By: Dawid Bałut
I really enjoy attending security/business conferences. But it’s not that I’m going there to learn how to do security, because if that were the case I’d go to DEFCON or Derbycon and learn from the top hackers on the planet. I go to business conferences because I want to listen to the problems others have and observe the way they’re approaching them.
One problem I have seen continuously since, pretty much, forever is the struggle of starting an internal security department. Is it really that hard? Maybe, but how do you know, if you keep the same approach and attitude and make the same mistakes all over again? If your approach doesn’t work, maybe give this one a shot.
Create a sane job description and show the money
While creating a job posting, be honest and say that you’re looking for your first security dude, and offer good compensation. For the first hire you need to offer really good compensation. If your organisation is X years old, there are probably tons of messed-up basics, and fixing them isn’t fun work, so just pay for the cleanup. Honesty and money are good starters.
Be humble in your job description and say that you’re looking for a Linchpin who wants to dedicate himself to securing your organisation. If you don’t know what/who a Linchpin is, then you’ve missed a lot of good content from Seth Godin. Go buy and read this book, because it has huge value for HR teams nowadays: Linchpin: Are You Indispensable?
In short, a Linchpin is an artist doing work no one expects him to do, in a way no one else is able to do. A Linchpin is a person who will work his ass off to make your organisation secure because he feels it’s his own business.
Once you’ve read Seth’s book, read What keeps me in the security industry by Jeremiah Grossman and you’ll understand that I’m not talking about unicorns, but about people who actually exist out there. If you’re cool with that, prepare for hard work and start looking for such people.
You don’t need to start out by hiring 10 specialised people, one each for network security, desktop application security, web application security, incident response, security awareness training, and obviously a manager and a head of department, as if there weren’t enough bureaucracy in the world already.
Just because those are the security vacancies at Microsoft doesn’t mean you need the same set of people. Those big corporations know what they’re doing (I guess), but you don’t.
The worst thing you can do is to compile the requirements from all those positions into one job offer. I’ve seen too many job descriptions with requirements I wouldn’t be able to read before midnight or meet before my sixties.
If you haven’t done any security in the past, it’s perfectly fine to hire one security generalist.
Security is a lot about a creative mindset, so if someone has been in the InfoSec industry for a couple of years, he’ll have solid fundamentals to build security in other areas.
Start small and grow according to your needs and capabilities. He’ll tell you if he needs more help, but for now focus on supporting him with all the resources you have.
Find a 10Xer
Go and find a 10Xer security dude. They are out there: listen to them, let them breathe and compensate them well. If you require someone to have fancy certifications, do what you tell him and follow dumb procedures, then don’t be surprised that you need 10 people to do the work. I wrote about this on my personal blog: Root cause analysis haters, obedience lovers and myopic players.
I know people who love security so much that they would work 16 hours a day to secure your organisation. Give them the opportunity and they will do everything possible to secure your business. This is the second reason why you should offer decent compensation. We’re talking about a 10Xer who’s doing the work of a few people, so expecting him to give up his life for regular 9-5 pay is cruel and ridiculous.
The best security teams I know were built exactly this way. It all started with one crazily passionate security person who worked his ass off to build security from the ground up.
He built great fundamentals and set up a good relationship with upper management, so security was actually taken into account in business decisions. After a while he couldn’t scale any more, so he started looking for help, and because he believed in what he was doing, it was easy to attract his offline friends to join the team.
Great people know other great people who want to work with great people, simple as that.
Security to me is a bit more special than other industries, because most of the hackers I know are creative troublemakers who don’t really like being told what to do or following a rigid set of rules. They want to poke things, make magic happen, have an impact and build something bigger than themselves. And they really do appreciate places in which they can be themselves, so if you create the right culture and environment, people will stick with you and do more than expected. But this isn’t actually security specific.
If you start building your security department by hiring great professionals and then expect them to be checkbox dudes, you’ll have a hard time securing your organisation, because people who really care about security don’t like to be deceived.
Trust is everything, and if you abuse it too much, security folks will just leave, or won’t want to bring colleagues into your organisation. Why would they do that to someone else if they themselves regret joining?
Promises not kept and feedback not given lead to burnout. Those crazy people will spend entire days working for you, and if you don’t let them breathe they’ll stop seeing the point in anything they do and will burn out. You don’t want this, as an employer or as a human being.
Realize that you can’t afford the unicorn you’d like to have on your team
And don’t get me wrong, I appreciate the fact that some organisations really want a specialised professional, or that some professionals want a comfy 9-5 job which pays the bills at the end of the month. It’s all fine, who am I to judge, everyone has their own priorities in life. The key to understanding this part is to read it from the employer’s perspective, because they’re the ones having problems with hiring. A good InfoSec professional doesn’t have problems finding a job, whether he’s a 9-5 type or an around-the-clock madman.
I do know there are also plenty of extremely skilled 9-5 people, but most of them are out of reach for small organisations dreaming about hiring them, because they already have great jobs with crazy compensation. It’s not easy to find an inexpensive professional in a market where demand is far higher than supply.
It all boils down to reality not matching expectations (or vice versa), so if you’re having a hard time hiring security professionals, then maybe you should re-evaluate your expectations and that 3xA4 job description. I know you’d love to have a team of Mitnick, Dan Kaminsky, Mikko, lcamtuf, Taviso, j00ru and Dave Kennedy. We all would, but well, you kinda can’t afford them, so deal with it.
Recognize and hire cheap “talent” while they’re cheap, because that “cheap” won’t last long.
One of the best things to do is to ask a security professional you know to help you write the job offer. If you don’t know anyone (wow), then hire a consultant to help you determine your organisation’s needs.
Dear HR people, please stop stealing job descriptions from other organisations. You’re being paid to build great teams, not to copy/paste job offers, so put in the work.
Yes, you need to educate yourself on the security industry. Yes, you need to talk to people and ask them for their opinion on your job offer. Does it require a lot of guts to implement this concept? Yes, it does. But hey, I’m writing this for organisations which actually want to do something productive, not for the average ones expecting miracles to happen.
The market is tough; get over it. Adjust and make an effort, or stop whining and deal with failure.
I’m leaving you with the above as food for thought, and in the meantime I’ll be working on the next article, in which I’ll go more in depth on how to actually find a good security professional, so in case you decide to go with a linchpin security dude, I’ll give you a few tips on how to attract them to your organisation.
EDIT: After this article was released, I wrote an in-depth InfoSec recruitment guide, “Employment expectations’ mismatch and recruitment pitfalls in InfoSec”, which is a good supplement to this article.