What To Look For When Hiring Young InfoSec Talent

State of the Industry:

With the Security industry growing faster than ever, more and more students are choosing Information Security as a major/career path. I can't really blame them...it's a technical specialty that can appeal to pretty much any personality, the pay isn't bad, and the job market is great. These things, combined with executive orders from government and many more indicators of industry growth, have created an army of fresh-off-the-block graduates ready to work.

Before diving too much into these attributes, you must understand that there are a lot of roles under the information security umbrella and they all require vastly different skill sets. So I'll try and keep it as general as possible, but realize that sometimes a particular trait or skill is more critical in different roles.

Hiring great InfoSec talent:

Now, you've got some positions open to strengthen the state of your organizations security and are targeting entry-level positions to do so. A few resumes come in, and the interview process begins...

Evidence of Extra-curricular interest

The person you are interviewing has just finished college. There is relatively little you can learn from their previous employment or internships and gauging their interest/passion can be difficult. However, a fantastic entry-level employee will have invested at least a bit of time in advancing their skill set outside of obligation. Some examples include, but aren't limited to:

• Participating in cyber security competitions
• Starting their own tech support business or website
• Doing independent research on relevant topics

Calm, Cool, and Collected:

I'm fairly certain that everyone in Information Security has, at one point or another, had to deal with intense confrontation or very serious situations. Whether that be a data breach, another employee pushing for insecure solutions, or just the late night on-call incident with a stubborn employee. An entry-level employee isn't going to have on-the-job experience handling critical incidents or even just minor system issues in a production environment. It can be daunting and the last thing you need is someone freaking out on top of any issue.

It's harder to gauge this attribute, but you've got to try. The last thing you need is a new guy on the team making negative contributions to an already stressful environment.

Demonstrated Ability to Learn:

Information Security seems like a very narrow field of study from an outside perspective...and I would bet a lot of graduates adopt this same belief to some extent. All of us who do the job everyday know there are tons of skills to learn and you really can't be a subject matter expert on them all...at least not that early in your career. That is why the ability to learn new skills quickly is essential in any InfoSec career.

The quicker a new candidate can get up to speed can mean the difference between frustration/failure and a perfect fit. The plethora of technologies deployed by your company are most likely too expensive for a student to have experience with; whether it be firewalls, IDS, penetration testing tools, etc. 

There are numerous ways to gauge this trait, but not one clear cut solution. For instance, asking questions like I list below can give you some insight into a new graduates ability to learn:

• "Describe a time you researched a new skill to solve a problem."
• "What is one challenge you are proud to have overcome in school or at your internship?"

Summary:

As the InfoSec field grows, more and more graduates are attracted, and applying for entry-level positions. While this creates more options, it can also create a lot of bad options. By determining if candidates possess extra-curricular interest, even-tempered personalities, and the ability to learn, you can significantly reduce the risk of hiring an sub-par performer. 

What I've chosen to write about above has been taken from my experiences while interviewing InfoSec candidates. It's also what I've learned are qualities that may have landed me my first career. That being said, it's not a tell-all solution. There are certainly other qualities that can be measured to judge a candidate, and I'd love to hear your thoughts! Leave a comment below if you have any experiences to add and help the community!

Thanks for reading,
Travis Romero, Security Advocate/Incident Responder