Panelists included #1 best-selling author of Hackable: How to Do Application Security Right, Ted Harrington, and James Holley, former Chief Information Security Officer at Caterpillar, and currently Managing Director in the Cybersecurity practice at Ernst & Young.
Cybersecurity has been a top business concern for decades; however, in recent years it has become a more dangerous threat to organizations and individuals. Cyber-attacks have surged by more than 400% over the last year, and they continue to grow in both number and sophistication.
Chief Security Officers around the world are outsourcing, insourcing, or creating hybrid cybersecurity teams to reinforce the organization’s security posture to prevent attacks and are forming strong crisis response teams to mitigate the consequences of a breach.
While assessing who to hire, how can companies ensure they are making the right decision to build the strongest team? Beyond the technical skills required of a candidate, personality, creativity and curiosity are some of the qualities that cannot be trained and are often just as essential.
Below we share several key qualities, highlighted during the Ethical Hacking event, to evaluate in a cybersecurity candidate during the hiring process.
Security is a company-wide concern, and security professionals must be able to speak about these sophisticated issues in layman’s terms to be understood and get buy-in from the organization’s leaders. Strong security professionals are approachable to those without the same in-depth technical knowledge and make it feel safe to ask questions. Too often, technology and business teams are siloed when their goals must be aligned to be effective.
In order to gauge a candidate’s communication skills, consider asking questions such as:
- How do you see the security team’s goals contributing to the overall business’ goals?
- How would you explain the value of penetration testing to someone in our finance department?
- How would you explain the importance of utilizing a multi-factor authentication system to someone in our marketing department?
A strong candidate would demonstrate their ability to communicate technical issues in language anyone in the organization can understand. Their patience and detail in answering these questions, and using minimal technical jargon, may be a good predictor of how they would communicate on the job.
Security professionals must be able to act quickly and calmly when communicating a security breach. While employers should prepare questions that test a candidate’s knowledge and abilities, they should also ask situational questions that allow for more insight into how a candidate performs under stress. This could include:
- What would your first 10 minutes look like after discovering a data breach? What actions would you take?
- How would you communicate with a member of your organization that there was a successful attack?
- Describe a time you had to act quickly to mitigate a threat. What did you do, who did you communicate with, and how?
As LaSalle Network’s Director of Technology Services, Paul Wallenberg, told CSO magazine, “It’s not just the CISO who adjusts when a crisis happens; the whole security department and the whole organization does as well.” Candidates who remain calm in a crisis and emphasize the importance of communicating with empathy often are valuable team members while working in a high-stress atmosphere. During a crisis, security professionals must ensure proper communication between team members while mitigating security issues quickly. Candidates who can explain their process clearly and concisely, and who emphasize teamwork as an important factor, likely have a strong crisis response.
It is essential that security professionals collaborate well with their own team, across departments within the company, and with third-party teams, since many organizations use third-party vendors to help with vulnerability assessments and/or penetration testing.
To gauge a candidate’s collaboration skills, consider asking questions such as:
- How do you envision your day-to-day job?
- How would you go about assessing risks?
- In your prior roles, how have you communicated risks with the company?
- How would you conduct a white-box test versus a black-box test? How would you communicate with external vendors in both instances, if used?
A candidate should demonstrate an understanding of how the security team partners with different departments and vendors by either discussing how their team collaborated in the past or discussing their plans to improve communication and collaboration. They should mention collaboration both with various teams and vendors as a regular and frequent part of their day-to-day job and a key part of assessing security risks. A strong candidate will value any chance to gain insight from others into potential security risks and will highlight the importance of performing a variety of testing.
When hiring from this in-demand talent pool, it is important to consider not only what hard skills are essential to the role, but the soft skills needed to make up an effective team that works well within the broader organization.