A key theme at this year's MIT Sloan CIO Symposium on the digital enterprise was that the customer comes first for IT, no matter what kind of business a CIO is in. It follows that customer data is among an organization's most valued assets. Protecting customer data in today's digital enterprise, however, can no longer be relegated to your run-of-the-mill security engineers, according to Patrick Gilmore, CTO at data center services provider Markley Group. For Gilmore, candidate prerequisites include a high degree of paranoia and a hacker's mentality.
In this video excerpt, Gilmore shares his thoughts with Ben Cole, editor of sister-site SearchCompliance.
What kind of experts are you trying to hire over the next year? What positions do you think are really important? Is it security, or is it something else that you're really looking to fill?
Patrick Gilmore: I'm actually looking to fill everything. We're kind of in startup mode; we're just running to keep up with customer demand, so we're trying to hire [for] everything. But if I'm going to be more realistic and step back about this and assume that we're not just busy hiring to keep up with demand, then, frankly, security is Job 1. It is the absolute most important thing, because if you have a network failure in a few minutes, it's not fatal to the company. If your systems don't work perfectly and people wait an extra 30 seconds, that's bad for business and you might lose some customers, but it's not fatal, and you can fix it and recover.
If your customer's data is stolen, you're done -- it's over. So, security is Job No. 1, and finding really good security engineers, frankly, is hard. There are a lot of people out there who claim to know security, but when I can trick them up, that means something's wrong and they're not real security experts. So I'm having a hard time finding people who are truly, truly paranoid enough to work for me.
Security's been a big topic here today, so why do you think that is? Do they not have the courses in school?
Gilmore: I don't think you can actually teach this in school. I think it's got to be people who, frankly, have been in the trenches. I'm looking at people that used to be on the other side of the aisle -- people who, in their teenage years, were doing the hacking. Because finding people who have just been playing defense their whole life is actually -- I'm not saying that no one has ever gotten good like that, it just seems like you need a different mindset.
As we mentioned in the panel earlier, you can't think like a defender. You have to think like an attacker. And that's actually hard to find, especially with people [who] have spent 20 years doing nothing but being a defender.
Now there are good places for those, and there are good people [who] do that. I would love to hire some of them as well, but the one [who] I find hardest to find, the one [who]we absolutely need -- and this is not necessarily the chief security architect or somebody like that -- you need somebody in your organization who thinks like the attacker and will find the things that you didn't think of.
You can sort of put a Band-Aid over this by hiring people to pen-test or attack your stuff or do security audits. Those are all good and useful, and we do the same thing, but finding the one guy or the one lady who is going to figure out where the hole is that you didn't see, just because you had a blind spot -- that's hard.