October is National Cyber Security Awareness Month and this week’s focus is on hiring a cyber workforce – so just how do you make sure your new IT recruits are security-aware?
As an IT Security Manager at Sophos, I’ve been hiring for five years. Here are my tips to winnow away the chaff and discover what your candidate really knows about security.
Always check the basics
Anyone working in IT absolutely must have a basic knowledge of the major threats. Everyone in an IT department is likely to be called upon to offer general IT advice at some point. If the question is “what should I do with this strange email I’ve just received?”, you need to be sure everyone will give the right answer.
A lack of basic knowledge should also raise alarm bells about other potential critical skill deficiencies.
Look for an interest
If you’re reading a blog about computer security you obviously have an interest in the subject. Not everyone will share that interest, but it’s reasonable to expect anyone who has chosen a career in Information Technology to have at least a passing familiarity with the big infosec stories.
Demonstrating knowledge of Anonymous, Lulzsec, WikiLeaks or the Snowden revelations, for example, should give you some confidence that a candidate will proactively keep their knowledge up to date.
Prepare relevant technical questions
Technical professionals should also be expected to go into some detail on the security issues relating to their own expertise. For instance, any web developer should be able to explain each category in the OWASP Top 10, describe how the corresponding flaw arises in code they write, and name the mitigation they would apply.
Do a little research prior to an interview on your main technology’s common attack vectors and security record so that you can check a candidate is suitably conversant in the area.
Open-ended tests and scenarios can really help you understand the breadth and depth of a candidate’s knowledge so look for ways to get them talking, talking, and talking some more.
Consider asking candidates to stand at a whiteboard with a realistic system architecture and have them talk you through it, identifying as many attack vectors and protection strategies as they can. This technique can be particularly effective at identifying gaps in knowledge.
You might also want to test your interviewees with a recent real-world problem your team has had to deal with. As far as possible give them the same information that your team had access to and let them run with it. You can learn a lot from watching how a candidate thinks about your problem, how long they take, how thoroughly and how clearly they answer and, of course, you can compare it directly with your own team’s performance.
Look for the right thought processes
Sometimes you may be hiring someone with an understanding that they will be learning the technology on the job. In these cases they are unlikely to have technology-specific security knowledge. You may wish instead to check how they think about problems.
Look for an understanding of trust and where it is inappropriate. For example, ask them about the dangers of an application which lets users run their own raw SQL queries or scripts. It may sound simple but you’ll be surprised how often an inexperienced person just doesn’t consider the possibility of a malicious user.
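To make that trust question concrete, the following is an added example (not code from the article or from Sophos) of the kind of thing you want a candidate to recognise unprompted. It builds a tiny in-memory SQLite table (constructed sample data) and runs the same lookup two ways: once with the user's input concatenated into the query text, once with the input bound as a parameter. The hostile input string is constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration: three users, one of them
# privileged. Added example, not part of the original article.
USERS = [
    ("alice", "alice@example.com", 0),
    ("bob", "bob@example.com", 0),
    ("root", "root@example.com", 1),
]


def make_db():
    """Create an in-memory database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_unsafe(conn, name):
    """Build the query by concatenating the caller's input into the SQL text.

    This silently trusts the caller to supply only a name; a malicious user
    can supply SQL syntax instead and change what the query means.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Same lookup with a bound parameter.

    The driver passes the input to the engine as data, so it can never be
    interpreted as part of the SQL statement.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups against an honest and a hostile input and return the results."""
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"  # constructed hostile input: closes the quote, adds a tautology
    return {
        "unsafe_honest": lookup_unsafe(conn, honest),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_honest": lookup_safe(conn, honest),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the honest input both functions return the single row for alice. With the hostile input the concatenated version returns every row in the table, including the privileged account, while the parameterised version returns nothing because no user is literally named `x' OR '1'='1`. A strong candidate should reach the bound-parameter version quickly, and a stronger one will add that parameters only help when the application controls the statement: if the design genuinely lets users submit their own raw SQL or scripts, the trust problem is the feature itself, and the fix is to remove or sandbox it rather than to escape its input.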
Remember that anyone other than a junior candidate should be able to talk you through their thought processes on things they have actually done, not just what they would do. Question them about the previous projects they have worked on and ask questions that help you discover evidence of them showing the right thought process in a real-world situation.
Be prepared for post-hire training
Not everyone can be an expert. You may find some talented individuals have surprising gaps in their knowledge. The hiring process should be used to help identify these gaps and ensure they are filled in as quickly as possible. Make sure your interview notes feed into a training plan or the individual’s personal goals.
Hopefully these five tips will help you when you’re looking to hire security-savvy IT professionals. If you have any other suggestions for fellow IT managers, please leave them in the comments below.
And if you’re interested in reading other stories related to National Cyber Security Awareness Month, take a look at 3 essential security tasks you can do for your family today, 10 tips for securing your smartphone and our 10 topical security tales.
Image of professionals on a bench courtesy of Shutterstock.
Great article! I often tend to think I'm not tech and sec savvy enough to make a difference out there... when I go back to the working world, I mean. But reading your site every day and getting really interested in sec issues, I'm not so sure I'm completely outdated anymore. This article should be sent to business magazines and journals read by hiring personnel, because they're on top of things about HR issues, but more often than not are outdated about sec issues.
Gabrielle, you are assuming the hiring personnel would be competent enough to judge whether the candidate was competent — it is called the Dunning-Kruger effect. Perhaps one way to establish yourself back in the working world might be to hold mini-seminars at your local library where you invite local businesses to come in to discuss security issues, to help make them aware of the stakes and the state of the art, and better equip them to judge new candidates (which will of course include yourself
It's always a good idea to keep up with tech advances; you never know when you will need it.
Thanks for the Great Article!
Even though I am retired and now look after IT for family and friends, this lets me analyze my own qualifications and prepare more thoroughly for what is happening today.
Excellent article. Security is an aspect of the job that many IT people seem to take for granted, as do most typical users.
The most dangerous threats to any organization are ignorant users and malicious users. Training users to be both security-aware and to report any (potential) issues should be part of any organization's employee training plan.
This was a fantastic summary. Where I work no one takes security seriously, and most look at it as an impost. In fact one senior developer that I know used to look down on and disparage the security people, saying that they had little knowledge of ITS just because they were not developers. Hiya TIM P! All staff need to take responsibility for information security and it needs to be an integral part of their statement of duties.
In places where IT security is done at a moderate level, I tend to believe they don't have problems with hiring IT people who are proactive in performing IT security duties. However, in places where IT security isn't taken seriously, the best-case scenario is that the change to a more secure environment comes in very small increments at best.