Saturday 27 October 2012

Hire great infosec people (and keep them)!

Earlier this week I had an interesting exchange with several people on Twitter after a statement Mary Ann Davidson (Oracle CSO) gave at the (apparently awesome) ISSA Conference. It was paraphrased by George Hulme:

"entry level people have to work to convince orgs they are worth giving a break for a position."
Roughly translated, this would mean that if you are planning on joining an organisation to make a living from the skills you have built in college, university and/or through diligent self-study, you shouldn't expect any favors (or even a wage?) from that organisation. They will evaluate you against their set of values to see if you're 'a match' and, maybe, then you could expect to be respected and could look forward to making progress.

The problems I see here are legion. I'll try to address the most important ones as I see them and specifically for information security profiles.


  1. I admit that there is a certain professional etiquette, but I'm also convinced that this is covered by a decent upbringing provided by parents. You don't want a potty-mouth cursing at your users through the telephone and you want somebody that behaves normally. A smart person knows when he has to dress up and when he can wear a t-shirt. I think we're way past the era where three-piece suits were the mandatory uniform. Dreadlocks or long hair? Facial hair? Tattoos? If you still care about that, don't expect to find the creative, intelligent, driven individuals you are looking for. If you open your mind, your ass will follow. (thanks En Vogue...)
  2. You will indeed need to 'test' people beyond your initial HR filter, long after you hired them, if you are convinced that a conventional hiring process still works. 'Way back when', job ads were used because normal ads were way more expensive and all we wanted was to have our brand in the papers. Now that Google Ads are even cheaper than job ads, what is the use for them? Imagine that you are fishing at sea: you can throw in a line to catch a random fish that you may or may not be able to eat. Another choice is to tune your lines, depth and bait to the particular species you want to serve your friends tonight. Job ads are your average bait, luring in ALL THE PEOPLE and thus requiring a very coarse filter to keep the edible ones. For infosec, you want very specific people, so you're going to have to adapt your hiring process. In short, I would advise getting 'out there'. Visit (local) conferences, hackerspaces, Linux group meetups, DEFCON chapter meetups, ISSA|ISC2|OWASP meetings, etc. etc. etc. You'll get to meet the exact kind of people you are looking for, and you didn't even need your HR person to filter resumes by degree or certificate letter soup. You are winning! Throw in a CTF (Capture The Flag) style skills assessment, maybe sprinkled with business-specific challenges, and I don't doubt you'll fill the empty spots on your team.
  3. "People have to prove themselves..." Lord please.... The exact people that you are looking for (driven, intelligent, skillful, ...) have already proven themselves and they probably have a job that is paying their bread and butter. Assuming we're still stuck in 'classic' hiring practices, the solution would be to throw more money at them. You'd be in for an interesting experience :-) I would call it the axiom of infosec hiring:

    "For each org acquiring or retaining talent solely by pay raises, there are at least two orgs with more money to spend."

    The people you need obviously expect to make a decent living. They have spent hours and hours honing their skills and, while in many cases their professional activities overlap with their hobbies, they are not to be exploited. From personal experience, however, I can tell you that money is rarely the primary motivator. These individuals are to be challenged and, to some extent, allowed to roam free. It can be as easy as organizing regular internal hackathons focused on business problems, but don't expect them to be tied to a chair performing repetitive tasks. Depending on the market circumstances it will take between 3 and 24 months before you've lost them.

I was actually not going to spend the time writing down my opinion on the whole 'finding the right people' discussion were it not for Rafal Los coming out with another article on the subject. The article is kind of all over the place and most of it could be answered with what I've written here, but I want to specifically counter some of the four recommendations that he offers.

  • Partner with a good recruiting agency that can weed out the talent from the talent.(sic)
    • WRONG! Get out there yourself. Get a mandate from HR to play a more active role in the hiring process. Send out your team members to cons and local meets. They will learn at the same time as they are meeting their future colleagues. That's full of win. Recruiting agencies are great for finding people to 'fill' your organisation; the 'foundation' type of people you generally don't find through recruiting agencies.
  • Offload as much of the non-business critical work to a partner organization allowing you to keep your business-smart security folks for critical LOB tasks.
    • WRONG! Note that I'm not saying not to outsource stuff that's not critical. But there is some gross negligence in this recommendation. Firstly, outsourcing at first means an increased workload for your internal people. Processes that are currently 'informal' need to be fleshed out and formalized. What your internal people take for granted isn't so obvious for the third party. As your organization evolves, outsourcing may even be more high-maintenance than insourcing. I would never recommend it as a blanket solution. Secondly, this recommendation is made specifically to focus your business-savvy security folks on critical LOB tasks. The problem is that while performing LOB tasks they will need data to support the points they're making to the business. By outsourcing (for instance) SIEM and IDS, perimeter device management, IAM management, etc. etc. you are further removed from the data you actually need, and especially the business context melts away at a rapid pace (getting locked in PDFs containing service reports and such). Remember that the primary concern of that third party is their business, not yours.
  • Offer incentives to keep people working for you
    • If incentives are considered to be solely of the monetary kind, please consider what I've written under point 3.
  • Train existing human resources as you may already have the 'right' people working for you in roles where they're under-utilized.
    • I would add some perspective here. Training resources across the board just because someone suitable might surface whom you could hire internally for your team is a giant waste of money. You are looking for people with a very specific skillset that you could 'test' for. One could, as an example, run Incident Response exercises involving staff from different departments. Apart from just looking at how well your processes work, keep an eye out for individuals that perform extremely well. Those are the raw gems you want to polish through training and mentoring, not *everybody*.

I think I could write a book about infosec hiring, but I don't think there is a big market for it and I don't seem to have a problem finding the right people for the job myself ;-) For some of you it could sound like I'm talking from my butthole and I accept your criticism, YMMV ;-)

***UPDATE***
A reader anonymously sent me the following message:
"I turned down an offer that was twice the offer I took because I felt I was more understood as an auto-didact at the organisation of which I accepted the offer."
Money matters, but only up to a certain degree. If a person can eat, sleep under a fixed roof and maintain his drinking habit (j/k), other things start to count. Be very much aware of that.