No Experience No Problem? Cultivating Cyber Security Ninjas

” Cyber security requires a different way of thinking and acting – hire for character, passion, critical thinking skills, and agility.”

Currently there is a push for maturing organizations from IT to Security, from a staff of one to a team, and elevation of security from sub-reporting roles to board/CEO direct report.  As organizations attempt to hire staff for badly needed security roles they are having trouble finding staff for open positions.  There are so few people that have true security experience, and of those even fewer with cyber warfare experience.  The mass majority of companies I’ve worked with and people that have asked for help on this in the past few years is staggeringly consistent – you can’t find highly trained and experienced staff for cyber security and if you do you can’t really afford them.

In the world of the NFL – yes I love fantasy football! – if a team spends all their money on a franchise QB the rest of the team usually suffers over time.  It’s not complicated, they just can’t afford super stars in other positions.  Sadly this often results in a team being out of balance, such as a great QB with no offensive line to protect him.  He ends up being so busy trying to shotgun and run he can’t find open receivers or gets injured and so on.  The lesson learned here is that you have to manage your security team like a great NFL team, in a balanced fashion.  There is a place for superstars, when you’re filling huge gaps or already have massive talent that needs that spark.  But in the end you must make your priority the TEAM overall and never lose sight of that.

I’ve done a lot of hiring of extremely talented and amazing individuals in the Cyber Security world over the years.  The first thing I look for is character.  I train just about anyone to analyze code but I can’t train character.  People either push others down or lift them up as they rise to the top. I look for team players that focus on championing the team instead of their own personal gain. I also look for people that are able and willing to communicate with others in an effective manner.  I’m willing to overlook personality and communication differences as long as you focus on the team and hope you do the same with me. Most importantly, in a world where you can’t find many talented and experienced staff, you have to cultivate it for people with potential.

Cultivating cyber ninja’s is no easy process but it does rely upon a few key factors in the hiring process.

  1. Passion
    They must have a passion for what they do.  Have they shown initiative to get out and learn things on their own, pursue training, get networked, etc.  If you don’t see passion you may be settling for mediocre or a book smart person that lacks the drive you’ll need in the demanding world of Security.  Be sure to ask them what motivates them and where they see themselves in the future – it’s either a technical engineering path or that of management.  This passion and vision will help you as a hiring manager to identify who has the right passion for the right position.
  2. Critical Thinking Skills
    There is no box in security – hire people that can think out of the box.  I often evaluate this by looking for perseverance in an interview.  It’s when someone has failed and responds well to a technical question or challenge that I can see best how they’ll survive in the world of security.  If they are book smart they’ll look at everything through the eyes of what is supposed to be instead of what may be.  Security experts are constantly being lied too and attempted to be subverted by sophisticated adversaries requiring a different approach and intense critical thinking skills.  This necessarily involves extreme analytical skills paired with outstanding problem solving.
  3. Ability to zoom in and out
    All too often super geeks get lost in the finer details of a singular problem set or challenge.  The great geeks can zoom in and out, on both tactical and strategic levels.  You’ll see this in how they respond to project management challenges and interactions with others.  Great geeks can focus on relationships, large scale birds eye views, but then also zoom in to the finer details where it makes sense at that time to do so, in a dynamic fashion.  This is a type of thinking agility and scope that few have in the world of cyber geekdom.

I recently had a discussion with a respected colleague about IT versus Security.  We tossed around the concept that some people are just naturally crafted for IT and operational skills and positions while others are for security.  In fact, we often (if not always) see that IT people are IT people and security people are security people.  Often IT leads is the initial path from which a security expert arises, but IT people tend to stay IT people.  This is about how people thing, organize their lives, and most of all how they think and adapt in a workplace.  This is why in one study it was found that the number one most likely factor to lead to compromise was hiring IT into security roles.  Yep – if you hire super smart hard working IT people into a security role you’re MOST LIKELY to create an intrusion or major risk event for your company in the long run.  Often hiring IT staff means current staff in a company are promoted into a new role that the company has not had before.  While this has benefits of them knowing people, process, and technology, it seriously lacks what matters most for the new role and way of thinking and approaching risk management.  This is why so many organizations are using managed security services now to help leap frog forward as they build out new areas of their company and move towards risk management maturity overall.

As a manager you must carefully identify where a person best fits for their role, as the IT super star or the Security super star, etc.  Building out your team with the right people in the right jobs is essential.  As you seek to hire new security staff, you’ll have to identify in most cases diamonds in the rough that can be cultivated over time into a cyber security ninja.