Create great employees: Hire security pros based on reasoning and aptitude

In-house education -- not resume bullet points -- is the key to having the best possible employees.

The hiring process in most companies is built backwards. Take a tour of the hiring process for almost any company in the United States, and what you see will look something like this:

  1. Post job requirements.
  2. Collect resumes.
  3. Throw away any resumes that don't satisfy all the bullet points.
  4. Call the people whose resumes remain and put them through a test intended to determine whether they lied about those bullet points.
  5. Send those who didn't appear to lie to a final interview.
  6. Hire those who don't annoy you.

The problem here is, for the most part, related to steps 1 and 4. Employers put the cart before the horse, sorting for people who seem to already know how to do the job, but will require retraining anyway because no two work environments are going to be identical. This is true of any job from janitorial services to software engineering.

A better way to handle it is to pare those job requirements down to a minimal set of fundamentals (skills unrelated to the job itself, but necessary to understand the job), and defer the rest for preferential interviewing and training. Instead of setting "six years J2EE experience" as a minimum requirement, try "understands, and can demonstrate, basic programming skills." Instead of "Bachelor's Degree required; Computer Science preferred," try "willing and able to learn."

When it comes to testing, most HR departments put together a set of technology familiarity questions, such as: "Using a mouse, what series of steps would you use to change the IP address on Windows XP?" I actually faced that specific question myself when applying for a job well below my skill level, but couldn't recall the exact sequence of clicks needed to get there at that moment. Instead, make the first interview an informal discussion with someone within the company who actually understands the job at hand. Do you remember, with perfect clarity, the exact set of clicks you need to go through to change the IP address on Windows XP? Is there some reason that opening a cmd window and using ipconfig is unacceptable? Would someone in HR be able to recognize a correct answer other than the one listed in the answer key?

Aside from coördination, HR departments are generally woefully underequipped to manage the hiring process for skilled workers. For technical jobs, the phrase "it takes one to know one" is both true and important. Just as with simple plurality voting, where each person gets exactly one vote in a potential cast of thousands, the cookie-cutter approach to applicant evaluation used by most HR departments is prone to artificially and inefficiently narrowing the field, so that getting the best candidate for the job becomes unlikely.

This is especially problematic in the field of security, where satisfying bullet point requirements for experience and education is nowhere near as important as being able to think through the ramifications of policy decisions. Cookie-cutter application evaluation based on education and experience bullet points is more likely to net you a "security expert" who is merely an expert in security software vendors than in developing and implementing secure business policy.

For best results, hire your security experts based on their aptitudes and reasoning abilities more than their ability to select "best practices" based on multiple-choice vertically integrated vendor stack selection that conforms to current trends. Learn the lessons of "How do you interview security experts?", and expect most of the practical skills to come from on-the-job training rather than arbitrary standards of "higher education" indoctrination and years in similar jobs under dissimilar conditions.

An example of a company that appears to "get it" is Jane Street Capital. The Desired Skill Set listing for JSC is strong in aptitudes, attitudes, and potentials, and says nothing about years of experience in similar jobs or specific degree requirements. The Education page at the JSC site explains what is expected of employees, and how ongoing education in the skills pertinent to the job -- both as students and as educators -- is the key to competence and advancement. In short, Jane Street Capital appears to be dedicated to creating the best possible employees, rather than expecting to find them sprung whole from the forehead of Zeus by checking to see who fits the cookie cutter.

Bringing in a new "security expert" who thinks that duplicating the security policies from a previous employer -- one whose security policies probably consisted fundamentally of a set of vendor choices -- can ultimately prove disastrous, if your needs do not closely enough match those of the previous employer. Aside from compliance officers, no amount of memorization of checklists will ensure your new hire will do the job any better. Leave the cookie cutter in the kitchen, where it belongs. If you want the best possible employee, be prepared to create great employees, and optimize your hiring process for finding good raw materials for that process.


Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Tony Hopkinson

As Mr Maxwell Edison said in the first recorded instance of my agreeing with him about anything: "Hire for attitude, train for aptitude." All 99% of HR departments do is chop down the list of applicants in a pseudo-scientific manner. The results would be no different if they threw all the resumes in a sack and had a prize draw.


On the whole, I agree that when hiring someone, you should look for the best combination of attitude and aptitude to lead to long term success. I just went through a hiring process where I decided upon a candidate that was originally 'dinged' by HR for not having the required experience and skill set. I looked through the resumes myself (it cannot be stressed enough that the IT Manager needs to 'own' the hire), saw a couple things that caught my eye, and 2 months later, I may have the best hire I've ever made. The one issue I see is this: 'Instead of "Bachelor's Degree required; Computer Science preferred," try "willing and able to learn."' For many, the fact that someone got the degree is the proof that they're dedicated to their career and willing to learn. Personally, I don't necessarily agree. However, in certain industries that are dominated by people with strong academic backgrounds (law, financial, health care), it would be a harder sell to senior management to bring in someone they deem "undereducated". Maybe more so in the current economy. Ironic, that many firms would plow through millions/billions in questionable financial activities without a hesitation or concern, but when it comes time to take a chance on an individual, they become highly risk averse. I can't reconcile that, which is probably why it is a good thing I didn't go for an MBA!


JSC's got the right idea. HR departments are indeed generally unqualified to interview technical staff. Testing potential employees is needed because certifications often don't mean very much. Conversely, in regulated environments subject to external audits (such as pharmaceuticals) Quality departments often are required to prove to the auditors that staff are trained on their jobs. IT Pros recognize that the person would not have been hired in the first place unless they demonstrate competence, but that is insufficient in some areas. Technical managers usually end up doing their own screening and filtering. I recall staffing a mid-level DBA position - by the time it was over I had reviewed over 800 resumes.


You just have sense, NotSo. That's something many managers don't have. They just like to go by "status quo" rather than what fits the situation the best.


...common sense and common courtesy are the two least common things, nowadays. I can understand the point about education if a firm is pretty, how do I say this, "across the board bland". At least there is a level of consistency I can appreciate. But operating out of both sides of the mouth, so to speak, is just frustrating to see or be a part of professionally.


I know that as a rule of thumb, I'd value someone who'd done the exact work for 10 years more than someone with the M.S. or Ph.D. in the field, even if they had specialized schooling. Knowing the theory and knowing how to apply it and use it are two totally different things. As for the common sense and courtesy: I could not agree more. I have a great department I work in. I get along with everyone pretty much (a couple of people I don't like as much but the rest are cool). My boss is cool, lets me do my work to the best I can without getting in my hair too much unless he gets a red warning light from those above him. But, seems the folks above him are nobs who (one of) is a typical cookie-cutter management type who thinks all blocks no matter their shape will fit through standard round holes with the right hammer in hand. Ugh. I hate that. I need to go take a break.