Before getting into what makes the best security teams, it’s essential to look at what makes an individual. If you agree with me that our very roots are hackers, you will get the perspective I am trying to bring. When it all started, technology and programming were just being born. We were curious to know the what and the how of it, like a child playing with everything it gets its hands on.
Curiosity has been the fabric of all that we do. But it is important to move from the ‘what’ to the ‘how’. When hiring, I see a lot of folks who know some concepts but haven’t tried enough to see through the systems those concepts describe. This skews their perception towards what they have heard rather than what really happens. It applies to protocols and to systems of every kind: devices, applications, servers and any other node you can think of. Your passion shows in what you have done with systems rather than in what you think you know about them. Hence learning by doing is a great way to start.
As applicants in Information Security, we will mostly end up in one of three places: Offensive Security consulting, software delivery, or the product/manufacturing industry. The emphasis is different in each case.
Consulting companies require out-of-the-box thinking, efficient attacks and, when working on scaled-up infrastructure, structured execution. Software delivery may prefer an understanding of the various tech stacks and of the fixes appropriate to each. Product companies today want automation and speed over manual work. When defending infrastructure, though, your experience of dealing with things breaking apart may count a little more than knowledge of the security products alone.
With over a decade of InfoSec interviewing, I have seen a conversion rate of around 10-15% (in India). Some of the best CVs out there may prove to be of not much value to your use case. A line of certifications does not prove anything and in fact can sometimes be deceptive. I learnt this once when interviewing an OSCP (don’t get me wrong, I like and am an OSCP), who could not answer the most basic of attack scenarios. You shouldn’t judge a book by its cover.
On the contrary, some very humble CVs (and people) turn out to be gems in the course of time. While some may debate that hacking is an art, a lot of it is earned over time with commitment and going that extra mile daily. Besides, some of them are smart and they know it. As an interviewer we also need to see if the candidate will stay or run away; in short, if they won’t stay, they are not the right fit for your organization.
The best thing to do is to be honest to your trade. Understand that it’s OK to NOT know something, and be confident in what you do. Whatever you touch, try to explore it as thoroughly as possible in the time given. If you have done tons of good attacks, you will not remember them all (I am personally not great at remembering), but they will shape your perspective and the creativity of your answers in the interview. Also, if you have solved ‘people problems’ or built security automation at the organization level, make sure to provide some metrics that help the interviewer gauge the impact of your programs.
So, what do we need to look for in a candidate? Well, the obvious but simple attribute which is often ignored is the candidate’s willingness to explore the role and to contribute to it in equal measure. Security is a hot seller, so it is a no-brainer that a talented individual will easily be in demand. If they are not genuinely interested in the role, they will not stick around long enough to contribute, or worse, they will use the role as a stepping stone to something they are really interested in. This is a subtle difference, and I have seen many people join for the name, brand or money and leave at the earliest available opportunity.
Secondly, if they are truly here to explore and contribute, the attitude to learn cannot be far behind. The tide may have been high a decade ago, but the security landscape is simply crazy right now. An increasing user base, numerous products, a plethora of apps and an active set of hackers have led to new vulnerabilities every day. Funny though, ours might be the only field with more discoveries than inventions ☺ Everyone may have their own way of keeping up, but they must have one. Sometimes attitude is the only thing they will need in order to learn. In the real world, you might be thrown at any ‘system’ and you will need to hack through it.
I have been a practitioner mostly. So the only thing remaining is to see how well they have turned things around. Ask for their real-life experiences, whether technical or not. If you are recruiting for Offensive Security, check whether they know the applicability of the fundamentals and the boundaries where those break down. Refer to ‘Doing Vs Knowing’ for more cues. Defensive Security, on the contrary, requires them to know the various layers at play when setting the security strategy. See if they have ever married security to business goals, and ask how. This may have required them to hack through the cultural blockers in those organizations, which can prove far more helpful. Hence, look for the problems they have actually solved.
A perfect security team is a myth. However, the best team, in my opinion, is one that has the right mix of balanced and extreme individuals with their respective domain strengths. All should be ready to go that extra mile, whether that means exploring or attacking new and existing technology or communicating with the client, developers or in-house teams. Transparency, consistency and trust drive the security industry and help you stay ahead in the long run.