bejtlich on finding competent security personnel

Bejtlich posted an excellent email from a reader of his asking how to find competent security personnel. What a wonderfully worded email, and rather than post a huge comment on Richard’s site, I thought I would pollute my own blog with it instead! I’ll try to keep it bulleted (something I’ve been striving to do this year). I also printed out the questions; I try to always honestly answer such things as practice.

1. Unlike some commenters, I really like the questions posed. Sure, they can be vague, but part of a hiring question should be to get the analyst to analyze. What is the interviewer *really* going after, and can you help them along by accepting and adapting to the question? While you’re fiddling over details of the scenario, the incident is still happening.

2. Look for analysts in the right places. If I knew about this job and it was in my area, I’d apply or pass it on to others. Are you finding me? I would be willing to bet that the post on Bejtlich’s blog produced several job candidates; I’d bet a better return than current efforts have yielded! Get to the places where we hang out: Security Focus has a job board, the SecurityCatalyst Forums, and so on. Get your own security blog and join the Security Blogger’s Network to get good exposure and post the job, or have one of them post it. Check with your local Infragard chapter (a great place to network!) or even other local professional tech groups like CIPTUG to see if they know people who are interested, or maybe one of their members wants to cross over.

3. I can say the term “senior” can be daunting. Newer security-inclined people may avoid such a job title, at least at first. On the other hand, the term “junior” might imply entry level or fresh out of college, and that might deter some people. I like more neutral titles, personally.

4. Make sure you’re properly valuing this role. A lot of people will say a manager needs to pony up and pay competitive salaries, but that is often out of the manager’s hands. Perhaps the company itself needs to properly value the position and the need behind it, and advertise accordingly. This might mean dropping the “senior” and grooming some greener people.

5. I think Richard is correct: there are still few people who can properly answer those questions, let alone actually do what the answers describe. However, I think there is still a good number of people willing to be groomed into such a position, or to groom themselves if given the chance.

6. “Am I setting the bar too high?” Maybe. I think accuracy in answers can be fixed, but personality in handling the questions is much more difficult. If they don’t know the difference in response between a web attack and a client-side buffer overflow, they can quickly learn via process documentation or after the first one or two incidents of each. Are they capable of detail, learning, and improvement? Then again, that’s maybe the difference between the “senior” and the “not-senior” guys out there.