Top 5 skills to look for when hiring your next IT Security Employee

Geoff Termorshuizen @Evan Bloom – Agreed! C-Levels often want what’s beyond their scope of reference. There’s no shame in not being able to operate at the level the technical specialists. That’s why the specialists were hired. While C-Level certainly needs more than “Stuff broke”, they should not expect the technical equivalent of whatever their specialty is. They’re going to waste more time having some poor tech trying to explain things in a way the bosses can understand than it would to actually fix the problem.
At least 1 member of the security group should be a “Translator” person – they’re the ones who understand the technical side, and how to present it to all manner of C-Levels in a way that will satisfy them, but not require any actual course work to understand.
That is a specialized skill set in and of itself.

Brett Anderson Good luck finding them..

Geoff Termorshuizen Brett Anderson – That is a problem, but I think one of the IT industries own making.
I remember back in the early 90’s, people could do it *ALL*. They understood networking, they could script/code, they could administrate *nix environments and Windows networks (Windows servers were rare), they could create web pages.
As tech started diversifying, IT started to specialize. People who script or write in C, can’t always create web pages, or manage networks. Those who are web developers, don’t admin the servers. Network admins stay away from servers. From the employee side, there is some overlap – Cisco network admins can script as needed for their devices, etc. Their bosses, however, tend to be more like “You do <x>. Leave <y> to that department.
We need to encourage JOATs and to make being proficient at IT as a whole something that is encouraged and well rewarded. Specialization should be for when one is well-capable in IT as a whole, and not a career-limiting path from day 1

Raphael Dlv One big important point is missed… Shame that it’s not really mentioned. Its being enthusiastic.
Being as enthusiastic like a little girl at a Justin Bieber concert when an awesome exploit is out, or something awesome has been found that can help people. Its much easier to teach someone eager to learn than a so called “know it all” That is what’s important.

Chuck Mackey All 5 skills identified are lean completely or substantially toward technical proficiency. Certainly required and commendable, but not a complete list based on my experiences over time. I’d add: 1) possessing an inquisitive mind; 2) ability to handle pressure from multiple sources; 3) integrity; 4) a keen appreciation for the ‘business side’ of security; 5) commitment.

Jon Salisbury I have 25 security engineers on staff and we just ask the following few things.
Ctf (what is your involvement?), question (where do you perform your research?), 3 scenario driven ethics questions. If you think your security guy should also be a consultant you are getting the wrong guy. Your best security guys should not be great communicators. They should be hard to communicate with.
If you know what those answers above should be then your golden with your sec Ops men.

Update (2/02/2016):

Deon van Jaarsveld Good article, as someone who is sitting with the problem of what people want and having done some interviews recently I agree and disagree with a lot of the current posts.

I find a lot of people hiring are not sure what they want. They want someone with skills in a wide variety of areas and must be qualified with everything possible. No-one will ever know everything, so you can specialize in one or two areas or generalize in a lot but there are few people I know that can do both. It should never stop you from trying but some people need to realise that you may need more than one person for a role.

@Jon, I agree that many really top InfoSec guys can be difficult to speak to, but it is a skill they will need to develop as there will not always be a person to ‘translate’ for them and as brilliant as they may be if they cannot convey the information for others to action it can become a problem.

Chris Rooney I guess it isn’t really a skill, but I ask about people’s hobbies. I try to look for folks that enjoy things like Sudoku, angry birds, tetris, play with brain teasers, put puzzles together and word find puzzles. I also ask people if they have ever cheated at video games, built a mod, or created their own content. I get asked why I do that. For me, in most cases we can teach folks the technical skills. You can’t really teach pattern recognition, enthusiasm for solving problems, spotting anomalies quickly/easily, a desire to find out what makes something tick, and to re-purpose things in order to solve a larger problem. Although this might also be why I have far more INTJ and INTP types in my group than should be allowed by any sane standards.

Geoff Termorshuizen Chris Rooney – Consider adding “Which do you prefer – Star Wars or Star Trek?” to your question list. While it’s a fluff question on the surface, like as not, if the applicant is coming from a technical background, they have views on this. As it’s usually a 1) hot-button topic and 2) completely unrelated to what their actual job is likely to be, it’s a nifty way to see how they handle being thrown a curve-all, and how they handle a hot-button issue. As they’re typically going to answer more emotionally than a regular interview question, it’s a good measure of how they’re likely to be influenced should a hot-button item come up at work. Plus, it can lead to interesting revelations on how they process information they’re interested in.

Varun Parikh I would like to add reasoning skills as a security professional would see organization from a prospective no one sees it from. Must eat, drink and live security all the time.

Michelle Weston strongly consider security professional services, at least to compliment what you’re doing with your direct hires. You are so correct in saying it is very tricky to hire for all the necessary things, maintain their interest once hired and make sure you don’t get left with jack of all trades, master of a few yet dated skillsets. How many can discuss micro segmentation, software defined data centers, regulatory statues for industry and understand the challenges posed in the specific line of services or products of your business? Just call Unisys if you want to avoid sleepless nights spent worrying about being the next firm in the news!

Akshaye Kalkura security is a mindset and ppl must think like criminals..only then will they be able to protect properly..spy movies, spy novels, kevin mitnick etc etc..out of the box thinking and don’t fuss around security certifications for experienced people…

Mats Davidson Loyalty. Interesting; Loyalty is the most valued by some, but it is not a skill is it.
Glad to see “Programming/Scripting skills”, but the reasons mentioned are a bit unambitious… A specialist with system programmer skills is able to create tools and do magic if needed.