Hiring Outside the Box in Cybersecurity

Candidates without years of experience can still be great hires, as long as they are ready, willing, and able.

Roselle Safran, President, Rosint Labs

November 7, 2017

5 Min Read
Dark Reading logo in a gray background | Dark Reading

We all know what the ideal security team candidate looks like. She has years of hands-on operational experience, is skilled in a variety of cybersecurity technologies (particularly the ones in the organization’s security stack), and comes highly recommended. But given the workforce shortage, such candidates are like diamonds: very rare and extremely expensive. Organizations can have unfilled positions open for months on end while they look for a candidate with the perfect resume.

The reality is that most organizations would be well-served to expand their searches beyond the typical rock star resumes and hire outside the box. There are plenty of talented individuals who could become strong contributors if they are given the opportunity in an organization that is willing to cultivate its own talent.

I feel particularly strongly about this subject because I started my first computer forensics job without any applicable experience in the field. I applied for the position because it sounded exciting and I knew I could quickly acquire the skills I needed by working hard on the job and on my own time. Ultimately it was a win-win situation: I had a job I thoroughly enjoyed, where I was constantly learning and developing a new skill set, and my employer had the talent it needed at a rate that was initially under market. (My salary doubled during my time at the company). 

As a result, one of the key tenets of my hiring strategy is to always be on the lookout for capable individuals who have the potential to excel in their roles regardless of their backgrounds. I have found that there are several must-have intangible qualities that are strong indicators that a candidate will be a quick study and successful team member. Here are three ways to identify them:

Ready
One of the best ways to determine whether a candidate is prepared to do the work necessary for the job is to give him or her a short exam as part of the interview process. I am not referring to a closed-book, multiple-choice test that relies on memorization or obscure cybersecurity facts. I am talking about an onsite, open book, practical exam based on a real-world security analysis scenario where the candidate talks through his or her thought process each step of the way. The candidate may not be able to provide all the right answers or complete the analysis, but someone with solid potential will be able to demonstrate an intelligent methodology and a clear understanding of the fundamental concepts. If you give him a hint, he will be able to run with it and make additional progress. This is the type of person who will become effective on the team once he receives some relevant on-the-job training.

Willing
You can often glean how motivated a candidate is to be in cybersecurity directly from what the person’s resume lists for education, extra-curricular activities, certifications, and/or technology. This filter is especially important when evaluating candidates who are looking to transition into cybersecurity from other industries.

If the person is working in a field unrelated to cybersecurity and is completing a cybersecurity educational program or regularly attending cybersecurity meetups or activities at night or on weekends, she is probably quite motivated to move into cybersecurity. Likewise, if the candidate has earned a cybersecurity certification, she is demonstrating notable determination as well. While there is debate as to whether certifications are indicative of skill, it is clear that obtaining a certification of any type requires commitment to the field and the expenditure of a significant amount of time and energy.

Along the same lines, if the candidate is new to security and lists numerous security products in her technology section, if she is researching which products are used for specific functions, and putting the effort into familiarizing herself with the technologies, that provides additional indication of interest and motivation. You can confirm during the interview process whether the candidate’s knowledge of the technology is substantive.

Able
Our industry evolves rapidly. Network defenders are constantly improving their capabilities to keep pace with new attacks, new advisories, and new technologies. No matter what an individual’s skill set includes when starting a job, he will need to develop new competencies while on the job. When interviewing candidates, I try to understand their propensity for developing their capabilities by solving problems on their own. I often ask questions such as "what do you do when you don’t know something?" If the answer is "read through the standard operating procedures (SOPs)," I delve into what the candidate would do if there was no SOP because I want to determine whether the person would go beyond what was already known and readily available to him.

If the answer is "ask someone on the security team," I inquire further to determine whether the candidate is more likely to be collaborative or burdensome to team members. The type of answer that is usually the best sign is more along the lines of "I would research the topic on my own." If the person says that he would conduct Google searches, that is sufficient, but it is better to hear a candidate name several reputable resources specifically.

Most security leaders will find that hiring outside the box can be challenging. It requires a rigorous interview process, internal training, and patience. But in the end, it can be well worth the effort when the security team is full of ready, willing and able team members who are prepared, motivated, and growing as professionals.

Hear Roselle speak about "Ten Ways to Stretch Your IT Security Budget" on November 29 at the INsecurity Conference sponsored by Dark Reading.

Related Content:

About the Author

Roselle Safran

President, Rosint Labs

Roselle Safran has over a decade of experience in cybersecurity and is a frequent speaker on cybersecurity topics for conferences, corporate events, webinars, and podcasts. She is President of Rosint Labs, a cybersecurity consultancy that provides operational and strategic direction to security teams, leaders, and startups. Previously she was the CEO and Co-founder of Uplevel Security and led the startup to become a venture-backed company with Fortune 1000 customers and numerous industry accolades. Prior Roselle managed cybersecurity operations at the Executive Office of the President during the Obama Administration and directed the 24×7 Security Operations Center that protected and defended the White House's network. Before that she managed security analysis teams at the Department of Homeland Security's US-CERT and spearheaded the development of two cyber threat intelligence platforms there. Roselle holds a Certified Information Systems Security Professional (CISSP) certification and a Bachelor of Science in Engineering degree from Princeton University.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights