
If I need to employ penetration testers, what are the procedures to follow, and how do I examine candidates to know their skills and qualifications?

Also, I need to know what examinations/certificates I should look for in the employee and for myself.

Eric G

sikas

  • If you're looking to hire a penetration testing contractor in the UK, the standard is CREST accreditation. – Polynomial Mar 19 '13 at 21:59
  • Ehhh.... CREST/CISSP/CEH. Just another way for some company to make money from 'certifications'. – NULLZ Mar 19 '13 at 23:29
  • Allow me to say this, and please understand that I mean it in the most polite way. If you have to ask such a question here, you're probably not the right person to handle the process of hiring or interviewing for this position. It wouldn't be fair to the potential employee or your organization. – Adi Mar 20 '13 at 00:26
  • I know the question is closed, but this comment is for D3C4FF: are you sure that a management certification such as CISSP will help you in pentesting? Sikas, if you want to hire based on certifications, check OSCP and CEH. – The Illusive Man Mar 20 '13 at 10:41
  • @yzT What? No. I'm saying I find those (and other similar certifications) to be a waste of time generally speaking and not an accurate reflection of skill at all. Some of the best pen-testers I know didn't even bother finishing high school, let alone degrees, doctorates, certifications etc. – NULLZ Mar 20 '13 at 20:43

2 Answers

If you have no experience with hiring "hackers", it sounds like you want to be more secure, but may not have the biggest need yet. I would consider working with a reputable consulting firm on a few small engagements. See how they do their assessments and what type of deliverables they provide. Question everything they do, every report they give you, every finding. While you will initially be hiring them for their services, what you get long term is their methodology, style, etc. Be sure to interact with the actual pen testers. Some big firms outsource the testing overseas and just put local people in front of you to explain the findings. Try to insist on local testers coming on site. You are unlikely to be able to steal the consultants who work for them due to non-compete clauses in your contract, but they might have friends, etc. Pick their brains as much as you can.

Another option would be to find local meetups for ISSA, ISACA, or more hands-on security groups like those spun off from BSides (e.g., Chicago's BurbSec). There are often people at these types of events looking for work, or who know someone they can recommend.

I personally put a low value on certs. There are a fair number of more "suit"-like hacker types who pursue these, but most of them are just tests. You want to screen the person and their knowledge, which may be hard if you yourself do not have a hacker background. You might want to try a head-hunter, but head-hunters are salesmen and they aren't a good fit for every company. In terms of certs, one of the better ones is the Offensive Security Certified Professional, because it's a hands-on certification and they want to make it hard to pass; they also have a good focus on documentation. Communication and documentation are ultimately just as important as finding security problems. You might want to see if they have a CISA or CISSP, but there are a lot of people with those certs who are not hands-on or do not focus in that area. There are some other things like Certified Ethical Hacker and Security+, and GIAC has a number of more specialized certs like GPEN and GWAPT which may be useful. Ultimately, certs are a consideration, but you want to evaluate the individual's knowledge - there may be a really good pen tester who just never bothered to spend the time and money, whereas on a question-only test someone may just have studied up well.

Also, when hiring hackers or pen testers I would strongly recommend looking into background checks, criminal checks, etc. Military service and government clearances (active or expired) may also be considerations.

You may also want to ask a question over at Workplace.SE about hiring technical specialists and hiring people outside of your area of expertise.

Eric G


Your need to hire a penetration tester will depend on your company and type of work. In some cases it will be required (for example, if you process credit card payments, pen-tests need to be done regularly). If, however, you are part of a small organization that does manufacturing for non-critical assets, then it's possible that a pen-test might not be the best place to spend your security budget. It also might not be necessary to hire a pen-tester full time; you could instead have a consultant come in annually and review the network.

When you are hiring someone for a pen-testing job, you need to examine several things:

  • Their resume (see PentesterLab)
  • The quality of their technical knowledge (during an unprepared interview)
  • A 'hands on' interview (where the tester demonstrates skills/knowledge in practice)

This is in addition to the normal interview process for any resource.

I'd suggest looking at these links for more comprehensive information:

PentesterLab

Matasano Security

Additionally, a related question (from the view of an applicant)

NULLZ