Security Architect Needed in VA!

Hello Everyone,

I have the following contract position in the Richmond, VA area. If
you are interested, please send your resume to
Cindy@AtlanticResource.com with SecArch in the subject line.

Position: Security Architect
Location: Richmond, VA
Duration: 6+ months
Rate: $50.00-$72.00 per hour depend on exp.

My client is looking for a Security Architect that has experience with
IT Security Risk Assessments, best practices and SME consulting to MS
Exchange and Active Directory projects. My client would prefer someone
with security certifications in: CISSP & CISM;ISO 17799,along with
having a broad IT knowledge MS Active Directory Windows 2000+2003;MS
Exchange 5.5+2003;MS MMS/MIIS 2003; Public Key Infra. (PKI X.509
Certificates+Certificates Authority Mgt.;Networking
(TCPIP,WINS,DNS,DHCP,RPC,NetBios,SMTP,etc)Network Security
(Firewall/VPN).

Candidates MUST have 2-5 years experience with Active Directory, MS
Exchange, Directory Services (LDAP), Filesystems, MS Project, MS
Office, SDLC, Project Management, Presentation skills, Windows OS,
Internet Security, and Windows 95/NT Systems Support. Candidates must
also be able to pass a credit/background/drug test and work in a
smoking environment.

View all of my jobs and sign up for my jobs mailing list at
www.richmondjobs.org.

Re: Security Architect Needed in VA!

On 9 Jul 2006, in the Usenet newsgroup comp.security.misc, in article
<1152479267.025625.49200@m79g2000cwm.googlegroups.com>, Cmbelz@comcast.net
wrote:

>Hello Everyone,

Hi Clueless

>I have the following contract position in the Richmond, VA area.

That's nice. I've sent mail to our Richmond area office, calling attention
to your posting so that the company will automatically ignore any contact
you may attempt. Hopefully, the HR guys and technical types will also pass
the word to other companies in the area too.

I realize this might be a surprise to you, but this isn't a jobs group. You
can tell this because (wow) it doesn't have that word in the title of the
group. In fact, the charter for this group would have told you that, but
despite posting from a search engine you didn't seem to be able to find it.
One reason is that the news group is international in character, with posts
from around the world, and deals with _technical_ discussion. I suppose
you failed to notice that too. You also failed to notice that others who
have tried to post job offers were informed that such offers were not
welcomed in the newsgroup. In fact, all you've done is advertise to the
entire world that your company has no candidates, doesn't know how to find
them, and in general is so totally incompetent that anyone thinking to use
their service is wasting their time and in the case of applicants - harming
their prospects.

>View all of my jobs and sign up for my jobs mailing list at

Why should anyone want to look at the trash and fake jobs from a clueless
pimp? Obviously no company would accept candidate from someone who thinks
that posting from google will make them look more impressive. Comcast
really does have a news service though you apparently haven't managed to
figure out how to access it - and that server has 1157 different groups
with the word 'jobs' in the title including (after a five _second_ search
of the list) alt.betsjobsusa.virginia.jobs and va.jobs, though they are
probably filled with false and misleading posts from clueless idiots.

Old guy

Re: Security Architect Needed in VA!

Moe Trin wrote:

> On 9 Jul 2006, in the Usenet newsgroup comp.security.misc, in article
> <1152479267.025625.49200@m79g2000cwm.googlegroups.com>, Cmbelz@comcast.net
> wrote:
>
>>Hello Everyone,
>
> Hi Clueless
>
>>etc
>
> In fact, all you've done is advertise to the
> entire world that your company has no candidates, doesn't know how to find
> them, and in general is so totally incompetent that anyone thinking to use
> their service is wasting their time and in the case of applicants -
> harming their prospects.
>
>>View all of my jobs and sign up for my jobs mailing list at
>
> Why should anyone want to look at the trash and fake jobs from a clueless
> pimp?
>
> Old guy

No disrespect intended, but this post feels just a bit harsh. I agree that
the OP is not - quite - up to speed on netiquette, and needs to learn. Is
this the way of providing that learning experience, though?

Re: Security Architect Needed in VA!

On Mon, 10 Jul 2006, in the Usenet newsgroup comp.security.misc, in article
, M. Trimble wrote:

>No disrespect intended, but this post feels just a bit harsh. I agree that
>the OP is not - quite - up to speed on netiquette, and needs to learn. Is
>this the way of providing that learning experience, though?

As it turns out, my mail to corporate HR wasn't needed - these guys are
already on the 'do not use' list corporate wide - "improving resumes"
as best as I can tell. However, looking at google, you'll find that we
are far from the only ones dissatisfied with them. It's tough on any
applicants whose resumes they submit, as we mark them as being undesirable
as well. You'll also notice that the O/P wasn't posting with a company
address - even a munged address. Adding that the post came from google
is another reason to be highly suspicious. I know google is aware of their
spam/abuse problem, but my contact says they haven't found a workable
solution to it.

As mentioned, the technical newsgroups are not for job postings. The
head-hunters have already turned the 'jobs' newsgroups into sewers with
their troll ads (where they solicit resumes for non-existent jobs). Those
wishing to obtain a job through one would to well to search the news group
archives (most major news server have a decent enough retention) and see
who is posting the same ads week-after-week, especially when the job
descriptions are missing details or have ludicrous start dates (last I
scanned the three "local-to-me" job groups, there were two postings with
supposed start dates several _months_ earlier). That might be a clue to
avoid those outfits. Likewise, job posts to technical groups are another
indication of a bad choice - near as I can tell, it means they're not
getting responses to posts in job groups.

