
So you are looking to hire a fresh graduate to work in an entry-level/trainee IT security role that covers a wide range of tasks: vulnerability research, penetration testing, secure software engineering.

Assuming that you will invite to interview candidates with general degrees in CS/IT and no specific experience of security, what key attributes would you be looking for?

e.g.

  • An interest in security (obviously)
  • An appreciation of current problems in the field
  • Understanding of cryptography

Related question: I see entry-level security skills as a problem for industry - what can we do about it?

[can't add new tags: recruitment]

sjp
  • A background check. ;-) – Chris W. Rea Feb 21 '11 at 15:41
  • Ask what the last security (or related) book he/she has read is, and also ask which web sites he/she reads to learn or stay updated on it. If he/she hasn't read any sort of book on security or doesn't know at least some security resources, he/she doesn't have any real interest in security. – boos Jan 14 '12 at 16:52
  • @boos That's one I use often, as well as which security professionals they follow (e.g. on Twitter). I tend to place a lot more trust in someone if they say they're a fan of PoC||GTFO or Phrack than if they say they're big-time Slashdot users or regulars on HackerNews (though there are a couple of domain experts in the comments section of the latter). – guest Nov 19 '17 at 03:19

3 Answers


Generally, you can't expect domain knowledge of a fresh graduate in any field, so you're looking for someone who can solve problems, shows interest in /your/ problems, and will be pleasant to work with. For example, cryptography isn't even common on Computer Science courses, and it's not only CS graduates who will be applying for jobs.

    Come to that, understanding of crypto isn't common among people with years of experience either... –  Feb 21 '11 at 16:37
  • I think Graham hit the nail on the head. Security is definitely a niche career. Generalized IT knowledge won't yield them any special characteristics to look for. What will set each interviewee apart is their desire and interest to be in security. Security isn't something you can go to school for, learn once, then work in forever. The individual has to be motivated to do well, because security is ever-evolving; they would need to constantly research to keep abreast of the newest threats and mitigation techniques. Interview as you would any new hire, and keep a keen eye for their desire to learn. – Purge Feb 21 '11 at 16:53

My best results have been in hiring from problem solving disciplines or areas. People who are old school hackers (in the original meaning of the term) who like to build, tweak, understand and really grok anything, such as hardware, cars, plumbing, electronics etc have always scored well in my book.

I have also noticed a strong correlation with rock music, and a large number who also like sci-fi (others have confirmed the music link, but I'm not sure whether the sci-fi is just in the folks I know)

There seem to be a high number of petrolheads in the industry as well - this could be an extension of the hacking, tweaking, modding vibe.

Academically, it makes sense to hire from a CS discipline, or one with at least some CS modules (engineering is an example), just down to the reliance on computer systems for everything, but I have also hired from many other disciplines.

As far as crypto goes, the specialists are few and far between, so I would tend to look for people who understand the core concepts, but not bother hunting for someone who can explain the mathematics behind a particular flaw. In general the crypto breaks are all around the people or the config, rather than a particular algorithm anyway.

In addition I would always take a potential new recruit to meet the team at a restaurant or pub to see how they fit in in a social setting. I see this as essential in both small and large teams.

Rory Alsop
  • Re correlation, there is also a higher number of martial artists in the security niche, than in the general IT fields... or at least so it seems... – AviD Feb 22 '11 at 07:23
  • Another non-CS discipline that can produce good candidates, is actually law, for when it comes to those sticky policies and regulations. – AviD Feb 22 '11 at 07:25
  • One point I disagree with is the old-school hackers. Not so much disagree, rather I would qualify it: those guys would do great in the "breaking" sort of tasks - e.g. pentests, reviews, etc. However, if you're looking for security engineering / architecture, I've found that a "hackerish" mindset (in the original meaning of the term) falls down flat, and they usually don't realize it. – AviD Feb 22 '11 at 07:27
  • @AviD - actually had really good results with those kind of folks - a lot are builders AND breakers. It's that mindset of disassemble/grok/improve – Rory Alsop Feb 22 '11 at 09:24

A fresh grad will not have experience and is highly unlikely to have much domain specific knowledge. The key measurable attributes you're looking for will therefore be cognitive - problem solving styles and the ability to learn from fragmented or disorganised information sources. Provided you're willing to go the psychometrics route that is.

On the interview questions front, why the candidate is interested in security will also provide some interesting insights on what kind of reaction you'll see to the tradeoffs which will inevitably happen in implementation and reporting.

Bell