Hiring new technical security personnel in 2006

A security group is compromised (or should be comprised) of many different types of people. One of the subsets of the security group should be the engineers (or techies). These are the folks that will be ‘down in the weeds’ configuring firewalls, designing networks, pen-testing, writing or testing tools, etc. What skills should we be looking for in these people?

When hiring new security engineers, some (many?) of us will be looking for Education. Some will be looking for credentials or certifications. Some of us will be looking for experience. Here’s what I’ll be looking for (in order of preference).

1) Honesty. Don’t let the fox in with the hens.

2) Drive. If a person loves what they are doing, they will spend more time doing it. With respect to infosec, these sort of ‘driven’ individuals will rapidly absorb and retain security-related information. Look for these people to traverse the learning curve very quickly.

3) Critical thinking. In my opinion, it’s not what you know, it’s how you deal with what you don’t know.

4) Real-world smarts (aka “common sense”). I need someone who can ask both the hard and the easy questions. Contrary to what Elton John would have us believe, “Why” often seems to be the hardest word to say.

5) Experience.

Traits 1 – 4 are MANDATORY. I won’t hire a ‘techie’ without those traits. Trait 5 is optional (i.e. nice to have on top of the important stuff).

Happy New Year and good luck with those new hires :-)


  • http://ravichar.blogharbor.com Ravi Char

    Very interesting post. Did you mean relevant security experience is optional?

  • dmitryc

    Yes. For new security engineers, relevant security experience is optional, imo. I get way better results by hiring folks that meet the bullets above.

  • http://www.whiteacid.org WhiteAcid

    Wohoo. 4 out of 5 and all the essentials. Not sure I’d hire myself though. Either way…. experience will come in time.

  • http://www.tuxq.com/ Steven

    My honesty and bluntness have cost me a job and denied me another. Not to whine, I stick to my guns. I won’t change that for a paycheck ;) Not sure what company you’re working for but, want a resume? :)

  • sunshine

    My preference is more to these two:
    1. Being a nice (okay, rude would also work) guy that can get along with people or more to the point – in a corporate environment.
    2. Being able to learn. I.e. being able to handle and learn on their own whatever is thrown at them.

    These can come as an experienced person, or as somebody who never heard of what a buffer overflow is. It won’t matter either way and both have their PROs and CONs.

  • jerry

    Honesty and bluntness sound like a codeword for lack of tact and an inability to pick your battles.

    It’s necessary to view problems from the perspective of another person if you’re gonna get them to buy into it. If you end up locking horns with everybody you work with, you won’t get anything done….even if you are right.

    Security needs to be about corporate needs, not just about security. Sometimes a great security idea costs too much. The risk analysis process allows the business owner to determine if the “solution” is better than the “problem”. We all make insecure decisions every day because we’re willing to assume the risk (I hope that can of Folgers that I just opened didn’t have anything bad in it ‘cuz I just drank the first cup.)