
A well-respected man

Hiring security staff is a big challenge. Not only does the industry need more people to fill the open positions than it currently has, but to complicate matters further, hiring managers aren’t necessarily security professionals themselves; many organizations’ security teams report to IT, operations, or even finance, and the hiring process generally starts with the hiring manager—a non-security professional in these cases.  

More established security teams are able to lead or participate in the process, ensuring the right questions are asked. Even when the security team is driving the hiring process, though, many times human resources personnel or a recruiter is screening out (and I do mean “out”) applicants before they can walk through the door. Furthermore, a flow for how each interview will go is set by someone other than the security team, and the result is a very standardized, well-entrenched, easy-to-follow process that’s used across the entire company rather than configured for department-specific needs.

Each of these situations contributes to an untrustworthy hiring process. It certainly contributes to consternation when someone with the “right skills on paper” can’t perform required tasks after the paychecks start coming. 

‘Cause he gets up every morning

Hiring for security isn’t a standard process, though, and it’s hard to judge a person’s skill level from what’s written on his or her résumé. Certifications can add a layer of complexity: a recruiter or HR person may use them as a screening mechanism (e.g., Yes! This person has a CEH. He must be a qualified pentester), but most certifications primarily measure a practitioner’s book knowledge rather than hands-on technical ability, decision making, and leadership. When it comes to security, it’s all about execution; theoretical knowledge won’t get a person very far when an intruder is inside the system.

Not every hiring process will allow for hands-on, practical testing of the applicant’s skills, but when possible, a “trial run” is highly recommended. If you’re hiring a systems analyst, have that person complete a mini change management exercise in which they interact with a “client” to gather, document, and report on detailed requirements. If you’re hiring a security architect, provide a mock environment or dataset and ask for a brief vulnerability assessment. Whatever the exercise, build it on an isolated lab environment or sanitized sample data, never on production systems or real customer data; the candidate is an outsider and should not need credentials you would have to revoke afterward.

If this sounds like a lot of work, it is. But it’s a heck of a lot more work to have to go through the entire process of finding, interviewing, and hiring yet another team member after you learn the first guy or gal couldn’t cut it in your environment. Importantly, the deliverable of the test doesn’t have to be perfect (an outside candidate won’t have all the requisite information or time to deliver a “perfect” result), but a willingness to go through the process is a good signal to hiring managers and the team, and also opens a window into the applicant’s thought processes and work style.

And he goes to work at nine

OK, so the trains can run on the tracks when security staff is involved, but as noted at the start of this article, hiring for security often isn’t entirely up to the security team. The game changes significantly when a non-security person has to assess the viability of a candidate in a functional area with which they are merely conversant (if they’re lucky). On top of that, a non-security hiring manager might not understand the importance of a practical test for security positions. In theory, every functional area could benefit from hiring tests, yet it doesn’t happen nearly frequently enough, especially at upper management levels.

In instances where the security team is small or a subset of another part of the organization, and the hiring decision or initial interviews are going to be handled by someone external to the security team, this is an opportunity for security staff to step into a consultative role. Oh, no, more education and awareness. Yes, this is another area where the security team needs a soapbox. Says Adrian Sanabria, Senior Security Analyst at 451 Research, “there’s room in the market for managed IT/security-specific training services for employers.” Be that as it may, the only way this will happen is if security takes the lead; who is better equipped to explain security’s needs than security staff themselves?

‘Cause he’s oh, so good, and he’s oh, so fine

Working with non-security staff to help hire security team members is a win-win: security gets to socialize what’s required of the team, giving the rest of the organization a glimpse into its needs and activities, while becoming involved in the process and making sure the team hires the right people.

That said, testing a job applicant’s skills may seem like a daunting task for a manager who isn’t a security expert. Where do I start? What do I test? How do I know if the person completed the task correctly? It’s a good sign if these questions are being asked. If they’re not, get in front of the problem. Volunteer to help. You might not be part of the hiring decision, but (unless the team is large, in which case security is more than likely already heavily involved) you probably know hiring is occurring. Become part of the solution rather than lamenting the need for more and better teammates. At the end of the day, if more capable staff are working with you, you’ll spend less time individually evangelizing security. First, though, talented, skilled, and competent security teammates must be hired, so the name of the game is getting those people into the interview room, testing their abilities, and making sure they’re the right fit for the team and the company.