By Toby Kohlenberg
Everyone has heard horror stories about trying to hire qualified IT security professionals. In a slumping economy, you'd think the challenge would get easier, but that's not necessarily true. Think about it: During a recession, there are even more unqualified people applying for increasingly scarce jobs. This makes the hiring manager's job more important than ever.
Recently, I interviewed candidates for our internal security consulting team. Several were prescreened through HR, and the first thing I did was ask each one a series of five basic questions:
- What encryption algorithms have you worked with?
- What's the difference between TCP and UDP?
- What's the difference between a filtering router, a proxy firewall and a stateful firewall?
- What resources do you use to keep up to date with technology and security issues?
- Why are you interested in working in infosec?
Some of the interviewees (including the guy I ended up hiring) provided good answers to these questions. They had worked with multiple algorithms, demonstrated solid protocol knowledge, understood the differences between various perimeter defenses and kept up to date with a variety of information resources.
However, an equal number of candidates -- prescreened candidates, mind you -- had no idea how to answer. One guy identified PGP as an encryption algorithm and couldn't answer the router vs. proxy vs. firewall question at all. He said he was interested in the job because he heard it was a growing area with good pay.
Hiring qualified infosecurity employees is never easy, but I think the emphasis for both interviewers and interviewees is often misplaced. This inevitably results in unqualified hires, unproductive employees and unhappy managers. Here are some simple tips that will help both interviewers and interviewees find a good fit.
Tips for Interviewers
1. Unlike clothes, certifications don't make the man (or woman). Most certifications -- even security-specific ones -- don't say that much about a person's skill. The main problem with the MCSE, CISSP, CCNA and other certifications is that most of them involve multiple-choice tests. Having taken a number of these exams, I'm comfortable saying you can almost always pass by using a study guide no matter what twists are thrown in.
2. Don't look for someone who "knows everything" about security. Such people are exceedingly rare. Even if you do find one, he or she is undoubtedly out of your salary range. The majority of the highly experienced and qualified people doing infosec today are already doing what they like and are unlikely to move. Instead, find one leader and five followers who have a decent start and the right disposition.
3. Anyone who claims to be an "expert" in information security isn't. I could rant about this, but suffice it to say, the more you learn, the more you have to learn.
4. Technology may come and go, but paranoia is forever. Translation: a deficit in tech knowledge can be addressed. A lack of the right perspective and mindset can't. The people I trust most to do security aren't the ones who know the most about every platform and technology under the sun. They're the people who understand the attacker's perspective, never make assumptions about what's possible and what's not, and always assume that they may miss something (and plan for it accordingly).
Tips for Interviewees
1. Letters after your name aren't a substitute for experience and knowledge. Remember, there are no multiple-choice questions in job interviews ... or in everyday security work.
2. Even if you knew everything there was to know yesterday, you are already behind. The ability to apply what you learned in the past is obviously important. But you must always continue to learn, or else risk obsolescence.
3. If you aren't scared, you don't understand the nature of the beast. Keeping up with this industry isn't for the faint of heart. Software will always have vulnerabilities. And attackers are more numerous and have more time and fewer distractions than you.
4. Most important: Don't apply for jobs that you have no chance of getting. It's one thing to apply for a job that you're almost qualified for. It's another thing entirely to waste someone's time because you think you can fake it. Because when it comes to infosecurity, you can't.
About the author:
Toby Kohlenberg, CISSP, GCIA, is a senior information security specialist with a Fortune 20 company on the West Coast.