Cool as McCumber

It is a tough economy out there. If there is any upside in the high unemployment numbers, it is perhaps that many of us have grown a little more appreciative of our jobs. Those of us blessed with a good situation may tend to be a bit more circumspect with keeping our work area clean, or perhaps we are more tolerant of co-workers. Is it me, or have you noticed wait staff at high-end restaurants seem less snobbish? Bartenders smile more, and that kid at the drive-through window just wished me a pleasant day

What does not seem to change is the barrage of overtures IT professionals get from headhunters pitching new opportunities. In the recent past, headhunters would often purloin a corporate organizational chart or telephone listing, and start dialing up numbers leaving intriguing voicemails to encourage you to call them back. They would target companies being acquired, or ones going through public turmoil hoping to lure away some of the star performers before things settled down. Getting a qualified recruit makes their job simpler and more likely to result in a payday.

Now, the smart headhunters also leverage social and business networking technology to garner resumes and prospects. They will spend hours on sites such as LinkedIn and Facebook and play connect-the-dots as they develop a list of possible candidates to approach. I am sure this makes the process much easier for them, and allows them to search links and connections among professionals.

So it was no surprise when I was contacted this week by a plucky recruiter who happened to scrounge up my cellular phone number, and called while I was relaxing away from both home and job duties. She had a great opening pitch — a vice president title for the lucky selectee. She also used the accepted tap-dance phraseology to ask if I might know of anyone else interested in this amazing opportunity. That way, she can’t be accused of trying to directly poach someone. If you ask her because you are interested, well, that’s now on you.

She had coyly stated that this senior-level IT security position was with a “leading technology company,” so I was curious if she would let me know which one, or more typically, dole out clues until I had to make a guess. In this case, she came right out with it, and I was taken aback. No, it wasn’t my present employer, but it was a big (albeit dated) name in the Internet services space.

Without any further prompting from me, she began her sales pitch by reiterating it was a VP title of a brass ring. A big ego boost for someone like me. Something to make my mom proud. Something to have stitched into my underwear so guys at the gym could see that I was a VP, dagnabit! I didn’t bother to mention that my suburban branch bank has three resident VPs, none of whom drives anything more impressive than a Toyota Camry.

She then rattled off a litany of requirements that would be expected of any security professional working above the level of a corporate intern: leadership, knowledge, skill, training, experience and a willingness to “roll up your sleeves.” I was nodding along to myself as I mentally envisioned my resume and ticking off the qualifications as if she was reading it back to me. That was when she dropped the bombshell.

She repeated the “rolling up the sleeves” part in a way that conveyed some special nuance I apparently was far too dim-witted to discern by her repetition or her tone. When I asked why she took special pains to repeat that part, she said, “they want someone who’s a hacker.” I sat there quiet for a long time. Finally, I blurted out, “Did you just say ‘hacker’?” She affirmed I heard it correctly the first time. I’ll bet now she wishes she had hung up right then.
I next asked her if she could define that oft-misapplied and hackneyed term. She returned to the roll-up-your-sleeves metaphor. I then asked if the person taking this position would be required to roll up their sleeves to hack their way into bank networks, corporate e-mail servers, or better yet, classified Pentagon databases to help populate Wikileaks. She immediately explained that this would not be the case. So I then asked if this “hacking” would simply take place in a test environment. She claimed not to know the answer to that question, so I again asked her what she meant when she said they wanted a “hacker” as a chief security officer — and vice president. The answer? Sleeves, rolled.

I asked her how many specific technical vulnerabilities this hacker would need to exploit to be considered qualified for the job. I mentioned that my present employer had documented 1,549 unique technical vulnerabilities last year alone. The entire catalog ranges north of 40,000.

I explained that playing attack and defend are two completely different jobs. A successful attacker may need expertise with only one vulnerability. The defender needs to understand them all. But by this time, I figured she had hung up, as I was listening to a dial tone. So much for that VP title this year.

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail