Recruiting Chaotic Good Wizards
If you have not read part one yet, it's here.
It was not easy growing up in the late 70s and early 80s. Parents actually expected you to go by yourself and “play” outside. Outside, where there is no air conditioning nor neon lights. I remember the harsh glare of the sun beating down on me as I was playing with marbles and apricot seeds (true story! they were a popular game when I grew up). I was in despair.
And then! And then my very *ahem* not-at-all-geeky friends and I discovered Dungeons and Dragons. It was bloody marvelous. We could slay dragons and annoying paladins alike in the shelter of our air conditioners without moving a muscle! (at least, not too many; we needed to go to the toilet every now and then. Or to refill on snacks).
In any case, for those of you who recall character alignment, it was based on two main axes, Lawful vs Chaotic and Good vs Evil, and all the possible combinations in between.
My favorite alignment was typically Chaotic Good. It was, in my view, the winning combination: people who ultimately want to do some good, but wouldn’t be too upset if they broke some rules on the way. Or burned some villages. Or indulged in a massacre or two. You know, nothing too extreme.
Fast forward some years, and I find myself in the un/fortunate position of recruiting information security personnel. I’m using the wholly original wording of un/fortunate (tm) because:
- I’ve met some of the most talented people while scouting for candidates.
- Some of them I stayed friends with even years after leaving the job.
- Generally speaking, this is one of the more “fun” things a security professional can do (i.e. looking for good people to expand his/her team). And in case you wondered why “fun” is in quotes: it’s because we security people don’t do fun. Ever.
However, on the unfortunate side you get:
- Not enough good people to choose from
- Good people who think that the sun shines out of their arses
- Bad people who think that the sun shines out of their arses
- Bad people that don’t know they’re bad people
- Good people who can’t talk with other human beings
- People who refer to themselves as gurus or thought leaders
But enough about my personal distastes.
One thing I’ve found during my tenure, both recruiting people and being recruited myself, is the sad fact that most of the people who recruit information security professionals don’t know how to recruit their own kin. Cascade this problem further down the line, and you have a whole lot of recruiters who make this problem much worse: wrongly describing the positions, asking the wrong questions in interviews and paying the wrong salaries to people who are not experienced enough.
And why is that a problem? As I’ve mentioned previously, such actions bring the whole industry down and create a whole layer of inexperienced, overpaid people.
I can’t even get a cyber piss boy these days without paying a six digit salary.
So let’s see, as a first step, how you go about writing an appropriate job description for your new extra special cyber punch bag. COLLEAGUE! I MEAN COLLEAGUE!
I know, it sounds pretty obvious, but based on the gems I keep seeing on job and career sites, it isn’t. When you come to write a job description, consider the following:
- Specialization — security is not a single line of profession. The same way you don’t publish a vacancy titled “IT GUY WANTED” or “SOME FINANCIAL PERSON GOOD WITH NUMBERS”, don’t assume that if you publish a generic “SECURITY EXPERT NEEDED” you’ll get the right person in. Also, you’ll look silly. For more on specialization I shamelessly refer you to my previous blog post.
- Be specific with the requirements — the number of technologies a security professional may need to know is as big as the holes in your perimeter. Even with specialization, you need to be as specific as possible. Mention technologies, vendors, programming languages, and in what ways you want the candidate to break them. If you want someone to be hands-on, be sure to actually say so in the job description. Otherwise you’ll get: “Oh, you want me to actually harden your mainframe and not just talk about it?”
- Years of practical experience — this is harder than it sounds in the field of security, since some candidates believe that if they alerted their high school that it had a weak password policy, it qualifies them as a SEASONED ENTERPRISE LEVEL RED TEAM EXPERT. It doesn’t. While many in the field start at a very young age, the quality of the practical experience gained in the grand days of their youth varies wildly. Be sure to be specific (e.g. “at least 5 years of experience in an enterprise environment”). Years of experience also help you, and the recruiter, determine the level of seniority of the position and the salary benchmark.
