Hiring for security teams

I run an application security consulting company. The majority of our work involves testing web and mobile applications. A big challenge in hiring for application security is that candidates need to understand the network layer, the transport layer and the applications themselves.

The world of applications is constantly changing and evolving. We don't have a settled way to evaluate candidates or to keep people constantly up-skilled.

An ideal candidate

They need to sit at the intersection of a bunch of skills.

  1. Great at understanding a variety of applications, applying their knowledge of the web and related protocols to get a sense of the business logic.
  2. Great at articulating, in writing, the issues found and why a developer should care about them.
  3. Someone who can absorb the pressure of tight deadlines and the lack of visible success on some projects, and can perform even with incomplete information.

Is it even possible to find someone with all of the above?

Not really, but for most people, if they are strong in even one of these areas the others can be honed. The crucial part of being able to train people is the objective and subjective evaluation of an individual's grasp of the concepts (fundamental knowledge), applied knowledge and capabilities.

Their real skill is how well they practise those capabilities and how quickly they can re-align them for successful execution.

Imagine if we could evaluate this at the time of hiring and, if someone needed a bit more time and support, share a personalised learning path. That would be a game changer for most of us.

At this point I don't have any solutions to offer, but I would like to share what we do at Appsecco, which is a combination of the following:

  1. Regular hackathons for people to practise their craft and master skills.
  2. Discussions around productivity and approaches to projects (time boxing, pomodoro, etc.).
  3. Emotional well-being and mental health. Everyone is encouraged to tell their leads if they are going through a tough time (for professional or personal reasons) or if their mind is just not in it.

Our guiding principles for hiring

Everyone is capable

If they don't have the knowledge or the ability to do something specific, they can be trained, as long as they are willing to do the work.

Initiative trumps everything else

Initiative trumps almost every other personality trait. Individuals who are willing to take a risk and go after learning in spite of the inherent fear of failure, stepping completely out of their comfort zone, are the ones who create tools used by others and write books and articles referenced by others.

In my experience, companies can't really inculcate initiative. It is one of those latent abilities that can be honed if it exists.

Be kind to yourself

Be nice and kind to yourself, because the journey to accelerate learning is bound to be full of seemingly insurmountable obstacles and highly improbable odds. The net effect is that we will see a lot of failure. Failing while trying shouldn't be a reason to be hard on yourself. In short, we prefer people who are willing to try but will be chill if they don't succeed on their first (or nth) attempt.

Be open about trying out multi-function roles

All testers should be open to writing code. All coders should be open to testing. Everyone, including non-technical staff, should be open to documenting their way of working and then figuring out how to automate the majority of their job. Once they do that, they can move on to better, more fun and challenging problems.

What do you think about hiring for security teams? Do you agree, or is there a magic sauce you are willing to share?

Image - Photo by Clem Onojeghuo on Unsplash