There's something very wrong with the recruitment and selection process these days for information security / technology. Data collected from various institutions and the profession in general would indicate that there is a shortage of staff to fill the ever increasing void of infosec professionals - yet we only have ourselves and the incumbent recruitment methodology to blame. In this article, I'll address the current situation, and provide my take on what needs to be done in order to rectify the situation. A quick disclaimer. I'm no Human Resources expert, and I'm not trying to be. However, I am an individual that has sat on both the potential employer / employee sides of the fence over my career, and to my mind, the recruitment process was flawed then - and still is now. But why is this ?
Let's take the market from, say, 2003. At this point of my career, I'd just been made redundant and was looking for work. Admittedly, the market was flooded with potential candidates looking for a job. This was during a particular slump in the market, and where several companies either went broke, or made huge redundancies as a method of scaling back their operations in order to maximise efficiency and reduce cost. The market became a huge sea of talent, all drawn into the same current headed towards the recruiter's nets. In essence, this was an employer's market - a term used to describe the ratio between available jobs and suitable candidates - and they knew it. Here's a classic example of a flawed process. Having been made redundant, I applied for the position of IT Manager for a large trading and investment house in the city.
They were in fact a main competitor of the firm I was working for previously, had exactly the same technology and associated processes, and I had the experience they wanted. Great. I submitted my CV and was called by a recruiter around 30 minutes later. After allowing the recruiter to provide the usual rundown of what the job entailed, and deciding I was a suitable match, she then arranged an interview for me. I was full of optimism for this particular role, as on paper, I was the missing piece of their unfinished jigsaw they were looking for. To my mind, I had a superb chance of being successful. Or so I thought.
An unexpected reality ?
On arrival, I (and several other people) were rounded up like sheep and herded into a small conference room where we were asked to take a seat. At each chair position was a pencil, pen, and around 5 sheets of paper facing downwards. A technical test, perhaps ? These guys seem to know what they are looking for. How wrong was I. Sitting at the table with everyone else in equal anticipation felt like a lifetime when in sashayed the HR director (note that I'm using the phrase "sashayed" loosely and in good humour, as this is probably the best way I could describe this particular individual). She introduced herself, and then set about detailing how this particular session would work. Suddenly, my positive mental thinking degraded into complete disbelief - and at the same time, dismay.
This wasn't a technical test. It was an aptitude test ! And to make it worse, the chosen measurement for this pointless (in my view) exercise was to arrange the CEO's diary for the day. Now, I'm no HR expert as I alluded to at the start of this article, but can someone please explain to me why I need PA skills to run an IT department ?
When asked to start the test, I wrote my name and contact details on the first page, followed by "Could you please give me a call when you have a moment and explain how the technical position I applied for requires me to sit an aptitude test of this nature ? You are wasting your time, my time, and everyone else’s in this room - and insulting their intelligence in the process. Thank you."
At that point, I downed the pencil, got up, grabbed my coat, and left the room. Nobody said a word. You could hear the tumbleweed rolling, and it suddenly dawned on me that I potentially could have just made a complete fool of myself. It was too late to turn back, so I followed through with my original instinct. Expecting to be the only one taking this stance, I took a casual glimpse back at the corridor - just me as I thought - for about 30 seconds. As I signed out at security, 5 others who were in the room were right behind me. The ironic thing is, that despite all of us clearly leaving for the same reason, no conversation was exchanged. They simply scattered in different directions upon exit. Did I ever get a call from this company ? No. And I wasn't expecting it either. But to me, this serves as the classic example of a flawed recruitment process.
How does this align with the problem I originally set out to describe ? Perfectly, in fact. Here's the point. By wasting time and effort on a pointless aptitude test (if you can call it that), this particular organisation missed out on an opportunity to get access to some of the best candidates in the room in terms of experience, and what they could bring to the table. That same principle still applies to today's information security and technology recruitment process. A model which, by definition, is badly broken and needs urgent attention.
Why is the model broken ?
The main issue every infosec professional faces today is the interview selection process itself. In virtually all circumstances, hiring managers will defer the research to Human Resources. Whilst this in itself isn't a bad thing (after all, that is a function of HR), the methodology or approach is. Hiring managers usually set a baseline of what they are looking for along with various "essentials" and "nice to haves", then HR will align this with the current industry trends in order to determine pay scale etc. As a nation, we've fallen into the trap of adopting the (often senseless) notion that certification is essential for InfoSec professionals. This is where the process falls down in my view. For example, take an IT professional who has been in the industry for 25 years plus, who holds no formal certification in the form of CISSP (which seems to be the mandatory requirement these days), yet has been breaking into and securing technology since they were tall enough to sit in front of a PC.
For a CISSP, you need at least 5 years of industry experience - that should clearly tell you something. Experience however, enables any competent individual to use their skillset to its full potential in order to either leverage a vulnerability to its full extent in order to prove successful as a penetration test, or use the same level of experience to effectively harden the environment thus reducing the attack vector and space. However, the CISSP isn't a technical exam in the sense that it requires you to prove your ability to resolve an issue or break into a secured network via an undisclosed vulnerability. It's a technical exam in the sense of theory. Call me a cynic, but anyone who can read a book and has a good memory can pass the CISSP with brain dumps and practice questions. This isn't meant as a derogatory statement; it's an observation which unfortunately rings true in most cases - very much like the MCSE of times past. And so, the inevitable conclusion.
As soon as the acronym "CISSP" is added to any job description or requirement, you eliminate a significant chunk of the talent pool from any potential selection process. By being under the clearly false illusion that the CISSP is the holy grail in information security, we ourselves have actually created a void in the industry that everyone seems to complain about.
An individual with 10+ years' experience in IT is going to be a very strong candidate - particularly if their core focus is around networking and operating system security and its associated technologies. Admittedly, my view could be seen as somewhat biased. Anyone who follows this site and me as a technology and information security professional will know I'm no fan of certification mills. Passing your driving test doesn't mean you are the safest driver on the road, the same as having a CISSP doesn't mean you can secure a network from an external (or perhaps worse, an internal) attack. Being able to secure a network and understand the vast array of complexities that allows a vulnerability to exist in the first place comes with experience. No book is going to teach you to do this without some form of constant exposure.
To excel at something like technology and information security takes passion - fire in your belly, and a strong desire to understand what's under the hood of something rather than just watching it fly past. Finally, all veterans in this industry are familiar with the term "Paper MCSE". If you think this doesn't apply to the CISSP, then think again. Let's not tar the infosec or technology community with the same brush, and instead:
- Insist on including those with the relevant experience instead of simply dismissing them.
- Make the process much fairer with a technical test that is scenario based.
- Measure how the individual responds and adapts to the situation presented to them.
- Evaluate how they use their experience and acumen to eliminate issues and resolve problems.
- If you really want an analytical approach, leverage self-learning AI and other established techniques to really put that candidate under pressure.
Now there's an idea for a startup if I ever had one... you heard it here first, right ?
I fully expect to be "burned at the stake" for my take on why this industry has shot itself in the foot. However, there is a small chance that others will actually agree. Let's see.