314 C.4 Security Personnel
It does not matter that an employee is unauthorized to perform an
act, and the mere fact that an act is illegal does not bring it outside
the scope of employment.
Even though unauthorized access or computer fraud by an employee
is an act that lies outside the employee’s scope of employment, this
does not automatically exclude the employer from vicarious liability.
It is not necessarily an answer to a claim against an employer that the
wrong done by the employee was for the employee’s own benefit.
Much of the computer fraud committed by employees can be averted if
employers implement an effective security policy that puts in place measures
targeted at prevention, ongoing monitoring, and recovery strategies in
the case of breach. Monitoring may detect problems in progress and allow
the possibility of aborting a process before any serious damage is done.
C.4.2 How to Identify Competent Security Professionals
It is always a good idea to understand what areas and applications of security
are most in demand when trying to find competent staff. Some of these
areas include perimeter management, intrusion detection, forensics, firewalls
and VPNs, and internal information security. Sounds like all the basic
areas of security, right? Well, it is! Security is a diverse field and it covers a
lot of territory. When looking for people for your organization’s needs, you
need to know as much as possible about the organization before you go
headhunting. Then, and only then, will you know what to look for in finding
competent people. To find these people, one needs to consider: what are
the basic things people seeking information security jobs should know?
When hiring entry-level or nonsenior security engineers, education and
training play a much bigger role. They indicate a strong level of effort to
stand out from the crowd and hone skills in a particular area. Look for
certifications and similar indicators of professional training and qualification.
However, once you get past six to eight years of experience, when looking
for management-level security professionals, certifications are less important
than experience. This does not mean you should ignore certifications, but
they should be considered as a secondary factor. For example, would you
rather have a security engineer who has held a certification for less than a year
and has less than six years of industry experience, or someone without the
certification but with twelve years of hands-on, in-the-dirt security consulting
experience? It is your call, of course, but we encourage looking at the