Two quotes from Sun Tzu:
“Attack is the secret of defense; defense is the planning of an attack.”
“Invincibility lies in the defense; the possibility of victory in the attack.”
You need a team built at least partially of people who have hands-on cyber-attack experience, preferably penetration testing and/or a past in the criminal underground. Degrees and certifications have little to no value whatsoever when your opponents play on a different level. While your ‘educated’ paper tigers build diagrams and battle with Excel, your attackers are mapping your entire infrastructure and human workforce, looking for the easiest way in. You need at least one person on your team who has an idea of who is out there and how your organization could try to stop them.
Building a team starts with finding the right individual elements for it and if I could sum up the whole chapter into one sentence, it would be “Hire for passion”, adding one more word: discipline.
The kind of passion that is visible throughout an individual’s career or personal development path – in their favorite projects, tools, participation in events, courses taken, projects completed, achievements, favorite books, the focus of their studies.
Any skill for any job can be learned and trained within a reasonable amount of time, provided the person is smart and motivated. But passion for a specific field is hardly learned – it is either there or it isn’t.
Coupled with discipline, passion generates tremendous results in the mind of an individual and as a result in their professional and personal life.
How do you recognize passion?
Look beyond the recognizable certifications on their resume. Ask them when they first got interested in security, what drew them towards it, what keeps them interested and how they see the state of information security in the world in 5 years. Look for understanding beyond mere knowledge of facts.
Discipline is easy to notice. From the first glance at someone you can see whether they’re disciplined or not – from their dress code, haircut, hygiene and manner of communication, to their resume, their past life experiences and education (where self-motivated learning gains more points than a degree).
Give them a practical task to complete
Always give tasks right there during the first conversation with the candidate. You don’t have to waste your time and theirs asking about their greatest weaknesses or their hobbies – going straight to the point first will let you filter candidates more quickly and help unfit candidates find their matching job faster.
Don’t just focus on technical or programming tasks – give them real-life business problems to solve. Look at the way they solve problems – do they introduce even more business obstacles by suggesting impractical, difficult, exotic solutions? This way of thinking is very difficult to change and you should avoid people who behave in this way.
Even if they don’t have the answer or solution, how they approach solving the problem is very important. Being startled and puzzled is one thing; starting to think logically and seeking multiple solutions is better. If the candidate puts business first and builds their secure solution around that, you’ve got a hit.
Have a baseline
Have a list of questions defining the baseline, which would eliminate those who are unable to answer them. For example, not being able to differentiate between a hash and an encoded string, or to explain the difference, would mean the interview stops then and there with no further questions, no matter what level you’re hiring for.
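The hash-versus-encoding baseline question above is worth having a concrete answer ready for. The following is an added example, not part of the original chapter: it shows the property that separates the two (base64 encoding is reversible by anyone with no key, while a hash digest is fixed-length and one-way) and a small classifier an interviewer could use to sanity-check a candidate’s answer on sample tokens. The function names and the sample tokens are my own constructions.

```python
import base64
import binascii
import hashlib
import re
from typing import Optional

# Hex-digest lengths (in characters) of common hash functions.
# Used only as a heuristic: length and charset alone cannot prove a string is a digest.
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def encode_base64(data: bytes) -> str:
    """Encoding changes representation, not secrecy: no key is involved."""
    return base64.b64encode(data).decode("ascii")


def decode_base64(text: str) -> Optional[bytes]:
    """Encoding is reversible: anyone holding the string can recover the bytes.

    Returns None when the input is not strict, canonical base64.
    """
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Round-trip check rejects strings that merely use the base64 alphabet.
    return raw if base64.b64encode(raw).decode("ascii") == text else None


def sha256_hex(data: bytes) -> str:
    """Hashing is one-way: fixed-length output, no inverse function.

    Distinct inputs give unrelated digests; the input cannot be recovered
    from the digest except by guessing it.
    """
    return hashlib.sha256(data).hexdigest()


def classify(token: str) -> str:
    """Heuristically label a token as a hex digest, base64 text, or unknown.

    The digest check runs first because a 64-character hex string is also a
    syntactically valid base64 string, so the order of the checks matters.
    """
    if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) in HEX_DIGEST_LENGTHS:
        return f"hex digest, probably {HEX_DIGEST_LENGTHS[len(token)]} (one-way)"
    if decode_base64(token) is not None:
        return "base64-encoded (reversible, not a security control)"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample tokens an interviewer might show a candidate.
    secret = b"secret"
    encoded = encode_base64(secret)
    digest = sha256_hex(secret)
    print(encoded, "->", classify(encoded), "->", decode_base64(encoded))
    print(digest, "->", classify(digest))
    print("hello world ->", classify("hello world"))
```

The point a candidate should be able to make is visible in the two helpers: `decode_base64` gets the original bytes back with no secret at all, whereas nothing in the block can get `b"secret"` back out of `sha256_hex`’s output. A candidate who treats base64 as protection, or who expects a hash to be “decrypted”, fails the baseline.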
Have a list of funny questions
Why not ask what the difference between Chuck Norris and Bruce Schneier is? If they laugh, you’ve got a hit. If they look puzzled and don’t recognize the second name, it is probably a good time to ring someone else.
Their favorite books
Any professional who is serious about their job reads books on the topic all the time. Their complete infosec reading list should be huge if they’re over 30 – and if they’re 20-something, it should be at least 10 books long with at least 2-3 favorite classics, one of which should definitely be “The Art of War”. Generally I would not hire anyone who does not read – not necessarily only security-related books; books in general are incredibly important. I’ve heard people say that books are overrated and they get all their information from blogs – no comment on that.
Building the team itself
This is probably the most difficult task – as interpersonal relationships are sometimes very tricky and seemingly perfect candidates for different job roles might be completely personally incompatible. Mature people work together ignoring their personal differences, while the young and inexperienced generally tend to participate in conflicts. Having this in mind, look for team members with life experience – even though the term is hard to define, you most likely understand what I mean.
People who are able to express themselves well also tend to be good team players, but don’t forget that sometimes introverts who prefer being left alone can be extremely productive, too.
Team-building events are extremely important – not just going out, but giving the whole team tasks such as working on the new firewall design for an hour every day for a week builds a collaborative environment, at the same time showing weak spots and opportunities for improvement in the team relationships.
Years ago I created a ‘checklist’ for hiring infosec professionals – which does just that. It checks for specific signs of passion for the infosec field. Yes, it does not apply to everybody and yes, it is not a measuring stick to compare against every single hire you are going to make – but you could use at least some of the questions in it to gauge someone’s involvement in the field.
Some points in the checklist might seem very irrelevant or silly – but please remember they are there for a reason. For example, the nickname ‘muts’ would be recognizable to anyone who has worked with the Auditor, later BackTrack, later Kali Linux distribution for a number of years. Recognizing this nickname means that the person has been active on IRC in those early years – and participating in IRC while working with security tools at the same time means being a part of the community, knowing people in that community on a level which is beyond ‘connecting on LinkedIn’ and reading blog posts of famous authors. That is why this point is there – the same applies to the other points in this checklist. This specific point is applicable to penetration testers and security auditors and is not applicable to forensic specialists, for example. That is why you should only apply the questions which are relevant to the position you’re hiring for and for which you understand the underlying reasons. It is a very tricky checklist, I understand that – but it is at the same time valuable in finding people passionate about the infosec field.
INFORMATION SECURITY PROFESSIONAL HIRING CHECKLIST AND SCORES
This checklist can successfully determine the real-life applied skills of an information security professional beyond the regular, standard questions asked at an interview. This checklist is “cheat-proof” as there are no online interview questionnaires containing any of these questions.
The value of each question is in the meta-knowledge supposedly existing if answered positively. You can use it as a pre-screening tool – anyone who cannot get to the passing score (which is 50%) should never be hired in the Information Security Field.
Any technical skill can be learned in a limited amount of time – becoming a part of the infosec community and breathing security is not learnable – this is what this checklist “checks” for.
NAME RECOGNITION AND COMMUNITY COLLABORATION
1. Bruce Schneier
1.1. Knows who he is – 1 point (famous cryptographer, security and privacy expert, security author)
1.2. Knows the title of at least one book written by him – 1 point
1.3. Has read at least one book by him – 3 points
1.4. Can name at least one “Bruce Schneier Fact”, or at least the meaning of the phrase – 3 points (http://www.schneierfacts.com/, a humorous fan site dedicated to Bruce depicting him as Chuck Norris – an example is “Bruce Schneier’s secure handshake is so strong, you won’t be able to exchange keys with anyone else for days.”)
2. HDM (H.D. Moore)
2.1. Knows who he is – 1 point
2.2. Has spoken / interacted with HDM at least once in their life (virtually or live) – 1 point
2.3. Has used Metasploit and can describe how Metasploit works – 3 points
3. Knows who the author of S.E.T. (Social Engineering Toolkit) is – 3 points
4. Knows who Joanna Rutkowska is – 3 points
5. Knows which IRC channels to use to reach the infosec professionals who present regularly at DefCon, BlackHat, BruCon, CCC, etc. conferences – 5 points
6. Recognizes the company “Offensive Security” and knows what it does (created the Kali (BackTrack) distribution, runs the Offensive Security training courses) – 3 points
7. Knows who “muts” is (Mati Aharoni) and where to find him (creator of Offensive Security, can be found on IRC) – 3 points
PRACTICAL SECURITY SKILLS
MINIMUM PASSING SCORES
Name recognition and community collaboration – 15 points
Books – 10 points
Practical Security Skills – 25 points
Practical Knowledge – 10 points
Total minimum passing score: 60 points