October is National Cyber Security Awareness Month and this week's focus is on hiring a cyber workforce - so just how do you make sure your new IT recruits are security-aware?
As an IT Security Manager at Sophos, I've been hiring for five years. Here are my tips to winnow away the chaff and discover what your candidate really knows about security.
Always check the basics
Anyone working in IT absolutely must have a basic knowledge of the major threats. Everyone in an IT department is likely to be called upon to offer general IT advice at some point. If the question is "what should I do with this strange email I’ve just received?", you need to be sure everyone will give the right answer.
A lack of basic knowledge should also raise alarm bells about other potential critical skill deficiencies.
Look for an interest
If you’re reading a blog about computer security you obviously have an interest in the subject. Although not everyone will share this interest, it’s reasonable to expect that anyone who has picked a career in Information Technology has at least a passing interest in the big infosec stories.
Demonstrating knowledge of Anonymous, Lulzsec, WikiLeaks or the Snowden revelations, for example, should give you some confidence that a candidate will proactively keep their knowledge up to date.
Prepare relevant technical questions
Technical professionals should also be expected to be able to go into some detail on security issues relating to their expertise. For instance, any web developer should have a grasp of all the threats in the OWASP Top 10.
Do a little research prior to an interview on your main technology's common attack vectors and security record so that you can check a candidate is suitably conversant in the area.
Open-ended tests and scenarios can really help you understand the breadth and depth of a candidate's knowledge so look for ways to get them talking, talking, and talking some more.
Consider asking candidates to stand at a whiteboard with a realistic system architecture and have them talk you through it, identifying as many attack vectors and protection strategies as they can. This technique can be particularly effective at identifying gaps in knowledge.
You might also want to test your interviewees with a recent real-world problem your team has had to deal with. As far as possible give them the same information that your team had access to and let them run with it. You can learn a lot from watching how a candidate thinks about your problem, how long they take, how thoroughly and how clearly they answer and, of course, you can compare it directly with your own team's performance.
Look for the right thought processes
Sometimes you may be hiring someone with an understanding that they will be learning the technology on the job. In these cases they are unlikely to have technology-specific security knowledge. You may wish instead to check how they think about problems.
Look for an understanding of trust and where it is inappropriate. For example, ask them about the dangers of an application which lets users run their own raw SQL queries or scripts. It may sound simple but you’ll be surprised how often an inexperienced person just doesn’t consider the possibility of a malicious user.
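As an added example (not code from the original post), here is the trust failure behind that interview question in Python with sqlite3: a lookup that splices user text into SQL beside the parameterised form, plus a read-only fallback for the case where users genuinely must submit their own queries. The table, rows and function names are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data for this example; not from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER, owner TEXT, amount REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1, "alice", 120.0), (2, "bob", 75.5), (3, "carol", 310.0)])
    conn.commit()
    return conn


def invoices_unsafe(conn, owner):
    """Trusts the user: their text becomes part of the SQL statement itself,
    so whoever controls 'owner' controls the WHERE clause."""
    sql = f"SELECT id FROM invoices WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def invoices_safe(conn, owner):
    """Treats the user's text as data: the driver binds it as a parameter and
    it can never change the shape of the query."""
    sql = "SELECT id FROM invoices WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


def run_user_query_least_privilege(conn, sql):
    """If users really must submit raw SQL, contain the damage: run it with the
    connection flagged read-only so the engine itself refuses write statements.
    Returns ("ok", rows) or ("refused", reason)."""
    conn.execute("PRAGMA query_only = ON")
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        conn.rollback()
        return "refused", str(exc)
    finally:
        conn.execute("PRAGMA query_only = OFF")


if __name__ == "__main__":
    db = make_db()
    # What a candidate should spot: the same input that looks like a name to
    # the safe version rewrites the query in the unsafe one.
    crafted = "x' OR '1'='1"
    print("unsafe:", invoices_unsafe(db, crafted))   # every owner's invoices
    print("safe:  ", invoices_safe(db, crafted))     # no such owner: []
    print(run_user_query_least_privilege(db, "DELETE FROM invoices"))
```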
Remember that anyone other than a junior candidate should be able to talk you through their thought processes on things they have actually done, not just what they would do. Question them about the previous projects they have worked on, and ask questions that surface evidence of them applying the right thought process in a real-world situation.
Be prepared for post-hire training
Not everyone can be an expert. You may find some talented individuals have surprising gaps in their knowledge. The hiring process should be used to help identify these gaps and ensure they are filled in as quickly as possible. Make sure your interview notes feed into a training plan or the individual's personal goals.
Hopefully these five tips will help you when you're looking to hire security-savvy IT professionals. If you have any other suggestions for fellow IT managers, please leave them in the comments below.
And if you're interested in reading other stories related to National Cyber Security Awareness Month, take a look at 3 essential security tasks you can do for your family today, 10 tips for securing your smartphone and our 10 topical security tales.