

11/7/2017
02:30 PM
Roselle Safran
Commentary

Hiring Outside the Box in Cybersecurity

Candidates without years of experience can still be great hires, as long as they are ready, willing, and able.

We all know what the ideal security team candidate looks like. She has years of hands-on operational experience, is skilled in a variety of cybersecurity technologies (particularly the ones in the organization’s security stack), and comes highly recommended. But given the workforce shortage, such candidates are like diamonds: very rare and extremely expensive. Organizations can have unfilled positions open for months on end while they look for a candidate with the perfect resume.

The reality is that most organizations would be well-served to expand their searches beyond the typical rock star resumes and hire outside the box. There are plenty of talented individuals who could become strong contributors if they are given the opportunity in an organization that is willing to cultivate its own talent.

I feel particularly strongly about this subject because I started my first computer forensics job without any applicable experience in the field. I applied for the position because it sounded exciting and I knew I could quickly acquire the skills I needed by working hard on the job and on my own time. Ultimately it was a win-win situation: I had a job I thoroughly enjoyed, where I was constantly learning and developing a new skill set, and my employer had the talent it needed at a rate that was initially under market. (My salary doubled during my time at the company.)

As a result, one of the key tenets of my hiring strategy is to always be on the lookout for capable individuals who have the potential to excel in their roles regardless of their backgrounds. I have found that there are several must-have intangible qualities that are strong indicators that a candidate will be a quick study and successful team member. Here are three ways to identify them:

Ready
One of the best ways to determine whether a candidate is prepared to do the work necessary for the job is to give him or her a short exam as part of the interview process. I am not referring to a closed-book, multiple-choice test that relies on memorization or obscure cybersecurity facts. I am talking about an onsite, open book, practical exam based on a real-world security analysis scenario where the candidate talks through his or her thought process each step of the way. The candidate may not be able to provide all the right answers or complete the analysis, but someone with solid potential will be able to demonstrate an intelligent methodology and a clear understanding of the fundamental concepts. If you give him a hint, he will be able to run with it and make additional progress. This is the type of person who will become effective on the team once he receives some relevant on-the-job training.

Willing
You can often glean how motivated a candidate is to be in cybersecurity directly from what the person’s resume lists for education, extra-curricular activities, certifications, and/or technology. This filter is especially important when evaluating candidates who are looking to transition into cybersecurity from other industries.

If the person is working in a field unrelated to cybersecurity and is completing a cybersecurity educational program or regularly attending cybersecurity meetups or activities at night or on weekends, she is probably quite motivated to move into cybersecurity. Likewise, if the candidate has earned a cybersecurity certification, she is demonstrating notable determination as well. While there is debate as to whether certifications are indicative of skill, it is clear that obtaining a certification of any type requires commitment to the field and the expenditure of a significant amount of time and energy.

Along the same lines, if the candidate is new to security, lists numerous security products in her technology section, is researching which products are used for specific functions, and is putting in the effort to familiarize herself with the technologies, that provides an additional indication of interest and motivation. You can confirm during the interview process whether the candidate's knowledge of the technology is substantive.

Able
Our industry evolves rapidly. Network defenders are constantly improving their capabilities to keep pace with new attacks, new advisories, and new technologies. No matter what an individual's skill set includes when starting a job, he will need to develop new competencies while on the job. When interviewing candidates, I try to understand their propensity for developing their capabilities by solving problems on their own. I often ask questions such as "what do you do when you don't know something?" If the answer is "read through the standard operating procedures (SOPs)," I delve into what the candidate would do if there were no SOP, because I want to determine whether the person would go beyond what was already known and readily available to him.

If the answer is "ask someone on the security team," I inquire further to determine whether the candidate is more likely to be collaborative or burdensome to team members. The type of answer that is usually the best sign is more along the lines of "I would research the topic on my own." If the person says that he would conduct Google searches, that is sufficient, but it is better to hear a candidate name several reputable resources specifically.

Most security leaders will find that hiring outside the box can be challenging. It requires a rigorous interview process, internal training, and patience. But in the end, it can be well worth the effort when the security team is full of ready, willing and able team members who are prepared, motivated, and growing as professionals.

Hear Roselle speak about "Ten Ways to Stretch Your IT Security Budget" on November 29 at the INsecurity Conference sponsored by Dark Reading.


Roselle Safran has over a decade of experience in cybersecurity and is a frequent speaker on cybersecurity topics for conferences, corporate events, webinars, and podcasts. She is President of Rosint Labs, a cybersecurity consultancy that provides operational and strategic ...
Comments
kbrown6729@gmail.com, User Rank: Apprentice
12/1/2017 | 8:32:50 PM
Can I Use Your Article In My Upcoming Job Hunt?
Thanks so much, Ms. Safran, great article. As a longtime network admin attempting to re-invent herself into a security professional, it has occurred to me also that hiring managers would do well to broaden their scope a bit if they truly want to abate the current security talent shortage (and if they'd like to secure their networks as quickly as possible too). A well-rounded person with the right approach and hard work may be just as good an answer to the problem as that elusive 'top notch talent'. I may not bring a copy of this to interviews, but I'll certainly keep its points in mind as I talk with potential employers!
KSRNC, User Rank: Apprentice
11/9/2017 | 2:48:10 PM
Sounds Promising
I just hope more organizations are more willing to seriously consider "nontraditional" candidates moving forward.