As someone who has been hiring, managing and, of course, applying for roles, I have observed that not everyone knows what they are looking for in the people who fill key roles. Hiring the wrong people can make the difference between having effective staff and being fed 'spin' from the wrong staff until you find out in a financially and reputationally damaging way.
This is something that is being done wrong at all levels: you need the right engineers/advisors/analysts, but also the right people managing them. A poor choice at the top can set a company back significantly. (You can have all the materials to build a perfect house, but if the wrong person is putting it all together then the house is likely to be plagued with issues until it falls down!)
So, how can you ensure you're making the right decisions? While it's unlikely to ever be 100% certain from just an interview, the methods discussed in this article can help eliminate unsuitable candidates. This will provide a brief overview along with some tips and tricks. For more detailed guidance, we offer additional insights to our business subscribers on interview techniques, job description creation, performance monitoring, and other key aspects of assembling the right team.
Let's begin by examining the options for candidates in general:
We will start by looking at their experience. Cyber Security is a relatively new field within the IT industry, so how do you assess experience when the industry has not had much time to 'flesh out'?
Experience is a crucial factor, especially in the relatively new field of Cyber Security within the IT industry. Despite its novelty, Cyber Security isn't entirely new; it has long been prominent in the defence and banking/financial sectors. You'll encounter individuals with over 20 years of experience, albeit lacking formal certifications. These people 'just do it'. Do you want to hire people who have no certifications? Of course! I would personally choose someone with experience over certifications any day. You can then offer them the time and cover the costs associated with getting certified; this will not only be a boost to your company when talking to customers or auditors, but will also help to retain key members of staff who are hard to replace.
But what about those with certifications? Does that make them less worthwhile? No, but they should be led by someone with the experience. The experience will come, but they need to be supported by someone, either a direct manager or a consultant retained for a period, who can support them as they grow.
The key lies in effective resource implementation and support. While this might seem obvious, many people managers struggle to provide adequate support in the relatively new domain of Cyber Security. It's essential to understand that hiring a security engineer isn't a silver bullet for securing your company.
So, how can you identify the right candidate?
Look for individuals who display curiosity and critical thinking during the interview process. They won't just boast about their skills but will inquire about necessary resources, budget allocations, and executive support. Their questions can provide valuable insights into their understanding of the role's requirements and their potential to secure your company.
If you are unsure how to judge an answer, or who to turn to for a second opinion, there are many consultants who can spend time discussing the question with you and help identify whether it is a genuine concern or something that can be ignored. It is worth spending some money to consult a specialist BEFORE hiring, rather than dealing with the issue after it's too late.
What else should I be looking for?
During interviews, watch out for red flags such as exaggerated claims about security focus, or roles unrelated to security being portrayed as pivotal. These hints can help you distinguish genuine candidates from exaggerators or fabricators.
We will have more focused hints and tips available to our business subscribers, as we want to limit how widely the tactics used become known to anyone with the power of Google, but here are a few hints and tips to help you at least initially.
They exaggerate their focus on Security. Some people take security seriously and will embrace it in every role they have worked in. You can tell these people by the way they present their answers to questions; conversely, you can spot a lack of passion either through over-dramatising or fuzzing the details (how to spot this will be covered in a paid article).
Their role had nothing to do with security, yet they claim it was everything. People who exaggerate their role are a big red flag in general, but doubly so with security.
They have worked in industries where security requirements are lacking, yet they talk about Fort Knox-level security being implemented at every stage. Again, some specific examples will be provided in the paid model to help you tell true stories from fabrications.
Conducting technical or knowledge tests is also advisable. Practical scenarios and obscure knowledge inquiries can reveal a candidate's problem-solving abilities and depth of understanding.
The nature of these tests will change depending on the role you are hiring for. If you are unsure which tests are appropriate, I would recommend reaching out to a consultant for ideas (or keep an eye on our business articles, which will be updated regularly with tests and hiring tips).
Ongoing assessment
Ongoing assessment is crucial for all IT roles, but particularly in Cyber Security. Regular evaluations tailored to the role's requirements are essential for identifying strengths and weaknesses.
As this is a new subject, how do you know what tests are suitable for a given role? Again, consultants can help executive teams prepare for this. Executives don't need to be experts, but they should be able to measure the performance of staff against suitable KPIs. Google and ChatGPT are useful resources for setting this up initially, but they are not accurate for every industry, so you should always discuss it with someone who knows. That way you are not setting your staff up to fail, but you will still be able to identify the weak links.
Note: As part of our upcoming Business packages, we will be sending out CEO Briefing emails which can provide spot check recommendations in general as well as specific to emerging threats. This will help you see how responsive your teams are being, as well as ensure you are aware of what the current risks/threats are.
It is also a good idea to bring in an audit, from either an auditing company or a less formal consultant, who can provide an honest appraisal of your current cyber security posture.
Summary
In summary, hiring Cyber Security professionals requires careful consideration. Certifications shouldn't be the sole basis for acceptance or rejection. Continuous monitoring and improvement are vital for maintaining security effectiveness. Consulting with industry professionals throughout the hiring process is highly recommended.
Certifications are not everything; candidates should not be rejected or accepted based on their certification status alone.
Continuous monitoring and improvement should be key; neglecting it can cost you a lot of money and reputation.
If you'd like to delve deeper into this topic or require assistance with other aspects, feel free to reach out for a free initial consultation.