eLearnSecurity Blog

Top 5 skills to look for when hiring your next IT Security Employee

Cyber security has become one of the hottest topics in the media by the end of 2015. Various companies and financial institutions have experienced troubles such as data breaches, malware infections and more.

This year governments and private organizations all over the world continue to implement cyber crime prevention measures.

With the growing number of threats, companies have started to realize their critical need for IT security professionals, especially Penetration Testers. These experts join companies to find vulnerabilities, monitor and secure data, and protect networks from future attacks. Hackers with bad intentions usually break into the less secure systems.


Thousands of job positions in the IT security field open up, yet companies have a hard time filling them. There is a serious lack of skilled IT Security professionals.

Companies, instead of just competing for the top talent, are now also training their existing IT staff to be their future IT Security professionals. Fact is, not all organizations will be able to hire the experts they need!

If you are lucky enough to get Penetration Testers in for an interview, then here is some advice. Our IT security researcher Francesco Stillavato shares some tips on skills you have to pay attention to when hiring your next IT security employee:

  1. Programming/Scripting skills

Although the Penetration Tester will not code all day long, knowing the most important programming languages is something he really needs. It will help him better understand the tools and applications that he might use or test. Moreover, knowing some scripting languages will surely help him speed up and automate most of his tasks.

  2. Good technical fundamentals

A very deep understanding of networking and network protocols is one of the most important skills he needs to have. If a Penetration Tester knows the fundamentals, he will be able to understand everything built on them!

  3. Mastering different operating systems

During a Penetration Tester's career he will be “forced” to use different operating systems. Knowing how those systems work, where the information is stored and how to configure them is very important.

  4. Security background

A wide cyber security background is mandatory here! This means the professional Penetration Tester knows and understands system security, web application security, mobile security and so on. He may be an expert in one of these fields, but should always keep himself up-to-date.

  5. Writing and reporting skills

At a certain point your Penetration Tester will have to talk with the non-tech savvy employees. He must be able to explain anything related to IT Security without diving into the technical details.

In case you’ve already hired the IT Security employee before reading this article, but still don’t know if you hired the reliable one, we recommend you to review his profile. There is always an option to give your employee additional training. eLearnSecurity provides many comprehensive and practical IT security training courses.

Your Penetration Tester can upgrade his skills to a higher level. Most of our courses are designed to train practically against real world attacks, using the most sophisticated, industry leading and practical virtual lab, named “Hera Lab”.

To get started your IT security expert should look through the free demo of our courses and then decide which ones help him the most in protecting your network:

Your IT security employee has to be able to protect your data from any attacks against your network or web apps. Invest in the skills of your IT security team now, don’t wait until it’s too late.

Update (24/01/2016):

We have got some interesting comments on the issue above and here are some of them:

Evan Bloom Great points Alissa Abaskanova. As a PR consultant that focuses on the risk and security industry I am pleased to see you included number five – Writing and reporting skills. All too often members of the C-suite, who have no technical knowledge, will want a written or verbal explanation in simple terms about what went wrong, why, how and what is being done to fix the issue – and when things will be back to normal – not to mention ‘what are we doing to see this never happens again?’ The head of the IT security team, or CIO, will have to answer these questions in such a way that all stakeholders understand the message – including the company spokesperson who may have to answer media questions. Most importantly, sometimes IT security leads find it ‘challenging’ to answer questions about what happened from company employees that are not part of the greater IT team. Good post, thanks.

Geoff Termorshuizen @Evan Bloom – Agreed! C-Levels often want what’s beyond their scope of reference. There’s no shame in not being able to operate at the level of the technical specialists. That’s why the specialists were hired. While C-Level certainly needs more than “Stuff broke”, they should not expect the technical equivalent of whatever their specialty is. They’re going to waste more time having some poor tech trying to explain things in a way the bosses can understand than it would take to actually fix the problem.
At least 1 member of the security group should be a “Translator” person – they’re the ones who understand the technical side, and how to present it to all manner of C-Levels in a way that will satisfy them, but not require any actual course work to understand.
That is a specialized skill set in and of itself.

Brett Anderson Good luck finding them..