About four or five years ago, there was a head-hunter who used to post to
one of the technical groups I follow. He was actually providing technical
answers, and the only indication he was a head-hunter was his .sig line
which had a pointer advertising his web page. I haven't seen any posts
from him recently, which is a pity as his postings were actually useful
in providing technical answers to technical problems.

Old guy

Re: Security Architect Needed in VA!

On Mon, 10 Jul 2006 22:47:31 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>... - these guys are already on the 'do not use' list
>corporate wide - "improving resumes" as best as I can tell. ...


>As mentioned, the technical newsgroups are not for job postings. The
>head-hunters have already turned the 'jobs' newsgroups into sewers with
>their troll ads (where they solicit resumes for non-existent jobs). ...


I hope that you don't mind illuminating me on what they do with the
information they collect from those resumes. I remember reading that
some online job sites were collecting information from those that
posted their resumes, but I haven't heard much on this topic lately,
except with relation to the issue of identity theft, something which
apparently might be bigger than what the media is reporting.

Thanks
Geo

Re: Security Architect Needed in VA!

To M. Trimble: Moe's first post is a bit harsh - for Google Groups
users do very little harm posting from this interface, and the OP was
not even hiding behind the Tor network :-)

This mentioned, who could blame Moe for this little recruiter bashing?
Is it the fact recruiters do some sort of human flesh commerce - an
inherent reason? Or is it due to fierce competition in the sector? The
profession in general sure lacks ethics.

To focus on one aspect: fake jobs are - a reality. Human flesh
brokers have found with this technique a way to feed their product
database. To the great distress of the serious job seeker - eager to
find his dream job; or simply - aspiring to a decent living and
rewarding existence?

The topic of recruitment ethics makes me think of a little story. On
the French government website dedicated to information systems
security, the Central Information Systems Security Division (DCSSI in
French) advertises for some open positions. One job opening -
basically an IT security engineer with some penetration testing and
Debian experience position - appeared *last year* and is still
online. This makes me wonder. In a country of 60 million people, with a
proportion of decently educated scientists, a good share of unemployed,
underemployed and working poor people, a convalescent and
consulting-infected IT sector, how can this be explicable - for a
position advertised by the state, with a generous salary and package,
and a de facto lifetime employment contract? Is it that hard to hire a
few pen testers? Or who is wanted? The god size, über-1337 ethical
hacker of the Future and his/her sibling? Or let me guess - they were
found; but for some *mysterious* reason they didn't pass the
background check.

http://www.ssi.gouv.fr/fr/dcssi/offremploi.html

This post is dedicated to le mauvais go=FBt - and its sibling.

Kind regards
Ludovic Joly

Re: Security Architect Needed in VA!

Ludovic Joly wrote:

> To M. Trimble: Moe's first post is a bit harsh - for Google Groups
> users do very little harm posting from this interface, and the OP was
> not even hiding behind the Tor network :-)
>
> This mentioned, who could blame Moe for this little recruiter bashing?
> Is it the fact recruiters do some sort of human flesh commerce - an
> inherent reason? Or is it due to fierce competition in the sector? The
> profession in general sure lacks ethics.
>
> To focus on one aspect: fake jobs are - a reality. Human flesh
> brokers have found with this technique a way to feed their product
> database. To the great distress of the serious job seeker - eager to
> find his dream job; or simply - aspiring to a decent living and
> rewarding existence?

I heartily agree with all of your assertions. Koschchei knows, I'm running
into it in my own job search, and that's on the consulting side: company
advertises X position; I put in my resume and do the interview. Then, all
of a sudden, hey-presto, it's obvious by what the recruiter's saying that
they're looking for something altogether different. And that's -without-
involving a third-party recruiter.

>
> The topic of recruitment ethics makes me think of a little story. On
> the French government website dedicated to information systems
> security, the Central Information Systems Security Division (DCSSI in
> French) advertises for some open positions. One job opening -
> basically an IT security engineer with some penetration testing and
> Debian experience position - appeared *last year* and is still
> online. This makes me wonder.

Agreed, again. Playing Devil's Advocate for just a few seconds, though.
Maybe the position posted, but the webmaster or automated script that ages
then removes those postings isn't up to his/its job?

etc.

M

Re: Security Architect Needed in VA!

On Tue, 11 Jul 2006, in the Usenet newsgroup comp.security.misc, in article
<44b38830.3004617@news.telus.net>, "GEO" Me@home.here wrote:

>> their troll ads (where they solicit resumes for non-existent jobs)

> I hope that you don't mind illuminating me on what they do with the
>information they collect from those resumes.

Job placement agencies (recruiters, head hunters, pimps) make their money
by the fees that they charge the company (up to 20% of the annual salary
of the candidate) for those candidates they successfully place. Some may
also charge the candidate a fixed fee or salary percentage. (Some even
charge you "up-front" fees - avoid those recruiters.) The rational is
that they do the preliminary screening, and hide the name of the
prospective employer (which may shield the company from legal problems,
hide company planned business changes, and so on). This is a competitive
business (the local Yellow Pages from the primary telephone company here
has 8 pages of listings under "Employment Agencies", 4 for "Employment
Contractors - Temporary Help" and 1 for "Executive Search Service"), and
the winner is the one who has a list of "qualified" candidates they can
submit right now. How do they get those names for openings that their
customer companies doesn't even know exist yet? They collect them with
generic ads.

>I remember reading that some online job sites were collecting information
>from those that posted their resumes, but I haven't heard much on this
>topic lately, except with relation to the issue of identity theft,
>something which apparently might be bigger than what the media is
>reporting.

The main problem for the individual is that the job you are expecting does
not exist. Your name (and resume/CV) will be submitted for any job that the
recruiter happens to see that you might be even slightly qualified for. A
major problem with recruiters is that they will re-write your resume/CV
often without telling you what new skills you have suddenly acquired. They
do this to make your skills appear more closely matched to what the
customer is searching for. (The HR personal that receive the resumes from
recruiters invariably have no technical skills, and merely check that the
resume/CV has the same buzz-words that are listed on the internal job
requisition form - '"3 years of $FOO", check, "5 years of $BAR" check, "2
years of $BAZ" - hmmm, not here - reject'.) This falsification is fairly
well known, and there have been cases publicized of some company wanting
5 years experience on a product that has only existed for three, and yet
the recruiters have no trouble supplying candidates with that experience.
This is the reason we request a copy of the candidate's resume/CV at the
first interview do detect such "improvement".

There is an advantage for the candidate to have the resume/CV re-written,
and the recruiter is often more experienced in the field and knows what a
"good" resume/CV looks like. (There are resume/CV services that the
applicant can pay to do the same job - often helpful as the candidate
rarely has the skill at _writing_ the resume/CV.)

I don't know how much of an issue identity theft is in the job search
industry. Certainly the issue exists, and you would do well to check out
the recruiter before you contact them. The more ethical agencies do take
care to prevent personal information from being ill-used. However, the
information _should_ be no more than can be found in your local telephone
book - name, address, and phone number. "Sensitive" information (such as
the Social Security Number in the USA) should not be divulged to the
recruiter, as there is no legal requirement for that information.

Old guy

Re: Security Architect Needed in VA!

On 11 Jul 2006, in the Usenet newsgroup comp.security.misc, in article
<1152631517.051069.299470@h48g2000cwc.googlegroups.com>, Ludovic Joly wrote:

>To M. Trimble: Moe's first post is a bit harsh - for Google Groups
>users do very little harm posting from this interface, and the OP was
>not even hiding behind the Tor network :-)

Actually, I could care less where they try to post from.I mentioned
google because the recruiter is posting from a Comcast IP - Comcast who
has a very good news server, and not from the agency they claim to work
for - who should also have direct access to a working news server.

>This mentioned, who could blame Moe for this little recruiter bashing?
>Is it the fact recruiters do some sort of human flesh commerce - an
>inherent reason? Or is it due to fierce competition in the sector? The
>profession in general sure lacks ethics.

Your last sentence is _VERY_ true - but the recruiter bashing occurs
simply because this is not, and never has been a "jobs" newsgroup.
Kindly check the charter.

>One job opening - basically an IT security engineer with some penetration
>testing and Debian experience position - appeared *last year* and is still
>online. This makes me wonder. In a country of 60 million people, with a
>proportion of decently educated scientists, a good share of unemployed,
>underemployed and working poor people, a convalescent and
>consulting-infected IT sector, how can this be explicable - for a
>position advertised by the state, with a generous salary and package,
>and a de facto lifetime employment contract? Is it that hard to hire a
>few pen testers?

I can't say, both not having seen the job offer, or being that familiar
with the French employment scene. In the USA, _government_ jobs have
basic requirements, and the government is restricted in how they are
allowed to recruit. Your experience/skills/history is submitted on a
standard form (literally - SF-171, though now there is an optional form
you can submit _with_ your resume/CV) and if all the boxes on those forms
isn't filled out correctly, they are not _allowed_ to consider your
application, _and_ they are not required to send any response to you that
might indicate the reason they're ignoring you.

Old guy

Re: Security Architect Needed in VA!

On Wed, 12 Jul 2006 15:09:04 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>>> their troll ads (where they solicit resumes for non-existent jobs)
>
>> I hope that you don't mind illuminating me on what they do with the
>>information they collect from those resumes.
>
>Job placement agencies (recruiters, head hunters, pimps) make their money
>by the fees that they charge the company (up to 20% of the annual salary
>of the candidate) for those candidates they successfully place. Some may
>also charge the candidate a fixed fee or salary percentage. (Some even
>charge you "up-front" fees - avoid those recruiters.) The rational is
>that they do the preliminary screening, and hide the name of the
>prospective employer (which may shield the company from legal problems,
>hide company planned business changes, and so on). This is a competitive
>business (the local Yellow Pages from the primary telephone company here
>has 8 pages of listings under "Employment Agencies", 4 for "Employment
>Contractors - Temporary Help" and 1 for "Executive Search Service"), and
>the winner is the one who has a list of "qualified" candidates they can
>submit right now. How do they get those names for openings that their
>customer companies doesn't even know exist yet? They collect them with
>generic ads.
>
>
>The main problem for the individual is that the job you are expecting does
>not exist. Your name (and resume/CV) will be submitted for any job that the
>recruiter happens to see that you might be even slightly qualified for. A
>major problem with recruiters is that they will re-write your resume/CV
>often without telling you what new skills you have suddenly acquired. They
>do this to make your skills appear more closely matched to what the
>customer is searching for. (The HR personal that receive the resumes from
>recruiters invariably have no technical skills, and merely check that the
>resume/CV has the same buzz-words that are listed on the internal job
>requisition form - '"3 years of $FOO", check, "5 years of $BAR" check, "2
>years of $BAZ" - hmmm, not here - reject'.) This falsification is fairly
>well known, and there have been cases publicized of some company wanting
>5 years experience on a product that has only existed for three, and yet
>the recruiters have no trouble supplying candidates with that experience.
>This is the reason we request a copy of the candidate's resume/CV at the
>first interview do detect such "improvement".
>
>There is an advantage for the candidate to have the resume/CV re-written,
>and the recruiter is often more experienced in the field and knows what a
>"good" resume/CV looks like. (There are resume/CV services that the
>applicant can pay to do the same job - often helpful as the candidate
>rarely has the skill at _writing_ the resume/CV.)
>
>I don't know how much of an issue identity theft is in the job search
>industry. Certainly the issue exists, and you would do well to check out
>the recruiter before you contact them. The more ethical agencies do take
>care to prevent personal information from being ill-used. However, the
>information _should_ be no more than can be found in your local telephone
>book - name, address, and phone number. "Sensitive" information (such as
>the Social Security Number in the USA) should not be divulged to the
>recruiter, as there is no legal requirement for that information.

Thank you very much for a thorough explanation. I wasn't aware of
that side of the job placement agencies.

May be because of these deceptive practices of 'professional resume
writers' is that some people feel that it's OK to spruce up one's own
resume, and that many people say that if you can't get a job ii's just
a matter of re-writing the resume.

Regarding the identity theft issue I found a reference to what I
remembered:

'People who post their resumes on Monster.com, the world's largest
job-seeking site, "face considerable threats to their privacy,"
according to a watchdog group. In a 24-page report, The Privacy
Foundation on Wednesday accused Monster of attempting to sell users'
private data to marketers, failing to completely remove resumes after
job-seekers deleted them, and sending user information to America
Online to satisfy the terms of a business agreement.'
[September 06, 2001]


This report is also mentioned in:



Geo

[OT] Re: Security Architect Needed in VA!

On Thu, 13 Jul 2006, in the Usenet newsgroup comp.security.misc, in article
<44b62187.2564283@news.telus.net>, "GEO" Me@home.here wrote:

> Thank you very much for a thorough explanation. I wasn't aware of
>that side of the job placement agencies.

Job placement agencies have their place in the picture. When a company
decides to add staff for any reason, they NORMALLY don't publicize this
fact until upper management has approved the idea. Thus, there is no
reason to be advertising for people to fill a job that doesn't (and if
management doesn't approve, may never) exist. Yet once the approval has
been approved, invariably the position has to be filled "quickly". An
agency with a stable of qualified candidates really helps here.

But agencies aren't the only source. I know that every individual that
has been recruited into my group (of about 150) over the past five years
has come from existing employee referrals. The company pays that "finder's
fee" to the referring employee once the new hire has passed the probation
period. The disadvantage of this mode is that the selection of candidates
is much smaller than an agency can supply, though (especially if the
referrer will have to be working in the same area/task as the applicant)
maybe not as suitable.

> May be because of these deceptive practices of 'professional resume
>writers' is that some people feel that it's OK to spruce up one's own
>resume, and that many people say that if you can't get a job ii's just
>a matter of re-writing the resume.

"get the job" isn't the goal of the resume. That document is needed to get
you in past the HR department, and the preliminary screening that occurs
before an interview. You can put all kinds off roses and bull on the
resume, and if you can't deliver at the interview, you're still not going
to get that job. But by the same token, if your resume isn't getting you
the interviews, then change is probably needed.

In these days of word processors, etc., there is no real excuse for a "stock"
resume. "One size does NOT fit all", and the resume can (and should) try to
cover the requirements that the prospective employer wants. Some have said
that you can tweak your application in the cover letter, but while I do see
resumes of candidates, I _never_ see that cover letter - it's seems to
disappear in HR.

Old guy

Re: [OT] Re: Security Architect Needed in VA!

Moe Trin wrote:

> On Thu, 13 Jul 2006, in the Usenet newsgroup comp.security.misc, in
> article <44b62187.2564283@news.telus.net>, "GEO" Me@home.here wrote:
>
>>
>
> "get the job" isn't the goal of the resume. That document is needed to get
> you in past the HR department, and the preliminary screening that occurs
> before an interview. You can put all kinds off roses and bull on the
> resume, and if you can't deliver at the interview, you're still not going
> to get that job. But by the same token, if your resume isn't getting you
> the interviews, then change is probably needed.
>
> In these days of word processors, etc., there is no real excuse for a
> "stock" resume. "One size does NOT fit all", and the resume can (and
> should) try to cover the requirements that the prospective employer wants.
> Some have said that you can tweak your application in the cover letter,
> but while I do see resumes of candidates, I _never_ see that cover letter
> - it's seems to disappear in HR.
>
> Old guy


Well, it looks like you have thoroughly confirmed my dark opinion of HR
departments. Instead of helping, they're hindering the process of finding
qualified applicants because a) there is an additional bureaucratic layer
between the hiring people and the applicants with its attendant
inefficiencies and sloth; b) they don't *really* know what the manager is
looking for; because of 'b', c) they have no clue what to look for in the
ideal candidate who doesn't match *exactly* the qualifications listed; and
d) they HR people, because they have no f^H^H^H^H^H^H reaking clue of what
they're talking about, they generally tend to not tell the applicant the
right thing, which in turn generally tends to turn the qualified applicants
off.

Re: [OT] Re: Security Architect Needed in VA!

"M. Trimble" writes:

> Well, it looks like you have thoroughly confirmed my dark opinion of HR
> departments. Instead of helping, they're hindering the process of finding
> qualified applicants because a) there is an additional bureaucratic layer
> between the hiring people and the applicants with its attendant
> inefficiencies and sloth; b) they don't *really* know what the manager is
> looking for; because of 'b', c) they have no clue what to look for in the
> ideal candidate who doesn't match *exactly* the qualifications listed; and
> d) they HR people, because they have no f^H^H^H^H^H^H reaking clue of what
> they're talking about, they generally tend to not tell the applicant the
> right thing, which in turn generally tends to turn the qualified applicants
> off.

Yup.

I recall at one major multinational I was at reviewing resumes from
the recruiting office for a position we had open in integrated circuit
design. They actually sent us a friggin electrician's resume.

Electrical engineering, electrician, so similar in skillset right?
And this was a company whose bread and butter was engineering.

Woof.


--
Todd H.
http://www.toddh.net/

Re: [OT] Re: Security Architect Needed in VA!

On Fri, 14 Jul 2006, in the Usenet newsgroup comp.security.misc, in article
<9LTtg.10062$PO.9636@dukeread03>, M. Trimble wrote:

>Well, it looks like you have thoroughly confirmed my dark opinion of HR
>departments.

Again - they have their place in the grand scheme, both good and bad.

>Instead of helping, they're hindering the process of finding qualified
>applicants because a) there is an additional bureaucratic layer between
>the hiring people and the applicants with its attendant inefficiencies
>and sloth;

Good point - they isolate the technical staff, preventing unwanted noise.
Good point - they enforce management's requirements for staffing levels,
legal requirements, etc.
Bad point - they isolate the technical staff from communicating/clarifying
which often results in delays, mis-information, and confusion.

>b) they don't *really* know what the manager is looking for

They aren't technical - that's not their job. They do know the laws and
policies. But don't you think it's the technical manager's job to explain
exactly what skills he's looking for? If the manger requests a warm body
with skills in UNIX networking security, without 1) defining what he means
by "UNIX" (legal definition? clones including *BSD/Linux? something else?)
or "networking security" (what-ever that might be defined as) - how do you
expect HR to know someone listing OpenBSD skills, might be more knowledgeable
than someone listing SuSE or Ubuntu Linux. NOTE: O/S flames > /dev/null

>because of 'b', c) they have no clue what to look for in the ideal
>candidate who doesn't match *exactly* the qualifications listed;

As above. However, you should also know that they _usually_ don't shred
those resumes/CVs/applications that "don't match" the requirements, but
rather put them into a "different" stack. When the technical type comes
in to get the applicant data, there _may_ be two (or more) piles to look
through. Also, depending on how paranoid the HR department is, we _MAY_
only receive photo-copies where personal information may be censored (to
avoid discrimination problems). However, this varies quite considerably
between companies.

>and d) they HR people, because they have no f^H^H^H^H^H^H reaking clue of
>what they're talking about, they generally tend to not tell the applicant
>the right thing, which in turn generally tends to turn the qualified
>applicants off.

Here, I can't say one way or the other, as I'm not sure which area you are
commenting/complaining about. If you are referring to the inaccurate
information they may stick into job advertisements - there's more than
enough blame to share with HR/Legal/Technical. That's where word-of-mouth
or employee referrals are good (and potentially bad). There tends to be
less technical censorship/confusion/mis-information, but there is a
larger chance of exposing the company to legal complications. Please don't
think I'm defending HR functions. The way company organizations have changed
in the past twenty years now means that they _will_ be involved in the
hiring process as much as they are involved in the termination end. It's a
fact of modern life.

Old guy

Re: [OT] Re: Security Architect Needed in VA!

On 14 Jul 2006, in the Usenet newsgroup comp.security.misc, in article
<84irlzq3ja.fsf@ripco.com>, Todd H. wrote:

>I recall at one major multinational I was at reviewing resumes from
>the recruiting office for a position we had open in integrated circuit
>design. They actually sent us a friggin electrician's resume.

I don't think I've seen _quite_ that much of a stretch, but close.

>Electrical engineering, electrician, so similar in skillset right?
>And this was a company whose bread and butter was engineering.

The company may be the world leader in engineering, but that doesn't
mean the HR staff will know anything more about it than payroll or
the staff responsible for building maintenance. Or, if you want to
push things, neither will the CEO. It's not their job to know this
stuff. They've got other beans to push. HR had better know a heck of
a lot more about local/state/federal labor law than a technical
manager (as one example), though I will agree that they OUGHT to know
the difference between a Journeyman Electrician (and have heard of
the legal requirements/licenses) and a BSEE (and be able to identify
the university well enough to know if it even exists).

>Woof.

Indeed.

Old guy

Re: [OT] Re: Security Architect Needed in VA!

Moe Trin wrote:

> On Fri, 14 Jul 2006, in the Usenet newsgroup comp.security.misc, in
> article <9LTtg.10062$PO.9636@dukeread03>, M. Trimble wrote:
>
>>...
>
> Good point - they isolate the technical staff, preventing unwanted noise.
True. They also unintentionally filter out the valid but still extremely
weak signals. Perhaps more often than not?
> Good point - they enforce management's requirements for staffing levels,
> legal requirements, etc.
Which is what they're supposed to do. I have no beef with HR when they run
interference with the legal/administrative overhead. Lets the actual
managers and the people under them concentrate on what it is that they're
supposed to be doing - being productive.
> Bad point - they isolate the technical staff from communicating/clarifying
> which often results in delays, mis-information, and confusion.
And that's the fatal flaw in the scheme. I've talked with HR people, trying
to decide do I really want to work at xyz company, and have had some very
good, insightful questions, and the HR people have not exactly been very
informative. Companies like that usually end up at the bottom of the list
of companies that I'd work for if offered a position. of course, I've
noticed that those kinds of questions tend to be a bit off-putting to the
HR people because they (the questions) are 'off the reservation' in terms
of what is expected in an interview.
>
>>b) they don't *really* know what the manager is looking for
>
> They aren't technical - that's not their job. They do know the laws and
> policies. But don't you think it's the technical manager's job to explain
> exactly what skills he's looking for? If the manger requests a warm body
> with skills in UNIX networking security, without 1) defining what he means
> by "UNIX" (legal definition? clones including *BSD/Linux? something else?)
> or "networking security" (what-ever that might be defined as) - how do you
> expect HR to know someone listing OpenBSD skills, might be more
> knowledgeable
> than someone listing SuSE or Ubuntu Linux. NOTE: O/S flames > /dev/nul
o/s flame = NULL.
#ifdef exception
favored o/s = FC5
#endif

I agree that, in the ideal world, the manager should communicate his/her
desires/needs/etc. Unfortunately, this is not the ideal world, as witness
this typical conversation in an HR office:
recruiter: we're looking for someone who has skills with computer systems
possibly maintaining our database.
me, looking over recruiter's shoulder at his/her PC: what size of computer,
and what operating system, windows, OSX/*nix/*BSD/other?
recruiter: Uh, I think it's windows.
me, thinking that this company is collectively stupid and do I want to work
here: what database environment?
recruiter: I don't know, they never said.

Right there, that recruiter has just talked him/her self out of an
applicant, because I now have no clue whether or not I'm qualified.


>
>>because of 'b', c) they have no clue what to look for in the ideal
>>candidate who doesn't match *exactly* the qualifications listed;
>
> As above. However, you should also know that they _usually_ don't shred
> those resumes/CVs/applications that "don't match" the requirements, but
> rather put them into a "different" stack. When the technical type comes
> in to get the applicant data, there _may_ be two (or more) piles to look
> through.
Assuming the technical type comes in to read the stacks. I've seen and heard
of a lot of cases where the HR people are told that ONLY the
application/cv/resume/other with these specific buzzwords is to be turned
over to the manager in any form whatsoever.


Also, depending on how paranoid the HR department is, we _MAY_
> only receive photo-copies where personal information may be censored (to
> avoid discrimination problems). However, this varies quite considerably
> between companies.
And at least in my personal opinion, that is how
things should be universally. Would require an emphasis on
skills/qualifications, etc., in favor of name, face, age, gender, etc. (for
any etc. in the set, things that differentiate two people)
>
>>and d) they HR people, because they have no f^H^H^H^H^H^H reaking clue of
>>what they're talking about, they generally tend to not tell the applicant
>>the right thing, which in turn generally tends to turn the qualified
>>applicants off.
>
> Here, I can't say one way or the other, as I'm not sure which area you are
> commenting/complaining about. If you are referring to the inaccurate
> information they may stick into job advertisements - there's more than
> enough blame to share with HR/Legal/Technical.
Inaccurate information in job postings is part of what I'm talking about. A
networking consultant whom I don't know personally was complaining to a
mutual friend of ours - to quote the friend - that he had been hired as
a 'network analyst' and was put to work doing web development. True or not?
I have no clue, but given my relationship with the mutual friend, I suspect
so. I can tell you from personal experience that I've gone into interviews
for position a, and discovered that the position was entirely different
than what was advertised. And that assumed the direct supervisor knew what
he/she wanted the person in that position to do.

> That's where word-of-mouth
> or employee referrals are good (and potentially bad). There tends to be
> less technical censorship/confusion/mis-information, but there is a
> larger chance of exposing the company to legal complications. Please don't
> think I'm defending HR functions. The way company organizations have
> changed in the past twenty years now means that they _will_ be involved in
> the hiring process as much as they are involved in the termination end.
> It's a fact of modern life.
>
> Old guy
I agree that HR will probably be involved in the hiring decision as well as
in the firing decision from now on. It's an inevitable concomitant of the
state of our society. (comments on the state of society > /dev/null) I just
wish they'd get off their collective duffs, leave the metaphoric
pleistocene era and at least take a look at joining the industrial
revolution. Might save a lot of grief in the long run.

Re: [OT] Re: Security Architect Needed in VA!

In article <9LTtg.10062$PO.9636@dukeread03>, M. Trimble wrote:

>Well, it looks like you have thoroughly confirmed my dark opinion of HR
>departments. Instead of helping, they're hindering the process of finding
>qualified applicants because a) there is an additional bureaucratic layer
>between the hiring people and the applicants with its attendant
>inefficiencies and sloth; b) they don't *really* know what the manager is
>looking for; because of 'b', c) they have no clue what to look for in the
>ideal candidate who doesn't match *exactly* the qualifications listed;

In the part of government I work for [in Canada], all the resumes
are turned over to local HR and are available to the manager
running the position.

However, if a given application does not exactly match the
qualifications of the job description, serious consideration
of the application becomes more difficult, in two related ways:

1) If we waive a listed requirement for one candidate, we are
required to waive that requirement for -all- the candidates.
And that might expand the interview pool beyond the feasible.

At the preliminary weeding-out stage, we are not -allowed- to make
subjective judgements about the depth of someone's skills or
experience: we can only make subjective judgements at an interview.
Thus, all we have to go on in order to decide who gets interviewed
(or at least tested) is the matter of whether the candidate listed
all the right keywords... and if after cutting the pack down to
just the ones with all the right words, the resulting pool is
about as big as we can handle, then the candidate(s) who
we -think- look great on paper but who missed a keyword or two
just don't make the second round.

For example, several years ago, I was manager for an entry level
hire in which we asked for a community college certificate as a
computer technician. One of the applicants had a PhD in computer
science and experience in running computer labs. A PhD in computer
science does not, however, offer formal training as a computer
technican and is thus not equivilent to what was in the job
description, so in order to have considered that candidate we would
have had to have waived the education requirement for all the
candidates. That would have doubled the number of people we would
have had to have interviewed. The others that would have had to have
been interviewed were obviously very weak candidates (e.g., some of
them had absolutely no on the job experience but had 1 1/2 weeks of
training in-class). Four interviewers times half a day per
candidate times 6 extra candidates... the candidate with the
missed-a-keyword great resume would have to have been -enough- better to
make up for the extra 12 working-days of effort that would have
been required to hold the extra interviews. Which was unlikely
to be the case for a completely entry-level position.

The goal, I am told, is not to get the absolute best possible
candidate into the position: that's simply not feasible most of the
time. The goal, instead, is to set requirements on the job description
that are appropriate for the position, and then to run a fair
competition amongst the candidates whose resumes demonstrate that
they meet the minimum conditions for the position. If a higher-
calibre of person was needed for the position, then the job description
should have had stricter requirements.


2) Closely related to the first point about not being able to
selectively waive qualification requirements, is that waiving
requirements is usually not considered fair. If, for example,
we specified Linux but we were to waive that and accept BSD
as well, then we have not been fair to the potential candidates
that had modified qualifications but took the listed
qualifications seriously and so did not apply because they knew
they didn't meet the -listed- Linux requirement. Therefore, if
the pool of candidates that meet the exact listed qualifications
would be "big enough" then, as described for (1) we are advised
to go with the exact listed qualifications; if the pool would
not be big enough, then rather than waiving a requirement, we
are recommended to re-run the competition with the qualifications
we would actually accept.


In connection with the point about the goal not being to get
the absolute best possible candidate into the position: for all
but the most specialized or high-level positions, we run regional
competitions, in which we specify the "geographic catch basin" of
current residences of candidates we are willing to consider. It just
isn't feasible to run a national or international competition for
a low- or mid- level position. Even just the cost to fly people in
for interviews...


It would be nice to be in a situation of having the resources to
persue and keep "the best of the best" but that's not at all
likely to happen for us; and that fact eventually trickles down to
literal reading of resumes.

Re: [OT] Re: Security Architect Needed in VA!

Walter Roberson wrote:

> In article <9LTtg.10062$PO.9636@dukeread03>, M. Trimble
> wrote:
>
>>Well, it looks like you have thoroughly confirmed my dark opinion of HR
>>departments. Instead of helping, they're hindering the process of finding
>>qualified applicants because a) there is an additional bureaucratic layer
>>between the hiring people and the applicants with its attendant
>>inefficiencies and sloth; b) they don't *really* know what the manager is
>>looking for; because of 'b', c) they have no clue what to look for in the
>>ideal candidate who doesn't match *exactly* the qualifications listed;
>
> In the part of government I work for [in Canada], all the resumes
> are turned over to local HR and are available to the manager
> running the position.
> ...

I don't know anything about government hiring, except to note that, given
what I've seen of the various governments in the US of A, the hiring
process is even more baroque and arcane than it is in the private sector.
And that assumes that there is no favoritism or other underhanded activity
being conducted for any given reason - probably a very rare thing, but
IMHO, even one instance of such behavior is dead wrong.

Re: [OT] Re: Security Architect Needed in VA!

In article , M. Trimble wrote:
>Walter Roberson wrote:

>> In the part of government I work for [in Canada],

>I don't know anything about government hiring, except to note that, given
>what I've seen of the various governments in the US of A, the hiring
>process is even more baroque and arcane than it is in the private sector.
>And that assumes that there is no favoritism or other underhanded activity
>being conducted for any given reason - probably a very rare thing, but
>IMHO, even one instance of such behavior is dead wrong.

At least in our environment, it isn't really practical to eliminate
all "favouritism" in hiring.

We have much more work to do than available people (or positions.)
That work cannot easily be divided into nice neat compartments
that we could hire component people for -- for example, -someone-
needs to do "network analysis" but we don't have enough such work
to hire a Network Analyst that just did that.

What we need, then, is adaptable people with a broad array of skills,
to do work with ill-defined boundaries. But we can't "cast our net" for
a person like that by putting out a job description that indicates
40 different items as "desirable": as far as HR and interviews is
concerned, someone who does not have even a single one of the
"desirable" skills but meets the base education requirements,
must get as much attention as someone who has Been There, Done That.
And for this kind of work, the objective "education requirement" is
usually pretty thin, since we have no objection at all to working with
someone with no -formal- education past high school but who has
a well established track record of actually getting things done.

It is really is the case that our classification process encourages
specialization and discourages skilled generalization. The
classification people really do say, "If you have to do all these
different things, then you obviously cannot be a specialist and so
cannot be in the higher classification": the rule is essentially that
for high classification you must have a full budget and supervise
people /OR/ you must be a specialist in a narrow field. The person who
is 2 years out of school gets the same classification as the person who
is likely capable of running the entire computing department but
doesn't happen to have been assigned the financial responsibility to do
so (because someone else already has, and if that other person shares
budget control then that other person gets reduced in
classification...)

As you have probably noticed yourself, highly skilled flexible
available people are not very common, and as described above, if we
went completely open "absolutely no-one in mind" for such a position,
we would have to interview nearly everyone who applied. "I don't know
what I'm looking for, but I'll know it when I see it" is -not- accepted:
we have to have -objective- reasons to not consider a candidate in the
second phase, and it's pretty hard to develop objective criteria to
filter broad bases of experience.

