There is this great post over at sans.org, teaching people how to suck at security (actually a reprint of this post).
Especially the remarks about security tools ..
On how not to implement them or how to neglect configuring them; after all, the default values must be secure enough.
However, my favorite:
Hire somebody just because he or she has a lot of certifications.
I'd write Vendor Certifications however .. as independent certifications might have some use .. but if I'm looking for a security guy and he starts talking to me about his product certifications, something is wrong ..
Remember, security is a lifestyle, not a product you can buy ..