Hiring new technical security personnel in 2006


January 2, 2006

A security group is compromised (or should be comprised) of many different types of people. One of the subsets of the security group should be the engineers (or techies). These are the folks that will be ‘down in the weeds’ configuring firewalls, designing networks, pen-testing, writing or testing tools, etc. What skills should we be looking for in these people?

When hiring new security engineers, some (many?) of us will be looking for education. Some will be looking for credentials or certifications. Some of us will be looking for experience. Here’s what I’ll be looking for (in order of preference).

1) Honesty. Don’t let the fox in with the hens.

2) Drive. If a person loves what they are doing, they will spend more time doing it. With respect to infosec, these sorts of ‘driven’ individuals will rapidly absorb and retain security-related information. Look for these people to traverse the learning curve very quickly.

3) Critical thinking. In my opinion, it’s not what you know, it’s how you deal with what you don’t know.

4) Real-world smarts (aka “common sense”). I need someone who can ask both the hard and the easy questions. Contrary to what Elton John would have us believe, “Why” often seems to be the hardest word to say.

5) Experience.

Traits 1 - 4 are MANDATORY. I won’t hire a ‘techie’ without those traits. Trait 5 is optional (i.e. nice to have on top of the important stuff).

Happy New Year and good luck with those new hires :-)

!Dmitry