Bad News of No Unemployment.” This certainly is a problem that I’ve seen personally, where someone in a “security” position (whether it be contract, consulting, advisory, or full employee) really doesn’t know what the fuck they’re talking about. Either they can’t walk the walk (whether that be security testing or walking in the shoes of ops/devs) or they absolutely fail the talk (when their advice sucks and they clearly don’t have much real knowledge beyond a few boilerplate topic responses).
Do the industry some favors. Hire only people who have real talent; filling a position with an assclown is a disservice to your business and the industry. Expose those who don’t have it. Don’t support those who are doing us all a disservice, or help them get out of that doghouse by imparting real wisdom, advice, and assistance. I really believe this also includes informal, unpaid assistance to non-security managers who just need 30 minutes of lunch talk to get a better idea of how to evaluate security vendors, candidates, and services.