Paid Paranoia: Hiring Security Experts
Healthy paranoia is common for the best computer security experts. You’d be paranoid too if you saw the number of outside attacks your computers face every day. You’d be helplessly paranoid if you realized your vulnerability to your own employees.
One security chief I talked to set up a system to tell if any unauthorized laptops with wireless LAN capacity were ever turned on within 100 yards of their campus. It allowed them to catch a van full of foreign spies outside of their research facility. Industrial spies who made it inside the building as salespeople, clients, visitors, or employees had their laptops wiped clean before they left. It was a weekly occurrence. Are you scared yet?
Hiring someone who can spell "network security" is easy. Getting the right person is hard. You have to start with the right question:
"What is your exposure?"
How secure do you need to be? My office got hacked. A nasty little Trojan that buried itself in the server had to be killed. That was just a hassle. Nothing worthwhile was stolen. No one got access to credit card numbers or anything that could be sold. It was just an annoyance. Even if the hackers wiped the server clean, it would only have been a hassle, not a calamity. I have a low exposure. I can be hassled, not destroyed.
You have to decide if you have a low exposure like me, or a huge exposure like the research facility I mentioned. They have a $500,000 security staff and a few million dollars of equipment. They need it.
Here is how to deal with those two levels of exposure:
"I have low exposure."
If no one has a $100,000 reason to get into your network, go out and hire an hourly security expert from your local Cisco supplier. You don’t need a full-time guy. Ask for a certified technician. If the salesman says, "Certification isn’t necessary—our guys are all trained," then ask for the training certificates. There are a lot of great security experts who learned their craft without attending a single class, but how are you going to know? It is better to pay an extra $100 per hour for a certified guy you are sure of than to just hope your good feeling about a salesman or technician is right.
Make sure the security expert explains to you or your network technician what he is doing. I guarantee that someone is going to complain about the new firewall and tighter network security. Adding a new user is going to get more complex. Someone is going to get their toes stepped on. You have to have someone at your office who at least has some idea of what has been done.
Finally, set up a regular security review. Tell the salesman that you want a security checkup every six months or once a year. If you ask him to take your money regularly, the salesman will remind you when the security reviews are due just in case you forget.