11/7/2017 02:30 PM
Roselle Safran
Commentary
Hiring Outside the Box in Cybersecurity

Candidates without years of experience can still be great hires, as long as they are ready, willing, and able.

We all know what the ideal security team candidate looks like. She has years of hands-on operational experience, is skilled in a variety of cybersecurity technologies (particularly the ones in the organization’s security stack), and comes highly recommended. But given the workforce shortage, such candidates are like diamonds: very rare and extremely expensive. Organizations can have unfilled positions open for months on end while they look for a candidate with the perfect resume.

The reality is that most organizations would be well-served to expand their searches beyond the typical rock star resumes and hire outside the box. There are plenty of talented individuals who could become strong contributors if they are given the opportunity in an organization that is willing to cultivate its own talent.

I feel particularly strongly about this subject because I started my first computer forensics job without any applicable experience in the field. I applied for the position because it sounded exciting and I knew I could quickly acquire the skills I needed by working hard on the job and on my own time. Ultimately it was a win-win situation: I had a job I thoroughly enjoyed, where I was constantly learning and developing a new skill set, and my employer had the talent it needed at a rate that was initially under market. (My salary doubled during my time at the company.)

As a result, one of the key tenets of my hiring strategy is to always be on the lookout for capable individuals who have the potential to excel in their roles regardless of their backgrounds. I have found that there are several must-have intangible qualities that are strong indicators that a candidate will be a quick study and successful team member. Here are three ways to identify them:

Ready
One of the best ways to determine whether a candidate is prepared to do the work necessary for the job is to give him or her a short exam as part of the interview process. I am not referring to a closed-book, multiple-choice test that relies on memorization or obscure cybersecurity facts. I am talking about an onsite, open book, practical exam based on a real-world security analysis scenario where the candidate talks through his or her thought process each step of the way. The candidate may not be able to provide all the right answers or complete the analysis, but someone with solid potential will be able to demonstrate an intelligent methodology and a clear understanding of the fundamental concepts. If you give him a hint, he will be able to run with it and make additional progress. This is the type of person who will become effective on the team once he receives some relevant on-the-job training.

Willing
You can often glean how motivated a candidate is to be in cybersecurity directly from what the person’s resume lists for education, extra-curricular activities, certifications, and/or technology. This filter is especially important when evaluating candidates who are looking to transition into cybersecurity from other industries.

If the person is working in a field unrelated to cybersecurity and is completing a cybersecurity educational program or regularly attending cybersecurity meetups or activities at night or on weekends, she is probably quite motivated to move into cybersecurity. Likewise, if the candidate has earned a cybersecurity certification, she is demonstrating notable determination as well. While there is debate as to whether certifications are indicative of skill, it is clear that obtaining a certification of any type requires commitment to the field and the expenditure of a significant amount of time and energy.

Along the same lines, if the candidate is new to security and lists numerous security products in her technology section, if she is researching which products are used for specific functions, and putting the effort into familiarizing herself with the technologies, that provides additional indication of interest and motivation. You can confirm during the interview process whether the candidate’s knowledge of the technology is substantive.

Able
Our industry evolves rapidly. Network defenders are constantly improving their capabilities to keep pace with new attacks, new advisories, and new technologies. No matter what an individual’s skill set includes when starting a job, he will need to develop new competencies while on the job. When interviewing candidates, I try to understand their propensity for developing their capabilities by solving problems on their own. I often ask questions such as "what do you do when you don’t know something?" If the answer is "read through the standard operating procedures (SOPs)," I delve into what the candidate would do if there was no SOP because I want to determine whether the person would go beyond what was already known and readily available to him.

If the answer is "ask someone on the security team," I inquire further to determine whether the candidate is more likely to be collaborative or burdensome to team members. The type of answer that is usually the best sign is more along the lines of "I would research the topic on my own." If the person says that he would conduct Google searches, that is sufficient, but it is better to hear a candidate name several reputable resources specifically.

Most security leaders will find that hiring outside the box can be challenging. It requires a rigorous interview process, internal training, and patience. But in the end, it can be well worth the effort when the security team is full of ready, willing, and able team members who are prepared, motivated, and growing as professionals.

Hear Roselle speak about "Ten Ways to Stretch Your IT Security Budget" on November 29 at the INsecurity Conference sponsored by Dark Reading.

Roselle Safran has over a decade of experience in cybersecurity and is a frequent speaker on cybersecurity topics for conferences, corporate events, webinars, and podcasts. She is President of Rosint Labs, a cybersecurity consultancy that provides operational and strategic ...

Comments
kbrown6729@gmail.com
User Rank: Apprentice
12/1/2017 | 8:32:50 PM
Can I Use Your Article In My Upcoming Job Hunt?
Thanks so much, Ms. Safran, great article. As a longtime network admin attempting to re-invent herself into a security professional, it has occurred to me also that hiring managers would do well to broaden their scope a bit if they truly want to abate the current security talent shortage (and if they'd like to secure their networks as quickly as possible too). A well-rounded person with the right approach and hard work may be just as good an answer to the problem as that elusive 'top notch talent'. I may not bring a copy of this to interviews, but I'll certainly keep its points in mind as I talk with potential employers!
KSRNC
User Rank: Apprentice
11/9/2017 | 2:48:10 PM
Sounds Promising
I just hope more organizations are more willing to seriously consider "nontraditional" candidates moving forward.