One might identify three key concerns for hiring anyone, for any position, aside from meeting basic skills requirements; how to interrogate a candidate, what traits a candidate should possess, and when you should be interviewing candidates at all. Each of these three concerns is addressed here as they apply to hiring information security experts.
What kind of questions should you ask?
When interviewing, hiring managers often like to have checklists of "right answers" for predefined questions. There are several problems with that.
- If you're building lists of questions with "right answers", you're basically trying to use obscurity to maintain the security of your hiring process. You're banking on the job candidate not being able to get the "right answers" without having the actual security expertise those answers are meant to represent. That's why it is at least as important to get good explanations for answers as to get actual answers you like.
- When you plan out questions for an interview, and your goal is to have questions with "right answers", you'll tend to choose questions for which it's easy to define "right answers". The tendency for that type of question is to also be the kind of question for which it's easy to study "industry best practices" answers without having to know why they're good answers.
- If the security expert you're hiring doesn't know more about security than you do, you did something wrong. That means that no matter what questions and expected answers you have, the best candidate will probably be someone who disagrees with some of your "right answers" — and will probably be more right than those answers. In other words, rejecting a candidate for giving a couple of "wrong answers" might involve rejecting the best candidate for the job because your "right answers" weren't actually as good as the candidate's answers.
You need questions that invite explanations, not just simple answers. It's harder to explain why an answer is right than to just give that right answer itself. If your candidate gives a "right answer", your question should be phrased so that it requires more than just a few words to satisfy the answer. If the candidate gives a "wrong answer", tell him or her what answer you were expecting and ask why the answer you got was different. Have a conversation about the difference between the given answer and the expected answer, and make your decision based on the quality of the explanation and the thought process behind it, rather than whether the answer was what you expected.
In short, don't ask "Would you select Retina Network Security Scanner or QualysGuard for a heterogeneous six thousand node WAN distributed over four primary sites and seventeen satellite sites worldwide?" Instead, ask "What are some key criteria you would consider when selecting a vulnerability management system for a complex enterprise WAN, and why?"
What kind of personal traits should a security expert have?
Even when the information security job is a support position, evaluating security expert candidates is a very different task than evaluating candidates for most other positions. Among the traits far more important to even the lowest level security support personnel than to most other positions are:
- independent: To perform the job well, a security expert must be able to take initiative in pursuing the answers to security problems, research needed knowledge effectively often without relying on guidance from others, and even set his or her own task goals. Information security tasks require a lot of exploration outside of well-defined policy bounds, because the very nature of the job revolves around preventing, investigating, and responding to incidents where policy has been violated or subverted.
- analytical: Because so much of a security expert's work involves investigation, assessment, and troubleshooting tasks, a candidate for a security focused position should have habits and skills that lend themselves to abstract thinking, problem analysis, and recognizing the security principles that influence the circumstances of a particular incident.
- interested: If the new hire for your security position is not genuinely interested in security matters even outside of the job, you can pretty much guarantee that no matter how dedicated he or she is to the job, no matter how hard a worker and loyal an employee, he or she will do little more of value than you could accomplish with a couple of automated scanning tools and checklists in the hands of your network administrator.
Professional information security work is, at every level, a matter of "thinking outside the box". By definition, the best security experts are those whose expertise lies more with an unconventional mindset and perspective than with memorized standards of "industry best practices". In fact, in many cases the most important lessons to be learned about such practices are their flaws.
In short, the qualities most important in a security expert are those that set him or her apart from his or her peers, and not those that make him or her indistinguishable from them.
When should you hire a security expert?
There are cases where a security expert is specifically needed for a security focused position, of course, and answering the question of how to recognize such needs is a bit more complex than can be addressed in a short article. In a more general sense, however, every information technology professional you hire should, to some extent, be a security expert — at least within the limited realm of general knowledge of security principles as they apply to the duties of the position you seek to fill.
Security works best when it is part of the design of a system, when it is the very basis for policy, and when it informs the everyday work of every IT professional you employ. Every network and system administrator, every developer, and every IT resource manager should have some expertise in security matters related to his or her field, and have the interest and dedication needed to maintain and expand that expertise.
In short, every IT professional you hire for a position above entry level should, to some degree, be a security expert — and the entry level hires should be eager and able to become security experts.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.