We all know what the ideal security team candidate looks like. She has years of hands-on operational experience, is skilled in a variety of cybersecurity technologies (particularly the ones in the organization’s security stack), and comes highly recommended. But given the workforce shortage, such candidates are like diamonds: very rare and extremely expensive. Organizations can have unfilled positions open for months on end while they look for a candidate with the perfect resume.
The reality is that most organizations would be well-served to expand their searches beyond the typical rock star resumes and hire outside the box. There are plenty of talented individuals who could become strong contributors if they are given the opportunity in an organization that is willing to cultivate its own talent.
I feel particularly strongly about this subject because I started my first computer forensics job without any applicable experience in the field. I applied for the position because it sounded exciting and I knew I could quickly acquire the skills I needed by working hard on the job and on my own time. Ultimately it was a win-win situation: I had a job I thoroughly enjoyed, where I was constantly learning and developing a new skill set, and my employer had the talent it needed at a rate that was initially under market. (My salary doubled during my time at the company.)
As a result, one of the key tenets of my hiring strategy is to always be on the lookout for capable individuals who have the potential to excel in their roles regardless of their backgrounds. I have found that there are several must-have intangible qualities that are strong indicators that a candidate will be a quick study and successful team member. Here are three ways to identify them:
One of the best ways to determine whether a candidate is prepared to do the work necessary for the job is to give him or her a short exam as part of the interview process. I am not referring to a closed-book, multiple-choice test that relies on memorization or obscure cybersecurity facts. I am talking about an onsite, open-book, practical exam based on a real-world security analysis scenario where the candidate talks through his or her thought process each step of the way. The candidate may not be able to provide all the right answers or complete the analysis, but someone with solid potential will be able to demonstrate an intelligent methodology and a clear understanding of the fundamental concepts. If you give him a hint, he will be able to run with it and make additional progress. This is the type of person who will become effective on the team once he receives some relevant on-the-job training.
You can often glean how motivated a candidate is to be in cybersecurity directly from what the person’s resume lists for education, extra-curricular activities, certifications, and/or technology. This filter is especially important when evaluating candidates who are looking to transition into cybersecurity from other industries.
If the person is working in a field unrelated to cybersecurity and is completing a cybersecurity educational program or regularly attending cybersecurity meetups or activities at night or on weekends, she is probably quite motivated to move into cybersecurity. Likewise, if the candidate has earned a cybersecurity certification, she is demonstrating notable determination as well. While there is debate as to whether certifications are indicative of skill, it is clear that obtaining a certification of any type requires commitment to the field and the expenditure of a significant amount of time and energy.
Along the same lines, if the candidate is new to security and lists numerous security products in her technology section, is researching which products are used for specific functions, and is putting the effort into familiarizing herself with the technologies, that provides an additional indication of interest and motivation. You can confirm during the interview process whether the candidate’s knowledge of the technology is substantive.
Our industry evolves rapidly. Network defenders are constantly improving their capabilities to keep pace with new attacks, new advisories, and new technologies. No matter what an individual’s skill set includes when starting a job, he will need to develop new competencies while on the job. When interviewing candidates, I try to understand their propensity for developing their capabilities by solving problems on their own. I often ask questions such as "What do you do when you don’t know something?" If the answer is "read through the standard operating procedures (SOPs)," I delve into what the candidate would do if there were no SOP because I want to determine whether the person would go beyond what was already known and readily available to him.
If the answer is "ask someone on the security team," I inquire further to determine whether the candidate is more likely to be collaborative or burdensome to team members. The type of answer that is usually the best sign is more along the lines of "I would research the topic on my own." If the person says that he would conduct Google searches, that is sufficient, but it is better to hear a candidate name several reputable resources specifically.
Most security leaders will find that hiring outside the box can be challenging. It requires a rigorous interview process, internal training, and patience. But in the end, it can be well worth the effort when the security team is full of ready, willing and able team members who are prepared, motivated, and growing as professionals.
Hear Roselle speak about "Ten Ways to Stretch Your IT Security Budget" on November 29 at the INsecurity Conference sponsored by Dark Reading.