Security Padawans?
By Keith Posner
A few years back someone proposed moving a few security-related accountabilities to my team. My comment was along the lines...
‘my staff were not hired for that. They will need training, or I need new hires’
The response… ‘don’t worry, you can hire, that won’t be difficult’
My inner monologue… ‘Huh?’ (think Scobby Doo)
My response…something like ‘if I had access to unlimited resources, absolutely’
By
unlimited resources I had meant both the monetary kind along with the
available talent pool. From my experience and I presume for most
us, resources are finite. Budget constraints and well-defined
salary ranges are most of our realities. Now add in other
factors that could make the hunt for skilled individuals more
challenging. Have you ever wondered…
- How is your organization viewed by the broader security community?
- Is what you are doing cutting edge or thought of as interesting?
- How have others spoken about past experiences at your organization?
The
answers to these questions can impact our ability to attract qualified
candidates. If we were able to consistently exceed candidate
salary expectations by thirty percent, I am sure the focus of our
discussions might change.
Before
we proceed, I will stop and share one of my primary assumptions, and
that is as readers, you have an interest in technical skills and
capability. I am talking about candidates with a genuine interest
in security. Those who, keep current with changes in technology
and take the time to understand security implications, monitor
developments in the broader security landscape, conduct their own
research and maintain technical currency through hands-on work, can
offer experience supported guidance and solutions based on what they
know to be possible. To offer value in security, I am going to
suggest that you need to understand the subject from both a theoretical
and practical perspective. Hands on experience in
invaluable.
On the opposite end of the spectrum, you
might have a need for individuals who can manage the complicated world
of checklists or those who are experts negotiation or
business-speak. If this is your focus the remainder of this
document may not be all that interesting or informative. Let me
be clear, I am a supporter of relationship building, business
knowledge, and other non-technical skills; but not at the expense of
technical skills and capability. A colleague recently provided me
with an example for comparative purposes. I will preface it by
acknowledging that most of us are not savings lives day to day.
A
surgeon has a certain technical skillset. They perform surgery using
hands on experience refined over years. They keep up to date with
new techniques and approaches. These skills are maintained and
for good reason. Now if my surgeon had unparalleled bed-side
manner and could walk me through a five-page checklist, but had a 70%
mortality rate for tonsil surgery, I might raise an eyebrow and seek a
new surgeon.
Technical skills are crucial for
information security professionals just like doctors (or civil
engineers, pilots, plumbers). The non-technical skills sit atop
the technical and are used to communicate issues, concerns, approaches,
plans etc. It is my belief that at a certain point in our lives,
primary interests are well established and our willingness to step
outside of our comfort zone decreases. What this means is that a
typical candidate is far more likely to learn and/or fine-tune
non-technical skills as opposed to becoming technical. For that
reason, I am going to suggest two things…
1. It is unlikely that you will find a candidate who excels at every aspect of a role (the prized unicorn)
2. Knowing that, prioritize technical
With that… the question remains....what next?
Your objective
What
is it you are looking for? Do you need someone to hit the ground
running? Someone who can come in and short of knowing process and
people, understands the world of security in all its glory? Or do
you have time to allow on-the-job training? A well-defined ramp
up? Someone who can shadow more senior members of your
team? Or still, are you looking to develop a talent pipeline
(think farm team) where the focus is fundamentals, hoping to one day
have a team of highly skilled staff to draw from.? Each is valid, each
has its own pros and cons.
And onto
assumption #2. You are looking for the first example above.
Someone who knows the world of information security, having technical
hands on experience and the ability to hit the ground running with
minimal effort.
Laying the groundwork
Speak
with HR. If possible reach out to external recruiters to get a
sense of what the local market is paying for comparable experience and
skillsets. If there are online resources you can also reference
(e.g., payscale.com)
it can only help support general conclusions. The goal is to
identify potential issues and determine if you have any means to deal
with them. During a round of hiring I was doing in 2017, I had
somehow missed the mark on salary by almost 25% in the market I was
looking at. I only discovered this useful bit of knowledge when a
recruiter seemed to be laughing at me through email. This is
ultimately about managing your own expectations. Your future may
involve your head meeting a wall in frustration. Knowing you are
off the mark and knowing you can’t doing anything about it may allow
you to change your approach. Can you work with someone less
senior?
Acknowledge that
people are by far your most important asset. People are the
foundation on which process and tools must be built. Without
skilled people, process and tools with fail. Tools cannot solve
process issues. Processes cannot solve issues with staff
capability and skill. When a process fails, or a tool fails to
live up to expectations, then some questions should come to mind. Did
you have the right people? Did they understand the
technology? Were they capable? I would be surprised if the
answer is yes.
Next, focus on organizational
values. I don’t mean corporate values, I mean what behaviors are
rewarded, and what skillsets are perceived as relevant by
management.
- Is there genuine interest in core enterprise security capabilities and maturity?
- Does your organization value technical competency?
- How is it rewarded?
- Are there proven examples of employees advancing into senior roles as technically focused individual contributors?
- Does your organization value certifications and memberships?
- Do your information security staff have access to tools and environments to keep their skills current
- Is transparency into gaps and obstacles encouraged and rewarded?
- Does
your organization value collaboration and providing opportunities to
explore areas of interest in the information security field?
Answers
to questions such as these will help shape your approach in attracting
and retaining a team of skilled information security professionals.
On your way…
Job
description… avoid buzzwords and jargon. Be clear, concise and
honest. There is nothing worse than someone joining your
organization and realizing that it is not the job they applied
for. There will always be some aspects of the job not clearly
called out on in the job description, but the candidate should never
wonder if they have gone crazy and taken a job without understanding
it. The phrases, ‘I think they lied to me in the interview’ and
‘I am really glad I took this job’ are likely not going to go hand in
hand.
Candidate screening…If you have an opportunity to use up
front screening questions great. Make them specific and if
possible, limit candidate research and response times. I have had
success with initial phone screening conducted by members of my team or
external recruiters (with a technical skillset). It is
critical that whomever is screening candidates understands the material
and can take relevant and meaningful notes. One of the more
interesting experiences I had here was working with an external
recruiter who used a video interview platform. I was able to
provide questions that were flashed in front of candidates who were
then given a defined time limit for their response. In these
instances, responses came directly from the candidates which was a
bonus.
Now, in terms of questions focus on fundamentals.
Test candidate understanding of security principles and the ability to
articulate opinions. If a candidate…
- explains that SSL and HTTPS are identical, consider another candidate
- believes
that an NMAP scan is a penetration test, it is safe to assume they will
not be terribly effective in a penetration testing role.
- doesn’t
understand operational, security, or legal aspects of open-source
software, they may not be suited to conduct risk assessments.
- thinks that DDoS protection is enabled through IDS, you may not want them monitoring your networks
- understands
MFA to be UserIDs and passwords provided at different stages of the
authentication process, keep them away from PCI and regulatory work.
With a quick google search, you will find a host of similar questions already pulled together with expected answers.
The
interview...Understand that behavioral interviews on their own,
assumptions based on listed experience and reliance on listed
certifications will not end positively. I have seen instances of
these approaches in action and the long-term impact. Interviews
must be balanced in terms of:
- understanding candidate technical capabilities
- how comfortable and capable a candidate is expressing thoughts and ideas
- understanding how a candidate may fit into the team dynamic
I
will stress the importance of the technical capabilities. It is
here where you should spend a chunk of time working through specific
open-ended questions based on listed experience and desired
capabilities. If part of the role you are filling involves
certain aspects, then your questions should reflect that…
Knowledge of firewall function and an understanding of associated rules?
Your
IT client approaches you, indicating they would like to open TCP port
22 to an external vendor to share information. What is your
thought process? What questions would you ask? What would you do
if a client asked for TCP/UDP port 53 for DNS queries?
Aspects of vendor security assessment?
An
IT partner is looking to sign a contract for a SaaS product. The vendor
(ABC) uses an external hosting provider. The vendor (ABC)
has indicated that they are PCI-certified. What questions would
you ask?
Penetration testing and vulnerability management?
You
have completed a web application penetration test for a public facing
site, and now you have scheduled a walkthrough of the results with the
Project team. How would you describe cross site request forgery and its
associated risks. What about CSRF?
Working with the development community on secure coding practices?
What are your thoughts on static code analysis vs dynamic code analysis? Where does RASP fit in?
Rolling out logging and monitoring?
What
logs would you look at if you were interested in WPAD and pass-the-hash
attacks? What alerts would you set up for apache web-server logs?
Creating / updating Information Security Policy or Standards
What
is your definition and view of end-to-end encryption? How would
you approach implementation in a corporate environment using a variety
of vendor based infrastructure servies?
These
are high level examples. Be specific...question experience....dig
into the use of terms such as expert and advanced. If you are not
comfortable with the subject matter, bring in a member of your team or
subject matter expert. Ensure you can identify both insightful
and concerning responses.
Be clear as to what you
are interested in. It is here you may discover overstated or
dated skillsets. In my experience one of the paths most travelled
in information security begins with hands on technical experience and
shifts overtime into the realm of governance and risk. In some
cases, technical skills are left behind in the pursuit of
advancement. This is directly related to what skills are valued
and rewarded in the industry and what opportunities are
available. Think of it in terms of existing career paths for
technical staff.
You should be looking for individuals who
are genuinely interested in information security beyond a 9-5 job.
They should be able to speak to interests, how they keep up to
date, what they think of current events in information security, what
their personal goals are in terms of development and learning, how they
have contributed to the broader information security community, how
they take their expertise and apply it to their personal lives. I
have had the opportunity to ask related questions during recent
interviews. I think the responses below underscore why it is so
important to find candidates with a genuine interest in security.
Keep in mind the responses from interview over the past few years are
the beginning and end of how some candidates protect their home
networks.
- ‘I make my router password really long’
- “I tell my parents and significant other to make their passwords really long’
- ‘I put a firewall in front of my ISP’s modem’
- ‘I have anti-virus running’
As
with anything in life, the most challenging path often is the most
rewarding. There are obvious shortcuts. Hire contractors,
loosen internal standards, focus on checklists, create snappy colorful
dashboards that are more subjective in nature. Ultimately the
lack of technical skill and capability will become apparent.
And
there you have it…. decision time. But your job is not quite
over. There are other considerations to ponder. If I am
feeling ambitious I will offer some thoughts soon.
- How do you approach technical self-assessment
- How can you build an engaged information security team
- How can automation make your life easier
..stay tuned