InfoSec Recruiting – Is the Industry Creating its own Drought?

The InfoSec industry has a crippling skills shortage, or so we’re told. There’s a constant stream of articles, keynotes, research and initiatives all telling us of the difficulty companies have in finding new talent. I’ve been in the industry for over 30 years now and through my role as one of the directors of Security BSides London, I often help companies who are struggling to grow their teams. More recently, my own circumstances have led me to once again join the infosec candidate pool and go through the job hunt and interview process.

I have been in the position of hiring resources in the past and understand that it is not easy and takes time. But having sat through a few interviews of my own now, I am beginning to wonder if we have not brought this situation upon ourselves. Are the expectations of recruiters out of proportion? Are they expecting to uncover a hidden gem that ticks every single box? Is it really true that the infosec talent pool is running empty, or is it that the hiring process in the industry is creating its own drought?

Part of this situation may be coming from the way hiring managers are questioning candidates. There is no perfect questioning methodology, but today, focusing purely on technical questions cannot be a good solution because – LMGTFY – even fairly lazy candidates can study and prepare for any technical questions beforehand. It might seem obvious that a hiring manager needs to look at a wider scope, evaluating the candidate’s ability to learn, adapt, and demonstrate their analytic or creative capabilities, but this is the part that seems to be missed.

I’ve found that candidate questioning within some organisations has become vague and far too open-ended to provide a meaningful evaluation. For example, I was recently asked – and know of a few other people who were asked – the open-ended question: “What happens when you use a browser?”. I won’t go into the pros and cons of this specific question in the hiring process as it is quite well covered in the post: The “What happens when you use a browser?” Question from Scott J Roberts.

This type of question can be answered in so many ways, from a high-level overview to the nuts-and-bolts. And when the candidate has been building networks since before the Internet was really a thing and was probably already working before the hiring manager was born, they’re unlikely to simply guess which response they should give. Exchanging ideas and discussing the situation with the candidate resembles the normal process of working through and analysing a situation to achieve a target.

Now that I have experienced this type of questioning first-hand, I’ve been dumbfounded by the total lack of interactivity from the hiring manager across the table. My natural reaction to an unclear, vague or unspecific question is to question it; discuss and clarify to identify a common ground and answer in a more appropriate way. The problem is that the hiring manager typically won’t engage at all, simply stating that it is an “open-ended question and to answer how I feel best”. How can this be a constructive way to gauge a candidate’s abilities?

I’ve always taught and been taught that asking questions is a good thing because it demonstrates logical and analytical thinking and shows that you are trying to better understand the situation and audience and react with the most appropriate response. If a hiring manager simply pursues a vague line of questioning they’ll only ever be able to evaluate a candidate by taking a subjective decision. I’ve even heard reports that hiring managers have rejected a candidate on the basis that they felt the person would outshine them.

In people management, one of the rules that you learn is that you need to evaluate performance based on attainable and measurable indicators. I propose this needs to be the same for the hiring process so that the hiring manager can make a meaningful decision.

Ultimately, interviewing a candidate on the principles of discussion, exchange and analytic capabilities will help the hiring manager identify the right person. It’s important to assess whether the person has a good foundational skill set that allows them to analyse and understand the work that needs to be performed. A good candidate not only needs the technical competencies but also the softer skills that help them adapt, learn and acquire the broader capabilities needed to successfully integrate into a team. Onboarding and probationary periods are there to allow a team to conduct a final check of the candidate’s technical and soft skills.

So what needs to change? I believe hiring managers need to ask themselves whether searching for that golden needle in the haystack is the most effective way to identify and recruit talent. By changing the perspective that the interview process should be more of a constructive discussion instead of vague and rigid Q&A, companies will get a better view of how that candidate might actually work on the ground. And by adapting questions to the level of experience in front of them, they are likely to see much more potential from every candidate that they engage with. Sure, the infosec talent pool might not be overflowing, but maybe our skills shortage isn’t quite as terrible as we might think.

The post InfoSec Recruiting – Is the Industry Creating its own Drought? appeared first on Liquidmatrix Security Digest.

*** This is a Security Bloggers Network syndicated blog from Liquidmatrix Security Digest authored by Thomas Fischer. Read the original post at: