How not to hire for a senior information security role

Ben Rothke
5 min read · 4 days ago

Dunning-Kruger meets information security

Some years ago, I worked for a professional services firm. One of our clients was an international medical device company developing implantable devices for cardiac rhythm management. We proposed performing a security assessment for their remote monitoring service, which was under development, and then helping them build out the information security components for the device.

After much work, the contract was almost ready to be signed. We had thoroughly worked out the agenda, logistics, and scope. The only remaining items were the terms and conditions.

At the time, Bruce Schneier worked at the same professional services firm. He was going to be near the company’s headquarters, and the sales executive thought that having him pop in for a quick security briefing would be a surefire way to seal the deal. Bruce had the time and interest in the project, and the meeting was scheduled.

After the meeting, Bruce debriefed us and said the one-hour meeting went quite well. He stressed to them the criticality of getting security right for these implantable medical devices and mentioned something he and a researcher had recently written on the topic. He assumed the client was ready to sign, as we all did.


Written by Ben Rothke

I work in information security at Tapad, write book reviews for the RSA blog, and am a founding member of the Cloud Security Alliance and the Cybersecurity Canon.