Last Updated on March 26, 2024 by Dave Farquhar
We have a cybersecurity talent shortage. You know it, and I know it. But part of the problem is self-inflicted. We don’t know how to interview.
A common complaint about security professionals is that we’re all smug know-it-alls. We have that reputation because that’s precisely the kind of person our interview process is designed to find. We won’t solve the cybersecurity talent shortage and our people skills problem until we get beyond looking for people who can pass CISSP in a suit.
The cybersecurity talent shortage isn’t just about the money
This article states that companies insist on only hiring superstars and only want to pay them $85,000 a year. That’s a slight exaggeration, perhaps, but it’s not far off. I won’t talk specific numbers for obvious reasons, but there was a year, fairly recently, where I was in negotiations to take a job. I gave the potential employer a number that was near the midpoint of what someone with my skills, experience, and accomplishments can expect to get in the St. Louis area. I had hard salary data because sometimes recruiters slip up and tell me more than they’re supposed to.
I wasn’t asking for the high end. I was asking for something near the midpoint. They told me what they had in mind was a good 25 percent less. The discussion didn’t go very far after that. I liked the manager and the team, but in a multi-offer situation, I had no reason to take a low-end salary.
The money’s a problem. Someone with a lot of experience isn’t going to give up their seniority and start over again on their accrued vacation time for a $2,000/year raise.
But there’s another problem besides the money. When a superstar walks through the door, how many companies even recognize it?
Security teams don’t know how to interview
The overwhelming majority of interviews I’ve had for security jobs amounted to giving me an oral certification test again. The question is whether they’re giving me Security+ orally or if they’re trying to give me CISSP orally.
But here’s the thing. I already passed those two tests on paper. I literally had a guy turn me down for a job once because I forgot during the interview that FTP uses both ports 20 and 21, and I just said port 21.
Ironically, within six months of that interview, I dealt with an FTP issue on the job. FTP was against corporate policy but we had no other viable option. I had to layer TLS onto FTP to turn it into FTPS–not SFTP–and make it all work in production. What ports were involved was the least of my concerns. I had to describe my mitigations in excruciating detail so I could get that vice president to sign that risk acceptance. And then it took about two days to get it all working.
The majority of questions I’ve heard in a decade’s worth of job interviews involve asinine, rote facts. Knowing a bunch of random junk only gets you so far. It’s the application of that random junk that gets you somewhere.
Is it any wonder IT organizations hate working with their security departments because it’s full of a bunch of smug know-it-alls? That’s what their interview process is designed to find.
How doctors interview doctors
I can’t find the article anymore, but nearly a decade ago I found an article that argued that IT professionals need to interview each other the way medical doctors interview other doctors. The article observed that a doctor can have a brief conversation with another doctor, and then at the end of the conversation, can then tell a third whether the other doctor is a competent doctor or a quack. Not only that, doctors can interview outside of their specialties and still make a reasonable judgment about each other.
Doctors don’t ascertain one another’s competence by quizzing each other. They talk shop. They aren’t going to find a doctor who never makes mistakes with this method, because that person doesn’t exist. But they will, at the very least, weed out the incompetent candidates with that method. And then if they have more than one qualified candidate, they have to have more discussion.
One of the best things you can do if you’re involved in hiring decisions is to learn how to interview like a doctor.
How the last interview on my team went
My team recently hired a new security engineer. I recused myself from the interview, since I knew him from a previous job. We were better served by having people who didn’t know him conduct the interviews, and see if they shared my opinion of him.
Here’s the thing. He told me after the interview process was over that he didn’t get a single technical question in the whole interview process.
Maybe he didn’t think so. But his technical savvy came up in every conversation we had about him in the process.
Instead of asking him CISSP questions, they got him talking. And once you get security professionals to start running their mouths, they soon reveal whether they’re charlatans or savants. Once you establish the candidate isn’t a charlatan, you need to find out whether you’d enjoy working with the person, and if the person brings something to the team that it currently lacks. Our candidate checked out in all three areas. So we hired him.
You don’t find MacGyver by quizzing
I’m not sure what you do after a round of asking candidates to compare and contrast inherent risk and residual risk, define cross site request forgery, or rattle off ports and protocols. You’re going to have several who do that just fine. How do you pick between them? Flip a coin?
I’m good at my job. How good? Usually in my first year I make it mathematically impossible for me to accomplish as much in my second year as in my first. I get a lot done fast, in a field that has a reputation for just tracking technical debt getting worse and worse every month until something catastrophic happens.
I’ll even tell you how I do it. Vulnerability management is measuring how well people push patches. I pushed patches for a living for 10 years. When I talk to the people who push patches today, I understand the challenges of their day to day existence. I use my tools to measure their success. Then we work together to replicate and extend that success.
I always get the job when we have that conversation. But it’s only come up in interviews twice. Everyone else was just checking to see if I could pass CISSP while wearing a suit.
This approach even expands the pool
One more thing. A recruiter told me that the St. Louis-area CISOs held a secret meeting a year or two ago to talk about how they’re going to solve the talent shortage. They observed that they keep stealing the same people from each other’s teams and increasing salaries beyond what they really want to pay.
The CISOs aren’t going to get the talent surplus they want until they expand the pool. And the way you expand the pool is by identifying raw talent in the interview process, so you can hire and develop that talent instead of getting into a bidding war over people already in the field.
There are approximately 500,000 vacancies in the security field in the United States alone. But until the industry as a whole changes how it interviews, that number is only going to grow.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.