TaoSecurity has an interesting post.
Hiring a 19-year-old hacker who has some hacking knowledge but no associate's degree does not make a corporate environment secure.
The statement by blogger Richard Bejtlich:
“Young has repeatedly assigned Brewer to hack into Butler’s computer system. “He finds security problems,” Young said. “And I patch them.”
This article does not mention whether Butler’s CISO spends any time looking for intruders who have already compromised his organization. Finding security problems and patching them is only one step in the security process.”
Bruce Schneier’s “monitor first” is also a good principle to follow. Patching known vulnerabilities is good, but monitoring and patching is better, backed by a concerted security policy, architecture, and consistent vulnerability scanning.
Maybe you have seen it?
A monitoring and security policy can also be discussed, and we do not recommend hiring people with little experience.