Geoff Termorshuizen Brett Anderson – That is a problem, but I think one of the IT industry’s own making.
I remember back in the early 90s, people could do it *ALL*. They understood networking, they could script/code, they could administrate *nix environments and Windows networks (Windows servers were rare), they could create web pages.
As tech started diversifying, IT started to specialize. People who script or write in C can’t always create web pages, or manage networks. Those who are web developers don’t admin the servers. Network admins stay away from servers. From the employee side, there is some overlap – Cisco network admins can script as needed for their devices, etc. Their bosses, however, tend to be more like “You do <x>. Leave <y> to that department.”
We need to encourage JOATs and to make being proficient at IT as a whole something that is encouraged and well rewarded. Specialization should be for when one is well-capable in IT as a whole, and not a career-limiting path from day 1.

Raphael Dlv One big important point is missed… Shame that it’s not really mentioned. It’s being enthusiastic.
Being as enthusiastic as a little girl at a Justin Bieber concert when an awesome exploit is out, or something awesome has been found that can help people. It’s much easier to teach someone eager to learn than a so called “know it all”. That is what’s important.

Chuck Mackey All 5 skills identified lean completely or substantially toward technical proficiency. Certainly required and commendable, but not a complete list based on my experiences over time. I’d add: 1) possessing an inquisitive mind; 2) ability to handle pressure from multiple sources; 3) integrity; 4) a keen appreciation for the ‘business side’ of security; 5) commitment.

Jon Salisbury I have 25 security engineers on staff and we just ask the following few things.
CTF (what is your involvement?), question (where do you perform your research?), 3 scenario driven ethics questions. If you think your security guy should also be a consultant you are getting the wrong guy. Your best security guys should not be great communicators. They should be hard to communicate with.
If you know what those answers above should be then you’re golden with your SecOps men.

Update (2/02/2016):

Deon van Jaarsveld Good article, as someone who is sitting with the problem of what people want and having done some interviews recently I agree and disagree with a lot of the current posts.

I find a lot of people hiring are not sure what they want. They want someone with skills in a wide variety of areas and must be qualified with everything possible. No-one will ever know everything, so you can specialize in one or two areas or generalize in a lot but there are few people I know that can do both. It should never stop you from trying but some people need to realise that you may need more than one person for a role.

@Jon, I agree that many really top InfoSec guys can be difficult to speak to, but it is a skill they will need to develop as there will not always be a person to ‘translate’ for them and as brilliant as they may be if they cannot convey the information for others to action it can become a problem.

Chris Rooney I guess it isn’t really a skill, but I ask about people’s hobbies. I try to look for folks that enjoy things like Sudoku, Angry Birds, Tetris, play with brain teasers, put puzzles together and word find puzzles. I also ask people if they have ever cheated at video games, built a mod, or created their own content. I get asked why I do that. For me, in most cases we can teach folks the technical skills. You can’t really teach pattern recognition, enthusiasm for solving problems, spotting anomalies quickly/easily, a desire to find out what makes something tick, and to re-purpose things in order to solve a larger problem. Although this might also be why I have far more INTJ and INTP types in my group than should be allowed by any sane standards.

Geoff Termorshuizen Chris Rooney – Consider adding “Which do you prefer – Star Wars or Star Trek?” to your question list. While it’s a fluff question on the surface, like as not, if the applicant is coming from a technical background, they have views on this. As it’s usually a 1) hot-button topic and 2) completely unrelated to what their actual job is likely to be, it’s a nifty way to see how they handle being thrown a curveball, and how they handle a hot-button issue. As they’re typically going to answer more emotionally than a regular interview question, it’s a good measure of how they’re likely to be influenced should a hot-button item come up at work. Plus, it can lead to interesting revelations on how they process information they’re interested in.

Varun Parikh I would like to add reasoning skills, as a security professional would see the organization from a perspective no one else sees it from. Must eat, drink and live security all the time.

Michelle Weston Strongly consider security professional services, at least to complement what you’re doing with your direct hires. You are so correct in saying it is very tricky to hire for all the necessary things, maintain their interest once hired and make sure you don’t get left with jack of all trades, master of a few yet dated skillsets. How many can discuss micro segmentation, software defined data centers, regulatory statutes for industry and understand the challenges posed in the specific line of services or products of your business? Just call Unisys if you want to avoid sleepless nights spent worrying about being the next firm in the news!

Akshaye Kalkura Security is a mindset and people must think like criminals… only then will they be able to protect properly… spy movies, spy novels, Kevin Mitnick etc etc… out of the box thinking, and don’t fuss around security certifications for experienced people…

Mats Davidson Loyalty. Interesting; loyalty is the most valued by some, but it is not a skill, is it?
Glad to see “Programming/Scripting skills”, but the reasons mentioned are a bit unambitious… A specialist with system programmer skills is able to create tools and do magic if needed.
