In the last 5 days I have seen a lot of posts about the following:
- Infosec is hard.
- There is a skills shortage.
- There are a ton of fakes out there; how can we find the real infosec pros?
This line of argument is getting kind of tiresome. To answer the first part of this argument - yes, we know infosec is hard; many industries are hard.
On the second point, I think the skills shortage is actually inflated. If you actually sit down and take the time to read some job ads for infosec roles at small and large companies alike, you keep seeing requirements for weird or obscure products, or for experience with them in excess of 5 years. This is silly. For a number of security roles we should really be looking for aptitude or attitude rather than 7 years of experience with HPE Fortify or equivalent. You also have the opposite end of the spectrum, where you see job descriptions so vague that it looks like somebody has done a Ctrl + F and just replaced the job name (recruitment agencies, I’m looking at you).
And finally, point 3: how do we separate the gold from the gold plated? Easy: look at their street cred.
- Do they have infosec projects they are passionate about? If so give them some points.
- Are they continuing to invest in education and professional development? If so more points.
- Can they pass a technical interview? Hold up. I have seen many guys pass technical interviews with flying colours, while basic skills like being able to communicate with people or chase up dependencies are severely lacking. I think we need to move to a new style of technical interview, i.e. we give them a small project to do before or after the main interview - if they can do it, awesome; if not, it’s probably an early warning sign.
- Look at their experience if they have it, and reference check; this doesn’t happen as often as you would think.
Until next time,
The Security Sleuth