Tech & Work

Create great employees: Hire security pros based on reasoning and aptitude

In-house education -- not resume bullet points -- is the key to having the best possible employees.

The hiring process in most companies is built backwards. Take a tour of the hiring process for almost any company in the United States, and what you see will look something like this:

  1. Post job requirements.
  2. Collect resumes.
  3. Throw away any resumes that don't satisfy all the bullet points.
  4. Call the people whose resumes remain and put them through a test intended to determine whether they lied about those bullet points.
  5. Send those who didn't appear to lie to a final interview.
  6. Hire those who don't annoy you.

The problem here is, for the most part, related to steps 1 and 4. Employers put the cart before the horse, sorting for people who seem to already know how to do the job, but will require retraining anyway because no two work environments are going to be identical. This is true of any job from janitorial services to software engineering.

A better way to handle it is to pare those job requirements down to a minimal set of fundamentals (skills unrelated to the job itself, but necessary to understand the job), and defer the rest for preferential interviewing and training. Instead of setting "six years J2EE experience" as a minimum requirement, try "understands, and can demonstrate, basic programming skills." Instead of "Bachelor's Degree required; Computer Science preferred," try "willing and able to learn."

When it comes to testing, most HR departments put together a set of technology familiarity questions, such as: "Using a mouse, what series of steps would you use to change the IP address on Windows XP?" I actually faced that specific question myself when applying for a job well below my skill level, but couldn't recall the exact sequence of clicks needed to get there at that moment. Instead, make the first interview an informal discussion with someone within the company that actually understands the job at hand. Do you remember, with perfectly clarity, the exact set of clicks you need to go through to change the IP address on Windows XP? Is there some reason that opening a cmd window and using ipconfig is unacceptable? Would someone in HR be able to determine a correct answer other than the one listed in the answer key?

Aside from coördination, HR departments are generally woefully underequipped to manage the hiring process for skilled workers. For technical jobs, the phrase "it takes one to know one" is both true and important. Just as with simple plurality voting, where each person gets exactly one vote in a potential cast of thousands, the cookie-cutter approach to applicant evaluation used by most HR departments is prone to artificially and inefficiently narrowing the field so that the chances of getting the best candidate for the job is actually unlikely.

This is especially problematic in the field of security, where satisfying bullet point requirements for experience and education is nowhere near as important as being able to think through the ramifications of policy decisions. Cookie-cutter application evaluation based on education and experience bullet points is more likely to net you a "security expert" who is merely an expert in security software vendors than in developing and implementing secure business policy.

For best results, hire your security experts based on their aptitudes and reasoning abilities more than their ability to select "best practices" based on multiple-choice vertically integrated vendor stack selection that conforms to current trends. Learn the lessons of How do you interview security experts?, and expect most of the practical skills to come from on-the-job training rather than arbitrary standards of "higher education" indoctrination and years in similar jobs under dissimilar conditions.

An example of a company that appears to "get it" is Jane Street Capital. The Desired Skill Set listing for JSC is strong in aptitudes, attitudes, and potentials, and says nothing about years of experience in similar jobs or specific degree requirements. The Education page at the JSC site explains what is expected of employees, and how ongoing education in the skills pertinent to the job — both as students and as educators — is the key to competence and advancement. In short, Jane Street Capital appears to be dedicated to creating the best possible employees, rather than expecting to find them sprung whole from the forehead of Zeus by checking to see who fits the cookie cutter.

Bringing in a new "security expert" who thinks that duplicating the security policies from a previous employer — one whose security policies probably consisted fundamentally of a set of vendor choices — can ultimately prove disastrous, if your needs do not closely enough match those of the previous employer. Aside from compliance officers, no amount of memorization of checklists will ensure your new hire will do the job any better. Leave the cookie cutter in the kitchen, where it belongs. If you want the best possible employee, be prepared to create great employees, and optimize your hiring process for finding good raw materials for that process.


Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks