A Field of Failures

d4rk
3 min read · Sep 30, 2016

Right now I think pretty much everyone who is established in the security field is getting asked about how to break in and what makes for a good candidate. As I thought about other things while job candidates talk about their certificates and what their college professors told them about anti-virus, I started to think about what does make for a good candidate.

I think it's safe to say that the security profession attracts an unusual type of person. Go to a security conference and you'll find a range of very unique individuals who would in no way be described as "mainstream" for the most part. Heck, five minutes at DefCon and anyone could reach that conclusion.

What sets security professionals apart from other careers is that for many of us we are a group that has experienced failure, and to be honest, is accustomed to it. Think about the nature of our job:

  • We are going to fail to stop the bad guys from getting into the network
  • We are going to fail to train end users to stop clicking links
  • That exploit isn’t going to work right the first time (or even the fifth time)
  • Certainly you're going to miss finding some vulnerability or critical configuration that will bite you…

When you work in that kind of environment, it doesn’t lend itself to a personality who is always successful. I’ve seen a number of “straight A” type people looking to get into the field, attracted by the salaries and type of work offered. It’s the same people that seem to burn out within a year or two and seek some other type of work. I think the big difference there is that they aren’t used to struggling and making mistakes.

So why do the failures succeed?

In our field you are frequently confronted by challenges and problems you can't get around. As a pen tester, a server may look vulnerable to a particular exploit. Unfortunately it may take 20–30 tries before you're able to successfully break in… if you're lucky. Someone who plays by the rules and always aced the test on their first try is going to struggle in that environment. When you're breaking into stuff there aren't clear-cut rules and guidelines. Sometimes you have to just try weird, stupid things until one of those dumb things works.

I think if you've failed in your personal life, you're more likely to be comfortable making mistakes and with things not going well professionally. If you were cut from your sports team, or did terribly in school, you already know what it's like to struggle. If you have the right work ethic, and you're willing to struggle, you will eventually be successful in security. You may fail 30 times breaking into a system, but if you get it on 31, you've still contributed something huge to the organization and security's goals. It's that perseverance and the knowledge that you can survive making some mistakes that makes you good.

Thomas Edison had to learn 10,000 ways not to make a light bulb. I think a lot of newer applicants in the security field are the type who give up after trying once.

What does it mean?

I'm taking this mindset into the interview room with me. The candidates that are the most interesting to me are the ones who have made mistakes, or haven't been continuously successful, but are willing to work hard and not be afraid to mess up. There are a lot of non-traditional people out there who can be trained into phenomenal security professionals. Maybe they hated being an accountant, but they are detail-oriented, capable of research and learning, and have a great work ethic. You can teach the technical pieces; it's their passion and ability to work through the obstacles of the security world that will make them successful.

The best security people I've worked with don't have degrees in security or straight A's on the books. They were accountants, lawyers, and tech support reps who made the leap into security and weren't afraid to make mistakes and ask questions. Take a chance on these non-traditional applicants; you might be surprised.

d4rk

Threat research, underground activities, miscellaneous security.