Sunday, June 26, 2011

Talent Filtering for Information Security

I originally wrote this article for the RSA Conference blog (https://365.rsaconference.com/blogs/yinal-ozkan)


Great results are not achieved by mediocre teams… Building the right Information Security team does matter, and it usually becomes a full-time task for the owners of Information Security initiatives in today's enterprise.

The Information Security domain might be hot, and we may have a positive influx of talent into the sector; however, finding the right people with the right skill sets at the right time and at the right cost is close to impossible.

This post has no intention of questioning or changing years of HR practice; the goal is to give feedback from the enterprise Information Security field and to create useful short-order content that can be consumed in the 15 minutes before the interview you are about to conduct…

Here are my experiences with finding and hiring talent in Information Security:
1-      Do not reinvent the basics. As the Buffett/Gates duo has stated, great talent should have three basic skills:
    • Technical Skills (This is standard; I will dig into this item further below)
    • Conceptual Thinking (Seeing the big picture)
    • Communication Skills (This is not "talking too much", as many engineers perceive it. Effective communication is a very valuable skill in all team deliverables)
It is usually easy to find any one of these skills in an individual, but when you find all three together, never miss the opportunity: these people will carry the workload of many!


2-      Have the right pyramid mix of talent in your team: Complex projects require good leaders who can set the target, coach others, lead by example and, most important of all, take the team from A to B. Then you need good managers who can plan, organize and delegate. It is usually good practice to have managers who cut their teeth in project management and financial management offices. Last, but not least, the engineers (or consultants). Based on the size of the project, you must decide whether to go with specialists or generalists. This is a big decision point: the more specialists you have, the more integration glue (architects, project managers, program managers) you need.

3-      Since generic HR topics are not my intention here, I will skip managerial skills and focus on finding the right technical resources. Project-based deliverables do not require that much real-time recall. Therefore, it does not make sense to filter candidates on random closed-book interview questions. My recommendation is to measure their knowledge so that you can level them by it. This is management basics, the data-to-wisdom hierarchy:

    • Ask them questions starting with who?, when?, where?, what? If you get good answers, your candidate has "information": the candidate is probably familiar with the topic.
    • Ask them questions starting with "how?". If you get good answers, your candidate has knowledge. This is a clear signal of experience.
    • Ask them questions starting with "why?". If you get good answers to the "why" questions, your candidate has the wisdom and the conceptual thinking skills you are looking for.

4-      Specialists: Being a specialist is not a rain check to skip the basics of information security. I have met several consultants who were very familiar with compliance but did not understand the technical tools, and I have seen great application security people with zero understanding of network basics. The trend is to have a good understanding of all domains while excelling in one or two of them as a specialist. Interviews with specialists should include two different classes of questions to gauge:
    • How well do they own their domain of specialization?
    • How much do they understand about how the other domains work?

5-      Generalists: I believe there are two types of generalists you can trust in Information Security:
    • New grads with no experience
    • Project managers, auditors, and managers (these usually go well with certificates like CISSP, CISM, etc.)
If you are interviewing a candidate with over three years of Information Security experience and no particular specialty, that is a big red flag.

6-      Send consultants the questions you will ask in advance. This eliminates the "it is not at the top of my head / it has been a while" excuse. Since the technical interview questions were sent in advance, you can ask any particular sub-question. This asynchronous Q&A style is closer to real life, and it also lets you ask really tough questions.

7-      Ask for a sanitized copy of deliverables from past assignments. Good samples are good indicators of the pitched skills. Obtaining samples is problematic, especially in Information Security, because of security and intellectual property concerns, but checking is better than not checking.

8-      Classify Information Security resource types (this is subjective). Classification will help you identify your candidate's specialty, customize your questions and assess candidates more evenly. In today's IS world I see the following backgrounds; we can dig into each area in separate articles. Here is the bird's-eye view for the 15-minute intro:
    • Network Security Specialists: This is the most abundant resource. Most of these resources have a strong networking background and operational and engineering know-how for common tools like firewalls, IDP, content security and OS hardening. Ask for enterprise know-how rather than small-shop experience; that is a completely different skill set. It usually makes sense to source "Security Operations" resources from this background, since their operational experience fits well with the SOC (Security Operations Center).
    • Vulnerability Testers: This is another domain where you can find a lot of resources (not necessarily the best ones). From network testing to penetration testing, this area requires a lot of technical skill. Ask for methodologies, frameworks, references and sample deliverables in addition to the basic checks. Network vulnerabilities, application vulnerabilities, operational vulnerabilities and physical vulnerabilities are different, so make sure you have the right skill sets.
    • Single Domain Specialists: If your project is big enough, you can acquire a domain specialist (e.g. SIEM) or a technology specialist (e.g. RSA enVision). Be sure to question their other skills as discussed above. DLP, DRM, virtualization security, social media and mobile security next-generation projects usually require specialists, so it makes sense to start with consultant specialists to acquire those skill sets.
    • Application Security Specialists: Securing SAP, Siebel or Oracle is a lifetime goal, and it requires a lifetime of experience. The same rules for hiring specialists apply.
    • Desktop Security: Desktop security differs from all other security areas in that the end users are non-IT users. Lately the desktop security domain has been crisscrossing many other domains, like NAC, 802.1X and VDI, so be very careful when filtering.
    • Code Security: This is a hot domain; candidates interact with application security and vulnerability testing. It is not possible to understand code security in every development framework, so an Eclipse-environment expert is not necessarily useful in a .NET environment.
    • Security Architects: Even though you see a lot of titles containing "Security Architect", the real ones are hard to come by. Look for an understanding of EA frameworks like TOGAF and Zachman, and of security frameworks like ISO 27001, COBIT and NIST. Generic frameworks like ITIL and Six Sigma, and the other compliance frameworks, are also important. In addition, look for a thorough understanding of operations and of the technology.
    • Compliance Specialists: An audit background helps; Big Four audit firm experience helps. Compliance has two important parts: meeting the requirements and obtaining accreditation. Make sure you acquire the right internal resources to meet your compliance goals. Instead of going with multiple security compliance specialists, it makes more sense to build an information security management program that can answer the common 80% of requirements shared by all frameworks.


9-      Classify candidate backgrounds by vertical; it makes sense to find Information Security resources with vertical specialization. I find it amusing to mark a "government" background as soon as we start discussing topics with the word "cyber" in them… So far I have seen the following backgrounds in the field. Depending on your project's requirements, different backgrounds provide different outcomes. You can find Information Security professionals with the following backgrounds:
      •   Enterprise
          • Financials
          • Healthcare
          • Manufacturing
          • Utility
          • High Tech
          • Media
          • Other
      • Government
          • Federal
          • State
      • Military
      • SMB
      • Consultancy
      • Higher-Ed
      • Service Provider
      • New Grad
      • Vendor
      • Reseller
      • Out of Sector


    Wrap Up: Look for talent with specific skill sets. To help you better identify the right skill sets, customize your questions based on experience background, vertical background and universal skills such as conceptual thinking.