Seek 'passion' and tech skills will follow, say recruiting security chiefs

Plugging the infosec skills gap with expensive consultants or by trying to hire already skilled people won't fix recruitment headaches, Thom Langford, CISO at Publicis Groupe, insisted at the #IRISSCERT conference in Dublin this week. He argued that the industry should be looking for "passionate people and inspire them", …

  1. Robert Grant

    "Good grief", said Charlie Brown.

    "I'm not asking for people to take chances, rather give people opportunities"

    Yet another orthogonality presented as a mutually exclusive alternative. You ARE taking chances by giving a job to someone who seems enthusiastic in an interview. You might say "You should take a chance to give people opportunities", as that at least isn't disingenuous.

    Whether or not you want to take a chance on security in order to give someone an opportunity is another matter. I vote we let enthusiastic people become brain surgeons. The skills (and various liquids) will flow from that!

    1. Semtex451

      Re: "Good grief", said Charlie Brown.

      It's a good point, but if an IT generalist can demonstrate that they actively think about the ramifications of their technical decisions, they could be given that opportunity.

    2. Anonymous Coward

      Re: "Good grief", said Charlie Brown.

      I vote we let enthusiastic people become brain surgeons.

      Not what he was saying.

      The whole recruitment process, often led by recruitment agencies is about round pegs for round holes. They get paid to fulfil a contract, that demands a candidate spec, and invariably they start ruling out entire categories of people, until the subset left contain people who perfectly fit the candidate-specification, but few if any can actually do the job. Downskilling and cost savings of in-house recruitment can easily lead to exactly the same process-above-result outcome.

      This is nothing to do with IT, or ITSec, it is just a flawed outcome of people not thinking carefully enough about what they do, to achieve the outcome they want. A common problem is to specify the candidate so highly, that anybody meeting that spec would have been doing the job successfully for years. If there's no personal growth, learning, and you're not paying 50% above median salary, why would anybody of that calibre apply? Typically it means the successful candidate either won't stay long enough to be useful, or will be a difficult, under-challenged prima donna, or they're just an out and out liar who blagged their way in.

      When recruiting, hiring managers (in this case IT managers) need to identify the minimum of hurdles, but then to clearly understand what they've got leeway on. In a growing field with limited existing talent pools what does that mean? You want the candidate to have a minimal basic understanding to start with, you want them to have ability to acquire the skills you really want them to build, and most importantly, you want them to have the enthusiasm to want to acquire those skills, and to perform the job. That does mean wading through very large numbers of applications, but if they aren't prepared to put that effort in, they can stick with the normal recruitment process, and complain that they can't get the skills.

      1. netminder

        Re: "Good grief", said Charlie Brown.

        I find pretty much the opposite. Headhunters are sending me marginally qualified (if that even) candidates because they want the bonus money. Because I started in security long before it was common I have always dealt with lack of qualifications (hell, I was not qualified on paper for a couple jobs I was successful at).

        What I have done is look for 'markers of success'. On resumes & during interviews I look for explicit examples of them doing more or learning more than what was required along with the realization that they don't know nearly enough. I am about 80% successful in getting people who can handle the work. Average around here with managers who care about GPA and buzzword bingo card CVs is closer to 50%.

    3. This post has been deleted by its author

  2. Anonymous Coward

    entrants should "demonstrate their passion"

    What is it with these useless sods who burble on about "passion" as some sort of primary or uniquely valuable measure of interest or aptitude?

    1. Semtex451

      Re: entrants should "demonstrate their passion"

      Simple, finding ITSec bodies that really give a sh*t is nigh-on impossible, as I find is the case in many other IT spheres.

      Irrespective of aptitude, if you don't actually care, you're going to be worse than useless.

      1. Anonymous Coward

        Re: if you don't actually care, you're going to be worse than useless.

        There is a difference between caring, being motivated, or having a sense of duty or vocation ... and being "passionate":

        Synonyms for passionate: intense, impassioned, ardent, fervent, zealous, vehement, fiery, heated, feverish, emotional, heartfelt, eager, excited, animated, spirited, vigorous, strong, energetic, messianic, fanatical, frenzied, wild, fierce, consuming, violent, tumultuous, flaming, raging, burning, uncontrollable, ungovernable

        1. GruntyMcPugh Silver badge

          Re: if you don't actually care, you're going to be worse than useless.

          @AC Indeed, I despise 'passionate' people. Emotion doesn't solve anything.

          I recall one manager throwing an absolute fit at us when one of our servers failed. I walked up to the rack and swore a blue streak at the server, looked back at my boss, and said 'It appears bad language won't fix it, shall we try another approach?' he then left us to resolve the problem, quietly, on our own. I never heard him swear in front of me again, certainly toned down his 'passion' a bit.

    2. Excellentsword

      Re: entrants should "demonstrate their passion"

      It is a bit 'The Apprentice', isn't it? The TV show that is also a tutorial in how not to be an OK person.

    3. Doctor Syntax Silver badge

      Re: entrants should "demonstrate their passion"

      Maybe a qualification in music is good enough if you have the passion. Or maybe it isn't.

      In the meantime I suppose readers who are currently looking for an infosec consultancy will have been able to whittle down their short-list a little.

      1. Sir Runcible Spoon

        Re: entrants should "demonstrate their passion"

        I would put down my success in IT Security as being down to two things: Ability to pick things up quickly and passion.

        I work with plenty of people who lack the passion for the work. Oh they might have some skills here and there, but unless they're prepared to look beyond the next pay-check those skills will hardly be tested.

