Looking for top-notch talent in cyber security (to join your technology company) is easily one of the hardest talent searches to do well.
A global shortage of good security engineers (a 1.8 million worker shortfall in the next five years) widens the gap between the evolving threats to your customers' data and the people available to defend against them. There are few avenues for non-security practitioners to identify the right people with the right skills. Apart from sending chat requests to the "usual suspects" at the top security vendors or providers in your location, or doing a job title search and praying that the candidates you message will actually be equipped to help protect your company's assets, is there another way to grow a cyber security team?
After identifying the top-notch talent, how should you design the next steps to make a successful hire? This article covers one of the ways non-security practitioners can search for and uncover talent in the cyber security domain. The second half of the article touches on the process.
Many technology companies face the same security concerns:
- Hacks are coming from within the company
- Most IT professionals do not do enough research, as they rely on tools
- No one person can specialize in everything: Many job descriptions today are looking for a hire to "do it all"; this is nearly impossible to fulfil
- Attackers have enough time (always enough time) to hack through the millions of lines of source code
- Social engineering attack tactics make it way too easy for malicious hackers these days
The same few concerns are faced by many, and savvy companies know that these main concerns become a bigger issue at scale.
Bug bounty programs, also known as your best candidate pool
An example of one of the newest public bug bounty programs: Atlassian's, launched in July 2017 with Bugcrowd. Source: https://bugcrowd.com/atlassian.
A bug bounty program helps to create a safer cyber security world for everyone. Hackers and security professionals are invited to identify vulnerabilities - bugs - from the source code of companies' sites. Usually a cash payout is the reward.
"Anyone who develops software will ultimately need a bug bounty" - Mårten Mickos, Chief Executive of HackerOne, formerly of MySQL
Here are some of the things we did to find top cyber security talent:
- Make a relevant, updated list of public bug bounty programs held by the top internet companies, or companies in your domain, if you prefer. Start with a larger candidate pool and eliminate later.
- Identify as much information about each profile as you can. We found many who are very active on Twitter and on the various security topics found on forums like reddit and HN. At this point, 90 percent of non-security practitioners give up on the search, as many top talents prefer to remain mysterious and do not list their personal information. (Some of them are super young as well!)
- If you are on the verge of giving up, know that there are a number of web crawling tools a good headhunter can use in their arsenal. Tools like Aevy.com help to search and filter from 200 million candidates and are a great way to start and manage conversations. It is free to use until you wish to hire, so if you are starting a low volume search, it is a great tool for efficiency. (It's FREE)
- If you are unable to connect directly to a profile you really wish to interview, it is always possible to find a mutual connection to make an introduction. I love to chat with savvy marketing managers for this purpose. They are always cheerfully helpful and know the "pulse" of their company and their security team, usually giving us useful information on their colleagues who may be exploring other options.
- Compare the profiles found on the 'Hall of Fame' of said bug bounty programs and make a list of 50-200 people. I find that if there are always around 20-30 good talent profiles in your process, it will lead you to at least 2 hires in the next 2-4 months, depending on your hiring standards, the problems you are trying to solve in your technology company, funding stage, your location and other factors.
In an earlier article, I mentioned that:
Good Engineers are able to debug problems better, think of solutions better, understand a program faster and assess potential impact and implications faster.
Some smart Engineers are able to turn $1 million-worth complex problems into $100K simple ones. Then whether or not the problem is able to be solved becomes far less important.
To be an expert in everything is
To recap, here are the ways to look for top cyber security talent:
- Pick the top bug bounty programs (that correspond to your domain, if needed)
- Next, identify the top talent in this area and find their contact details, sometimes using third party crawlers
- Now, form a list of 200 top talents for your candidate pipeline and formally interview them for your open roles over the next two to four months; the expected result will be around two good hires.
- Don't give up!
Now, for the process
Technology companies typically look for talent profiles whose work comprises 80 percent research (this includes hands-on pen-testing), 15 percent routine tasks, and 5 percent coffee breaks. ;) Unless your role deviates from this equation, tailor your process to include more technical questions at the first screen. Most questions asked during the screening should be technical: coding, cryptography (if it is needed in the role), their best practices, and raw knowledge.
A sample of a few questions on coding and cryptography is provided below:
- List different types of XSS attacks / How do you prevent XSS attacks?
- What's the difference between SSL and TLS?
- How does an SSL handshake happen?
- What are rainbow tables, and how do they work?
- What's the difference between symmetric key and public key cryptography?
- Should you encrypt and then compress, or compress first?
- What's the difference between RSA and Diffie-Hellman?
Also consider asking the following questions:
- Do you mainly use open source tools? What is your current methodology?
- Describe your network set-up at home.
- Where do you go for your security news?
Part of a cyber security talent's daily job is to keep in touch with security news, so expect immediate, well thought out answers to these questions. The answers showcase their level of interest as well.
GitHub suggests these:
- Andrew Ayer https://www.agwa.name/blog/
- Andrew Hay http://www.andrewhay.ca/
- Ars Technica http://arstechnica.com/security/
- Brian Krebs http://krebsonsecurity.com/
- Bruce Schneier https://www.schneier.com/
- CyberSecPolitics http://cybersecpolitics.blogspot.com/
- Dan Kaminsky https://dankaminsky.com/
- Dark Reading http://www.darkreading.com/
- Errata Security http://blog.erratasec.com/
- Google https://security.googleblog.com/
- Graham Cluley https://www.grahamcluley.com/
- Homeland Security News Wire http://www.homelandsecuritynewswire.com/topics/cybersecurity
- Kevin Beaumont https://medium.com/@networksecurity
- Krypt3ia https://krypt3ia.wordpress.com/
- Lawfare https://lawfareblog.com/topic/cybersecurity
- Malwarebytes https://blog.malwarebytes.com/
- Matt Suiche https://medium.com/@msuiche
- naked security https://nakedsecurity.sophos.com/
- Project Zero https://googleprojectzero.blogspot.com/
- Roger McClinton https://www.infosecblog.org/
- Securelist https://securelist.com/
- Team Cymru https://blog.team-cymru.org/
- the grugq https://medium.com/@thegrugq
- The Security Blogger http://www.thesecurityblogger.com/
- The State of Security http://www.tripwire.com/state-of-security/
- Trail of Bits https://blog.trailofbits.com/
- Troy Hunt https://www.troyhunt.com/
- welivesecurity http://www.welivesecurity.com/
- Wired https://www.wired.com/category/security/
- ZDNet http://www.zdnet.com/blog/security/
It's often been said that the way the talent answers the questions will give you an indication of whether he/she would be interested in helping solve the problems your company is focused on. If you are already adept at picking up on this, you are on your way to growing a great team of security talent!
Many of the resources mentioned in the article are listed here for your reading pleasure:
- A list of Security Blogs
- Exhaustive list of bug bounty programs
- A list of InfoSec professionals' Twitter profiles
- A list of Engineering Blogs
- Security discussion on reddit
Grab's inaugural public bug bounty program started in July 2017 and this article is a small tribute to the internal security team I helped headhunt from scratch.
I contributed to this article in my personal capacity and the views expressed are my own and do not represent the views of the organization I work for.
Ready to bulk up your cybersecurity talent? Join 100offer and get platform support for your company's hiring efforts now.
*This article was first published on LinkedIn. It has been edited for style.
Hiring managers, feel free to spread the love and advice. Email contribution suggestions to email@example.com.