Making the wrong hire for your security team is worse than not hiring someone at all.
Special guest blogger Tony Asher of Asher Security shares 6 considerations when hiring security talent.
The majority of my days working in cybersecurity have been persistently infected with the thought, "If I only had another person on the team."
Too much to do and not enough resources. We've all been there. The danger I've fallen into is making a hiring decision too hastily after I've received the long-awaited budget approval.
When making the mistake of hiring someone too quickly, the consequences can be devastating. The impact can last for years and the residual weight of the mistake can felt by the rest of the team. Hiring the wrong person can actually do more damage than NOT hiring someone.
So below I outline my process for approaching and hiring the right cybersecurity talent.
#1. Strategic vs. Technical
Am I looking for someone to help with leadership, roadmaps, initiative decisions and budgets, or further team building and development? Am I looking for someone to get technical traction on a project or risk control?
On the strategic side, the role requires someone with a lot of experience. This can be challenging, because many experienced cybersecurity professionals feel like they’re right for leadership, but the truth is, some are not ready. Time changes a person. Experience leads to cyber wisdom. I've been guilty of this myself – ready to lead and then I encounter a decision I don't feel confident how to make. Worse yet, I'm forced to communicate something to C-Level leadership and I haven't had enough experience speaking or talking the business language.
When looking for a technical resource, I want to divide people who know a product from people who understand the system of the product. I always prefer a candidate who understands the framework of a technology over someone who knows a specific product well. One way to differentiate a technology versus product expert is to ask for a parable or children's story using the technology involved. The person who can simplify, articulate, and explain is my favorite candidate.#2. Dictatorship vs Partnership
Is the cybersecurity team aligned with the business? How does the business view security? Some organizations maintain a passive, behind-the-scenes program where the business believes the cybersecurity team is responsible for the security of the company, while others look more like a dictatorship, where security walks around with hammers in hand ready to point out the latest breach and how that can't happen again.
If the latter is the type of environment you support, focus on a candidate who doesn't have to be 'right' all the time – find someone who will have conversations instead of giving lectures and who can encourage partnerships and security champions within the engineering departments.
#3. Introvert vs. Extrovert
Is the cybersecurity team augmenting a larger technology team or is it part of a development environment like Scrum and Agile?
Historically, security professionals had the freedom to wear their hoodies and camp out in dark cubicles. They were allowed to put their heads down and do 'security stuff.'
The technology environments are changing and we are starting to see a shift, especially in retail, technology, and software companies, where companies are adopting a more DevOps approach. In this environment, there is an emphasis on continuous integration and continuous delivery. Security cannot sit back in the 'security department' any longer. They need to be integrated into the engineering groups and have a pulse on business initiatives.
With that said, if it's a traditional 'security department' model with basic security controls, policies, and management consoles, then someone reserved, quiet, and soft-spoken can work (I'm tempted to say 'introverted,' but I'm introverted myself and have been able to be successful in other environments).
If it's a scrum philosophy, then I put more emphasis on a candidate who can smile, build relationships, and get out of the 'department' geography to go make app/dev friends. In an Agile environment, it's all about relationships.
#4. Product Specific vs. Vendor Agnostic
Do you need someone to develop a practice or run a specific tool? This is a question often overlooked before the candidate search begins. We make the mistake of thinking that, because our last employee managed our vulnerability program, our new candidate needs experience operating this specific vendor solution, as well.
If that is the case, and you're confident your current solution is the right tool, then consider contracting or outsourcing. Typically a candidate with a deep skill in a specific vendor product is a commodity.
If you're willing to invest a little more for someone, you can expand the scope from the vendor product to the fundamental security discipline (i.e. LogRythm vs Security Incident and Event Management). This can add a lot of value to the business and ensures you're running the right product for your company. It provides flexibility and greater pricing negotiation with the vendor because you have the ability to change solutions.
In addition, there are currently so many open source tools available that someone with a security pillar discipline can help transition the program and build this bridge. This can save the company a lot of money and help recuperate much of the labor cost.
#5. Technology vs Code
What kind of risks does the business face? Where are the crown jewels? What is the secret sauce?
I realize that we want to do all the things and protect all the stuff, but from a core business function, what are the two to three most important things that are mission-critical to protect?
One large business I worked with recently had a large set of assets (financial), large global footprint (geographical), but their risk wasn't products or data, it was financial fraud. When pushed, their greatest risk was phishing emails and spear phishing attempts. The best kind of candidate for them was one focused on security awareness, with a design and communication mindset, who really understand security risks. This was not a highly technical person. It was someone who could clarify and present training succinctly with brevity.
At another company where I worked, they were constantly developing applications and their greatest risk was application exploitation that attackers could pivot on and gain a foothold in the environment. This role required someone who could integrate into the engineering teams and understand the basics of programming code. There was no need to know how to program, but rather having an understanding of OWASP and how it translated to security no matter what programming language the developers chose to use.
Lastly, I also worked with a financial company whose crown jewels were confidential deal files stored on file shares. A security practitioner who knew ACLs, Data Loss Prevention, and Security Incident and Event Management was the perfect fit.
#6. Passive vs Aggressive
A final factor in selecting the right cybersecurity professional – their vision. Where do they want to go with their career? What do they want to be doing a year or two years from now?
I find some candidates are comfortable. They like what they do and want to keep doing it. They enjoy being a subject matter expert (SME) in their cybersecurity field and hold a niche talent that can benefit the larger team.
Other candidates desire to be a CISO someday and want to learn all they can. They are hungry and need to be given opportunities for growth. This can be done through role development by providing an allowance of time and resources to study and participate outside their core role. I've seen this done at organizations where the business supports up to twenty percent of the employees time being spent learning, shadowing other groups, or working on other initiatives. When complemented by the right resources, like PluralSight, or Udemy, this has a lot of traction.
These six considerations have a huge impact on who you hire. From my experience, it takes about one year for a new hire to come up to speed, understand the business, optimize their efficiency in the role, and really start to provide value.
Take your time. Don't make the mistake of hiring too quickly. Considering working with a professional group that has experience finding the ideal candidate – it’s often well worth the investment and can pay off for years to come.
Meet the AuthorTony Asher is a security professional based in Minnesota, previously acting as Business Information Security Officer at Target and an InfoSec Officer at Piper Jaffray.