It’s easy to argue that the most significant issue facing technology today is the security of online data. As demonstrated by recent mega-breaches, IT security pros can barely keep up with increasingly sophisticated threats, and the need for talent with a solid security skill set is therefore great.
The security field needs critical thinkers, not just candidates with good resumes. These top-notch practitioners want to know “why” something happened, not just “how,” and they’re not always comfortable following a list of prescribed steps to deal with problems. Or as Georgia Weidman of Bulb Security put it: “I’m more interested in someone’s process than the candidate knowing all the right answers.”
Know More Than the Basics
If your tech background includes positions outside of the security space, all the better. According to Voodoo Security’s Dave Shackleford, the security industry lacks professionals with programming abilities who understand complex topics such as cryptography, and who have also used a wide range of technologies that give them an experienced perspective on risk analysis.
If you’re an absolute beginner in IT security, read Shackleford’s excellent blog post “One for the N00bs” before you send off your first resume. For those still relatively new to the field (e.g., three years or less of experience), capabilities earned in the “real world” will often earn more regard from an interviewer than whatever you learned in school. “Most college doesn’t even come close to preparing people for information security careers, sadly,” he said.
Prove in Depth
Shackleford believes the ideal candidate for a security job should be prepared in the following ways:
- A Foundational Skill Set: That skill set should include some system and network administration/engineering, familiarity with vulnerability management, and an understanding of perimeter security (firewalls, proxies, IDS/IPS, secure architecture, anti-malware).
- Projects… Lots of Projects: Ideally, your beyond-the-classroom efforts have been infosec-focused and included participation in NCCDC or regional competitions.
- Track Record: Be prepared to demonstrate (or explain) how your work helped to secure an organization, and how you reduced its overall risk.
You Must Communicate
To augment their personal narrative, Shackleford added, candidates should emphasize how well they can work with colleagues, even those not involved in IT. “Security can’t hide under a rock,” he said. “We have to get out with the other people in the organization to help them.”
Given that need for collaboration, even the most technically skilled candidates should work on their communication abilities whenever they get the chance. “There really is an expectation of people skills and interaction, and they should be prepared for this,” Shackleford said.
For her part, Weidman looks out for candidates with a willingness to explore and investigate. “When I used to interview for jobs,” she said, “I’d get a lot of ‘What is the syntax for this command,’ and now, when bidding on jobs for my company, I get a lot of, ‘What exactly would you do in this situation,’ but my truthful answer, unless it’s something I do all the time, is, ‘First I’d do some research.’”
A good candidate, in her estimation, will have the communication skills necessary to explain a security fix to others in an organization, even those without a significant tech background.
Show More Than the Whiteboard Allows
Some companies give practical exams as part of the hiring process. While it’s impressive to breeze through these tests, all hope isn’t lost for candidates who struggle a bit with the material. Weidman takes note of those who use test time to explore the problem and work through multiple options to learn what works best; that shows an aptitude for critical thinking, which is so necessary for an IT security job.
“No one knows everything, even in a narrow field,” Weidman said, “and even if they did, technology is always changing, so more than being able to answer specific questions, the ability to pick up skills and figure things out is something I look for.”