InfoSecurity Professional INSIGHTS Archive: April 2020

Building a Cybersecurity Team: 5 Keys to Proper Vetting

By Jason McDowell, CISSP

Companies from all industries are looking for qualified cybersecurity professionals to fill the skills gap in their current workforce. Demand is high, and many companies are willing to pay top dollar to those who possess the skills they need. With this high-demand, high-paying environment, what could go wrong?

Plenty.

Need drives demand. In this case, companies want skilled cybersecurity professionals who can provide the expertise needed to satisfy the requirements that apply to their industry. Additionally, each industry has its own sense of urgency to meet these requirements. For example, the medical industry may be driven by the prevention of data breach-related fines; thus, their immediate priority may mean more pre-audit or post-breach activities for investigative purposes. Another scenario may be a contracting firm bidding on a contract with cybersecurity requirements; without meeting those requirements, the company will lose the bid. In each situation, an organization is willing to devote more cyber resources to meet regulatory or contractual requirements.

The danger lies in the busyness and urgency of the resource rallying process. With the exception of companies that specialize in information security, many view cybersecurity as an odd duck. Accurate valuation of the cyber role remains very challenging, and many managers lack even a basic understanding of what cybersecurity professionals do within the organization. Add in the urgency factor to meet industry-specified cybersecurity requirements, and an honest effort to meet the requirements can quickly devolve into corporate desperation. And desperation, whether from an individual or corporate perspective, never leads to positive results in the long run. Not fully understanding what is needed, but knowing it is needed now, is a perfect recipe for poor decision making.

Desperate yet uninformed employers are caught in a tough situation. As cybersecurity becomes a need rather than a want, employers must respond by making the field’s specialized workers an integrated part of their current workforce. With aggressive cyber talent acquisition and looming requirements that need near immediate addressing, what gets lost in the shuffle? Proper vetting.

The easiest customers to sell to are the ones who aren’t quite sure what they’re looking for. They just know they have a need to fill and are eager to have someone else define the solution. Regardless of the industry, there is an endless supply of individuals ready to sell whatever they have to whoever is buying.

High salaries and high employment availability have opened doors for many legitimate candidates looking to begin a merit-based career in cybersecurity. However, the unfortunate flip side to this is that desperation—and uninformed hiring managers—can also attract imposters. These “cybersecurity professionals” want the fast pass to a coveted job, so they seek out boot camps and test strategies in a focused effort to adorn their resumes with certifications to command the highest salaries possible. For this type of applicant, money is the sole focus, and the knowledge and experience required to support exam scores are disregarded as foolish considerations for those who don’t know how to play the game.

In today’s day and age, fast talking and the right credentials can open doors into organizations in need of quick hires. Candidates avoid applying at places where managers are well informed and properly vet each potential new hire; the uninformed make easy targets.

Here are five fundamental considerations for every leader ready to build their cybersecurity teams.

1. Look beyond words to past actions
   Judging a candidate’s potential effectiveness based primarily on their certifications can be a dangerous gamble. This should go without saying; however, some industries have been led to believe that obtaining specific certifications qualifies the candidate to perform at full capacity for senior information security roles. For example, specific to the DoD, if a candidate holds one of the minimum qualifying 8570 baseline certifications, that individual can potentially be identified as an Information System Security Officer (ISSO) for a specific system. Although the title of ISSO is listed on the resume, investigate what actual experience the candidate has before acknowledging the full nature of the claimed role. If the candidate has the experience to back up his or her previous roles, then requesting some detailed descriptions of past projects will likely be met with excitement and pride, rather than abstraction and half-baked answers.
    
2. Post thorough job descriptions that make filtering easier
   The filtering process begins with the job announcement. Soft and vague job descriptions yield soft and vague candidates. Even worse, vague job descriptions are an easy target for the hustlers and scammers mentioned above. Cybersecurity can many times be mistaken as a soft skill by uninformed companies. Rather, cybersecurity is a synergistic combination of broad technical competence, proficiency in multiple security domains, and well-developed communication skills. Taking the time necessary to create comprehensive job announcements will pay off in the end—and will increase the likelihood of attracting legitimate candidates with the right skills and the right amount of experience.
    
3. Remember the importance of character
   The cybersecurity role is a position of trust, and as such, the character of the candidate is of utmost importance. Character is not subjective, but rather an objective quality that can be assessed during an interview. A key and fundamental trait of good character is honesty, which can be initially assessed through consistency. Looking for inconsistencies in a candidate’s background should not be seen as rude, but rather prudent, considering the importance of the cybersecurity role. Additionally, basic vetting of a candidate’s references can also provide transparency into what kind of person the candidate will be once hired. A quick glance through professional social media profiles can provide troves of information on the legitimacy of both the candidate and his or her references.
    
4. Watch your wallet
   The cybersecurity field is ever growing, and compensation is continuing to create an understandable draw to the industry. In vetting candidates who are interested in growing in the field, versus those whose primary focus is money, take notice of what a candidate’s primary initial concern is. Red flags include the candidate calling out a specific salary target before the meat of the interview even begins. Additionally, if the candidate’s overall focus is what he or she can get from the company (e.g., salary, clearances or certifications), beware: This may be a sign that a precalculated personal agenda is trumping the best interests of the company.
    
5. Know what’s needed, not just who’s needed, to do the job well Management and hiring officials can no longer afford to claim ignorance with regard to needed cybersecurity skills. Today’s business landscape demands a basic understanding of information security, and the lack thereof opens the door not only to traditional logic-based attacks, but to human-based exploits by unscrupulous characters looking for fast cash. Ensuring a basic level of information security knowledge for those hiring officials screening cybersecurity candidates is crucial for proper vetting.

Cybersecurity is experiencing immense growth, and that means more opportunities for those willing to devote themselves to the field through education, training and job experience. Unfortunately, due in part to uninformed employers and ethically compromised candidates, employment of these veritably-inexperienced-yet-smooth-talking opportunists continues to be a blind spot for many companies.

Please note that we are talking about people who exaggerate their real-world experience, maybe even their credentials. We all understand that everyone has to start somewhere, and that for those just entering the workforce or making a career change, they won’t tick off every item in that job description. But, they may be ideal for an entry-level position where they can gain the skills needed to eventually move into a more advanced cybersecurity role.

A small amount of due diligence goes a long way in properly vetting new hires. These five considerations above are a great start.

Jason McDowell, CISSP, is a past contributor to InfoSecurity Professional magazine, the companion publication to INSIGHTS.

---

View INSIGHTS Archive >>