Hiring competent people in cybersecurity is always important, as you cannot secure what you do not understand. The trouble is often those who are performing the hiring do not have an in-depth understanding of cyber security and what specific skills and experiences are required to perform a cyber security role well.
Why is this so important?
- To do cybersecurity effectively depends on a combination of experience, learnt skills and talent. The devil literally is in the details and you won’t develop a feel for evaluating risks, and in turn, the controls required to mitigate those risks without putting in the hours. In essence operating in a cybersecurity role beyond your capabilities is putting your employers business at risk and in turn is putting your long term career at risk also.
- The ‘Faking it tell you make it’ mindset just won’t work long term in cybersecurity, you may get away with it for a while, but in this day and age where everything you do is digitalised and available at a few mouse clicks – it can unravel very quickly. Better to spend your energies on genuine capability growth.
- People operating outside of their zone of capability is a primary cause of a lot of cyber incidents. Bad decisions, incorrect assumptions, etc all stem from not having an innate ability to self check and confirm. Better to walk on solid ground than to run on thin ice.
In this article, we provide some pointers and red flags to look out for that indicate a person is jumping onto the cyber security bandwagon and presenting a somewhat overly ‘rose tinted’ view of their cyber security achievements and experiences. BTW Some ‘putting in the best light’ is to be expected in CV’s, what we are referring to is taking that way too far and presenting a overly false impression of skills and experiences. Also covered are a few key things to look out for during the interview process that will help in separating the wheat from the chaff.
1. The 180 degree abrupt Career Shift…
This may be obvious or not in their CV but if you see a sudden dramatic change in focus to cybersecurity, especially in the last 4 years, I’d treat this as a Red Flag. Especially if they have several years under their belt doing something totally none cybersecurity work prior. Treat as a clear sign of bandwagon following, especially if they have no prior certifications or qualifications that relate to cyber security.
Now for a junior role this may not be that much of an issue, but if you are hiring someone where direct cyber security ability is key and so expected to be enacted on a day to day basis, this could be a problem.
If they do make it interview you should be probing the transition period, why the change? Were they not succeeding in their prior career direction?
2. Too rapid a climb…
Another give away is when they climb too rapidly in roles and scope, especially a transition from technical in senior management occurring in one step. Typically you want to see at least 2 years in each role, anything less than 18 months (and especially less than 12 months) consider a Red Flag. This could indicate someone role hopping to avoid accountability for prior mistakes or a business picking up on their inability and the person jumping ship before they got pushed (or did they get pushed?). It might just be that the business did a downsize as well, so you should ask why during the interview.
3. Excessive buzz word bingo
If the CV contains more buzz words than actual substance, this can be concerning. There should be evidence of the application of cyber security techniques and outcomes alongside the buzz words, in effect a few ‘war stories’ that can be discussed during interview that shows the skills being applied. If its all buzz words and no stories, big Red Flag.
4. Too much timed experience
Another quick check is to compare how long they have been dedicated to cyber security and the duration of cyber security experiences they claim to have. For instance, they cannot have 10 years experience in Firewalls if they have only been doing cyber security for 5 years. This would be something certainly worth questioning about during the interview.
5. Too varied
People tend to develop their areas of expertise and focus more on those over time; a CV that does not focus, or shown a progression across different areas of focus, should be a big Red Flag. This could indicate buzz word stuffing or a lack of ability on the part of the individual, they may not be able to be an expert in any cyber security field.
Also look out for ‘unsupported expertise’, for instance its very difficult to be an expert in Code Security if you do not have a programming background. Again ask about it during the interview.
6. Certifications only
If someone only has certifications and no related academic qualifications (or years of relevant experience), this could be a problem. There are a lot of security certifications out there which are not that hard to get, especially once you have one in a given area, accumulating more of the same is easier. Quite a few of them are more memory tests than actual ability. You need to check why the certification was taken, was it a role requirement?
7. Title expansion
This can be a bit harder to detect but its where a job title seems rather too ‘grand’ for what it should be. For instance, someone could take an ‘IT Technician’ and morph it into ‘IT Cybersecurity Technician’, or ‘Systems Analyst’ morphs into ‘Cyber Security Analyst’. The easiest way to spot this is check the size of the business they were employed at and roles you can see on LinkedIn, if it was a medium or small sized business its very unlikely they will have such fine grain role differentiation.
8. No ‘just for fun’ tech
Cyber security revolves around technology, therefore you want to see strong evidence that the person is actually technical and enjoys using and applying technology. They should have other interests that are based on a technology mindset. For instance hobbies that have a strong technology or theoretical basis (model aircraft, electronics, metal working, wood working, etc). A complete lack of such hobbies (or no hobbies at all) should be a small Red Flag.
During the Interview
Genuine cyber security people with solid experiences will often have ‘war stories’ that have shaped their careers; they will be able to present these, and the outcomes and learnings, in a highly focussed form. They will be able to clearly demonstrate their role, what they did and the outcomes. They will also have a clear understanding of how human factors come into play when doing cyber security. In effect they will have ‘lived’ doing cyber security and have an eye for it in its many different aspects. It will have become second nature for them and they will happily talk about it all day long if given the chance.
We hope the above points will help you in finding good cyber security staff for your open role. These are only some of the basic techniques we have used in assessing capabilities and fit for cyber security people, either for open roles or when checking 3rd party supplier personal (to make sure they can actually keep a service secure). We can perform much more detailed assessments and provide this as a service for businesses, if you are interested, please contact us.
What if you are want to get into Cybersecurity?
First off do not BS on your CV. Focus, tune and tweak, yes but do not BS. Cyber security, at its core, is about dealing with people who use technology in businesses and making that secure. A lot of your job will be around gaining trust and having trust in others, if you BS your way into a cyber security role, what does that say about how you can be trusted? An employee would much rather have someone be honest and state what they know they are capable of, what they are training up on and where they want to go. This is SO much more powerful than a BS laden CV, it shows integrity, to shows drive and it shows honesty, all very positive qualities to have in cyber security. Also, if a potential employee likes you, they could set up training and support to help grow your career… Start off as you wish to continue and want to be treated.
Also remember if you do BS your way into a cyber security role, its very likely you could be putting that business at undue risk, and in turn your future career in cyber security could be a risk if they get breached as a result. Just don’t do it.
There are many valid paths into cyber security and everyone has something to bring to the table, just do so with integrity, you will go that much further.