Thus it is certainly not unknown for us to keep our eyes open for
several years, until eventually we find someone who has the kind of
technical skills and people skills we need, and then to talk to them,
and then draw up a job description that they could meet -- always
generalizing it so that there is a meaningful possibility that other
potential candidates might meet the requirements as well. Once the formal
description is submitted, we consider all the applicants carefully: the
evaluation process is fair; but reasonable people could potentially
consider that the process is "stacked".

In a sense what we end up doing is finding a good person and
figuring out what section of our work that they could take on, and
developing the job description around that, instead of slicing up
the job narrowly and hiring based upon that and hoping that we end up
with someone who turns out to be flexible enough to take on many
other random tasks as well.

If we were big enough and had enough resources to assign people to
well-categorized duties then the reality might be different, but
life ain't quite so compartementalized.


You've likely experienced yourself, that sometime you looked at what
someone has done, and said, "This person is good!". They probably
weren't the best database person around, or the greatest C++ expert
you'd met, or the strongest networking person -- quite possibly
not the top of any particular field, and yet their adaptability
and learning rate and comprehension of how things fit together and
of what is important might have been extraordinary. Unfortunately
it is very difficult to quantify such metaskills in a job description;
and if you do manage to find such a person, you probably want to hire
them to do "whatever they can" for your organization rather than pinning
them down to a narrow role. Private sector hiring has a lot more
flexibility that way than government hiring does.

Re: [OT] Re: Security Architect Needed in VA!

On Sat, 15 Jul 2006, in the Usenet newsgroup comp.security.misc, in article
, M. Trimble wrote:
>Moe Trin wrote:

>> Good point - they isolate the technical staff, preventing unwanted noise.
>True. They also unintentionally filter out the valid but still extremely
>weak signals. Perhaps more often than not?

Hard to say - I don't see the data on both sides of the filter very often,
and thus am in no position to comment one way or the other.

>> Bad point - they isolate the technical staff from communicating/clarifying
>> which often results in delays, mis-information, and confusion.
>And that's the fatal flaw in the scheme.

I don't think the systems is dead.

>> They aren't technical - that's not their job. They do know the laws and
>> policies. But don't you think it's the technical manager's job to explain
>> exactly what skills he's looking for? If the manger requests a warm body
>> with skills in UNIX networking security, without 1) defining what he means
>> by "UNIX" (legal definition? clones including *BSD/Linux? something else?)
>> or "networking security" (what-ever that might be defined as) - how do you
>> expect HR to know someone listing OpenBSD skills, might be more
>> knowledgeable than someone listing SuSE or Ubuntu Linux.

>I agree that, in the ideal world, the manager should communicate his/her
>desires/needs/etc.

As far as I'm concerned, that's a major end of the problem. Otherwise you
are stuck with the classic GIGO.

>recruiter: we're looking for someone who has skills with computer systems
>possibly maintaining our database.
>me, looking over recruiter's shoulder at his/her PC: what size of computer,
>and what operating system, windows, OSX/*nix/*BSD/other?
>recruiter: Uh, I think it's windows.
>me, thinking that this company is collectively stupid and do I want to work
>here: what database environment?
>recruiter: I don't know, they never said.

And who's to blame for that? Recruiters should have some awareness of the
field, and should have acquired a bit more data - certainly the type of
computer and some clue about the O/S and the name of the application. Gone
are the days when this might be running on a Systwm 360 or an 8370, and
things were incompatible in the extreme, or when you actually had a real
choice of applications such as FoxPro verses dBase or Access, but it's also
not one and only one.

>Assuming the technical type comes in to read the stacks. I've seen and heard
>of a lot of cases where the HR people are told that ONLY the
>application/cv/resume/other with these specific buzzwords is to be turned
>over to the manager in any form whatsoever.

That really depends - in general, I only see those that passed the buzzword
screen. This tends to be a fair sized stack. The last position we filled
there were about 40 in that stack, and I think the other stacks (missed
one buzzword, missed two, missed more than two) may have totalled over 200.
Now, if the 'missed none' stack had been smaller (or if our first pass had
failed to show anything interesting) then we would have at least looked at
the other stacks.

>Inaccurate information in job postings is part of what I'm talking about. A
>networking consultant whom I don't know personally was complaining to a
>mutual friend of ours - to quote the friend - that he had been hired as
>a 'network analyst' and was put to work doing web development. True or not?

Very likely true. This tends to happen more often than not in places where
management either doesn't have a clue, or they do and are trying to work
around some restriction under their control.

Old guy

Re: [OT] Re: Security Architect Needed in VA!

On Sun, 16 Jul 2006 in the Usenet newsgroup comp.security.misc, in article
, M. Trimble wrote:

>Walter Roberson wrote:

>> In the part of government I work for [in Canada], all the resumes
>> are turned over to local HR and are available to the manager
>> running the position.

>I don't know anything about government hiring, except to note that, given
>what I've seen of the various governments in the US of A, the hiring
>process is even more baroque and arcane than it is in the private sector.

Walter's description isn't that much different from what I know about
US Federal, California, and Arizona practice. Also, a lot of companies
that have multiple state operations, or contracts from some federal
entities follow many of the same practices.

>And that assumes that there is no favoritism or other underhanded activity
>being conducted for any given reason - probably a very rare thing, but
>IMHO, even one instance of such behavior is dead wrong.

At government levels, favoritism or other forms of hanky-panky are relativelyp
rare - for the simple reason that the legal risks can make it not worth
the candle. Slightly different arena, but ask Boeing about Darleen Druyan.

Old guy