- Think about the soft skills you need — you might find this somewhat surprising, but security professionals sometimes need to talk with other human beings. Shocking, I know. While you can certainly hire some Linux specialist who gets scared whenever they need to talk with someone else (or when they see a GUI, may the lord help us), most security people will need to be part-time psychologists as well. Security, even where it is a mature function, will always be despised, hated, ignored, spat at, kicked and placed in very small cubicles on sub-basement 7, just behind the janitor’s out-of-order chemical toilets.
You get the picture? Good. Because you need to explain, day in and day out, why you are needed, what you are preventing, and why the fact that the organization doesn’t see security incidents is not necessarily a good thing. You need to make them want to love you. And if you have a bunch of security zombies working for you, yer not going to get very far.
- Certifications and university degrees — this here is a problematic subject which I will cover in more detail at a later date. However, when recruiting new people you need to consider the following: is it essential for them to have either? Some organizations have already turned certifications like CISSP or CISM into a knockout criterion. Meaning: you don’t have it, you don’t even make it to the first interview. Same for university degrees. Don’t. While generally speaking it is important to know that your candidate can self-study and can pass exams, with the exception of some certificates (such as OSCE or SABSA) they should always be considered a nice-to-have or an advantage, never a mandatory requirement. I’ve worked in security teams that had people with degrees in Biology, Civil Engineering and Political Science, and people with no degrees or certifications. They were all highly experienced professionals, because they learned most of their job by themselves or on the job. Again, I’m by no means opposed to education. I’m saying that in the infosec field, practical experience is, in many cases, more important than education. When I see job adverts saying “CANDIDATE MUST HAVE CISSP” or “IF YOU DON’T HAVE A CISA WE KILL YOU LONG TIME”, I shake my head in mock despair. These companies will get a highly certified person, but whether that person can do the job in a “real” company remains to be seen.
Finished the job description? You’re almost there. Now there are just two additional things to consider:
- Compensation — HR have a chronic tendency to underestimate the salary of security personnel. That is not because they’re evil people (well, some are) but mostly because security people tend not to match the job family structure most enterprises use. For those of you who don’t work for large companies: many of them use a job grading system which is based on market benchmarking by external companies (such as Towers Watson). Remember the job definition issues I mentioned in my previous post? If the security industry can’t define its own job families, why do you think HR can do a better job? What happens in the end is that HR picks the closest-sounding position it has on its list (something like SENIOR EGRESS NETWORK TECHNICIAN or WINDOWS INTERMEDIATE DATA-CENTER LOGISTICS LEAD) and just uses that salary. The result: you have senior penetration testers who are offered the salary of an intern in Iraq. Not to say that interns in Iraq are not good enough, but their pay grade is somewhat different. Bottom line: do not be ashamed to challenge HR. You need to show them some numbers (you can use sites like Payscale for that) or just explain, based on your experience, how long you’ll be able to retain employees on that salary. The idea of going once more through a lengthy recruiting process within 18–24 months might convince them to up the salary a bit.
- Do not shy away from specific countries, gender, religion, age or body odor — while the last part of the statement is false (yes, people, even hackers need to wash every now and then and use a deodorant), never avoid hiring someone just because he/she has a specific gender, age, skin color or religion. Do not let your misconceptions prevent you from hiring someone just because he’s over 50. Or a woman. Or from a part of the world you think is not advanced enough. Talk to the guy or girl, get to know their capabilities, and even if their accent is a bit strange, they might be the best person you ever worked with. I’ve run teams that had a combination of borderline teenagers and people over 50, boys and girls, black and white. They were all the bestest. Yes, there is such a word in English. No, you can’t find it in Merriam-Webster.
And there you have it, you’re almost ready to recruit your new chaotic-good wizard. The only thing you need now is to interview them, hire them, induct them and break their spirit. I MEAN NURTURE THEM. NURTURE THEM.
Watch this space for the yet to be named next episode and if you liked this article, you should go follow me on twitter.