Whataya want from me?

We’ve all heard about the security staffing shortage; it attracts a lot of press and is hard to ignore. If you’re currently working for an organization that is not hiring, you yourself might be receiving regular calls from recruiters about one of the estimated 1 million open positions. Maybe you’re even covertly scoping out your next job opportunity.

With RSA—the biggest networking event of the year—barely in the rearview mirror, many employment conversations have surely been ignited, purposely or by circumstance. For those keeping an eye on job postings, just because security is a buyers’ market doesn’t mean you can skip bringing your “A game” to the interview process. If you’re a hiring manager or on a team needing to fill staff positions, you should realize that you’re vying for the best and brightest, but that doesn’t mean you must lower your standards to find the perfect fit for your team and organization.

“Perfect fit,” of course, means something different to every organization and perhaps even to each individual on the hiring team. Certain skills are “must haves” for any given role, but those are the easy questions that Human Resources can help vet via the applying candidate’s résumé. Hiring teams will want to dig deep on technological capability during interviews, and some managers have told Infosec Insider that job applicants who make it through the first rounds of screening will be asked to complete an exercise or simulated security task before an offer is made.

Just don’t give up

But what about the softer side of security—the vision? Infosec Insider spoke with the CISO of a leading multinational insurance organization to find out what he wants to know when any applicant is brought to his office. In his view, his hiring team can scrutinize candidates’ technical capabilities; he wants to know if proposed team members’ strategic views of security align with the overall mission of the security organization.

If a job applicant is scheduled to meet with the CISO, says our source, it means that either this role reports directly to the CISO, or the person has made it through several rounds of interviews already. In either case, it’s important to ensure the applicant is trying to tie his or her role and skill set to the security program as a whole. Typically our source will start interviews with questions such as:

  • In a perfect state, what would an enterprise security program look like?
  • When you refer to “business risk acceptance,” what does that mean to you?
  • Describe how you would speak to the business about risk acceptance.
  • In your view, what is the primary role of security?
  • Do you see the head of security as a consultant or accountable officer?

Questions like these provide a glimpse into candidates’ views of how security contributes to the success of the business. The job of security, after all, is to drive down business risk. Thwarting malware attacks or stopping adversaries from entering, navigating, and stealing information from the organization’s systems? Risk management. Segmenting data, monitoring alerts, identifying vulnerabilities and anomalies, troubleshooting network performance, creating PowerShell scripts, deploying new tools and technologies? All risk management. Security doesn’t live in its own bubble (or shouldn’t, if it hopes to be effective and gain the support of the executive team and board of directors), so, at its core, every security team member must understand this and have a vision of how their job fits into the risk ecosystem. How a candidate responds to the questions—and whether or not she or he can answer them immediately and relatively easily—will reveal quite a lot. Every individual on the security team, even the most entry-level staffer, contributes to security’s success, and security’s success is directly tied to the organization’s success as a healthy, profitable, and efficient business.

I’m workin’ it out

The next questions our CISO contributor focuses on relate to accountability.

  • Would you prefer to set up a program where there were no “exceptions” to policy and standards?
  • For which would you rather be fired, spending too much on security or having a significant security incident?
  • Describe what you see as the top 10 requisite security capabilities. Why?

It’s easy for security practitioners to feel defeated: No system is impenetrable; attackers need only find one vulnerability whereas defenders have to secure the entire environment; an end user clicking on an infected link can lead to total system compromise. These statements are true, but it’s important for security practitioners to understand and accept the role, and then to communicate well and often to the business the information security risks associated with running a modern company.

As we’ve discussed before, successful business executives are comfortable with risk (to varying degrees). In this day and age, most accomplished CEOs understand that breaches and incidents most likely will occur under their watch; it’s not about preventing every single one, but about preventing the most obvious and devastating incidents, and estimating, quantifying, and minimizing the damage when a security incident hits. No business operates without risk. Therefore, the type of candidate you’ll likely want to hire understands this, all while taking responsibility for his or her role in reducing the opportunities for security incidents to happen in the first place.

Please don’t give in

The final set of questions our CISO contributor typically rolls out helps him understand how candidates view working with end users and outside experts. Knowing a candidate’s proclivities can shed some light on her or his attitude towards personal responsibility and collaboration, both of which feed into a security practitioner’s success or failure.

  • What is the ideal password strength/complexity for a business organization? Are there pluses and minuses to too hard / too weak? What are they?
  • Tell me your thoughts on “ethical” hacking.
  • Tell me your thoughts on bug bounty programs.

The truth is, if you ask 100 practitioners their views on passwords, you’ll hear 50 different answers. The security community can argue “pro vs. con” on ethical hacking and bug bounties all day long. The point here is not necessarily the “correctness” of the answer, but the applicant’s outlook towards working with others and whether she or he has a well-thought-out response. People’s views and opinions change all the time, especially given new information or a new environment, so use these questions to vet the job applicant’s thought process and attention to detail, another extremely important quality in a security practitioner.

I won’t let you down

Every team will have its unique needs and preferences when it comes to hiring security staff, but ensuring the right fit is predicated on evaluating how well a person’s strategic thinking aligns with the company’s goals. Technical skills are critically important, of course; a strategic thinker who can’t change his own password won’t be a boon to the security team, to say the least. During the interview process, though, don’t forget that a candidate’s ability to mesh with her or his team and to understand how security-impacts-risk-impacts-the-business will be vital to the entire team’s success.