        Being passionate (to me) is a desire to do the job properly and being resistant to those forces that try to get things done quickly and cheaply at the cost of security. You don't always win, but you do get concessions - especially when your foresight occasionally saves their bacon.

        The ability to pick things up is mainly driven by my poor memory. It's so bad that I often have to break things down to first principles in order to understand how and why something is happening. Do that often enough and you end up with a solid framework of understanding that can then be applied to many different situations, not just IT related.

    4. Hollerithevo

      Re: entrants should "demonstrate their passion"

      I have a passion for music. Sadly, I can't play a single instrument. But I am enthusiastic as all hell, so here's to applying to the London Symphony Orchestra!

      1. Amorous Cowherder
        Facepalm

        Re: entrants should "demonstrate their passion"

        "I have a passion for music. Sadly, I can't play a single instrument. But I am enthusiastic as all hell, so here's to applying to the London Symphony Orchestra!"

        That statement simply proves you have a passion to make a prat of yourself in public, additionally you have a passion for making spurious arguments using poor logic.

  3. SVV

    Yeh, you shouldn't hire people who don't give a ....

    Great rocket science level of insight there 'Thom'.

    What's that? You can cross train IT people with proven skills and experience to work in IT security? Well F%£ me! What next? You should train and mentor people to fill ALL your skill needs? The amazing new insights are just overwhelming me.....

    Although the headline suggests that a healthy love life will also magically give you new tech skills, although some idiot will probably suggest that sooner or later as well.

    1. smudge
      Headmaster

      Re: Yeh, you shouldn't hire people who don't give a ....

      Now, now, you're making things up. Nowhere does the article mention "training". Just "passion", "inspiration" and "opportunities".

      "Lee Munson, senior associate for information security at Publicis Groupe, added that would-be infosec entrants should "demonstrate their passion" and the tech skills should follow naturally."

      See? No training required!

  4. h3nb45h3r

    Slightly off topic but...

    I caught Chris Boyd's talk at Steelcon 2017 entitled 'Mahkra ni Orroz'.

    Well worth a watch, here's the link https://blog.malwarebytes.com/security-world/2017/07/steelcon-mahkra-ni-orroz/

  5. Anonymous Coward

    "stop looking only for round pegs ... into round holes"

    Plus pay properly too. I guess they're learning that in the shipping industry right now. I'm guessing it won't be a bumper-Christmas at FedEx or Maersk etc this year. However, most senior executives and CEO's still don't get it....

    Why?

    They believe they're masters of the universe and it doesn't matter if there's a breach or meltdown. And you know, they're right too, because they all still get to leave with golden parachutes. WTF shareholders, do something???

    So where's the gold-plated toilet seat or shower-curtain for tech security workers? Oh yeah, that's right we're inconvenient and disposable plumbers that need to be outsourced to the Cloud or India or somewhere else etc.

  6. Anonymous Coward

    Wider Industry disconnect between reality & practicality.

    Wrote to a newspaper giving them details of a simple hack that bypassed their pay-wall. I suggested a small donation to charity. Reaction? Indifference! 'We know about that, but we're waiting for an update to AMP'.

    Go away! They didn't even ask if I found other vulnerabilities! Who does that... ??? ... The interesting part was, anyone could execute the hack in seconds. Whereas they assumed it only worked if users printed out subbed articles, or saved pages to mobile devices etc.

    Lazily, they 'assumed' most readers wouldn't bother. WRONG! Bad assumptions guys. Any browser, truncate URL - bang! ... But isn't that the story of security in 2017! ... Can't happen to us: Equifax / Uber et al etc.

  7. Anonymous Coward

    Slow news day ?

    Many successful companies start with a candidate's aptitude and attitude - which can't be taught - over mere tech skills which can be taught.

    Probably applied universally, really.

  8. Pete 2 Silver badge

    Geeks looking for lurve?

    > the industry should be looking for "passionate people and inspire them"

    Isn't this what has led to many of the I.T. industry's problems with sexism?

  9. Vanir

    I'm passionate

    about doing a professional quality job.

    I've come to the conclusion that managers passionately desire coders that are 'enthusiastic' and 'passionate'; the latter are deemed to be cheaper than coders who exhibit professionalism and integrity and less trouble.

    1. Anonymous Coward

      Re: I'm passionate

      Passionate / enthusiastic typically translates as work extra hours for no extra pay.

      Even though longer hours mean (for huge majority of people) quality of your work declines, so short working day gives far better quality "work".

      A lot of security related work is phenomenally tedious, so a good thing to look for is people who are not easily bored and are rigorous and dogged, "leaving no stone unturned" mentality would arguably be a good thing but not as cheesy as "passion" .

      (And security passion gives odd images e.g. "Finding that buffer overflow got me moist" (the more graphic ones not gender neutral).)

  10. John Smith 19 Gold badge
    Unhappy

    I'm "passionate"*

    About f**kwitted recruitment con-sultants

    Fun fact

    Such companies are independent agents (in the sense they do not take ownership of the goods IE you, themselves)

    So they are not actually working for you, or their "employer" but themselves.

    Something to keep in mind.

    Although from what I've seen this is recruitment-speak for "Obedient," "Tractable" and "Uninterested in money."

  11. Anonymous Coward

    There's no problem having people working in a field such as IT who don't have passion. They may well have solid skills and do their jobs well but don't expect them to show any more motivation than necessary, they will work hard but they only do just as asked, they will work 9-5, nothing more.

    The truly passionate people in IT bring something extra over the "day-jobbers", they bring a drive and motivation to go beyond what's required. You get something extra. The passionate people will not only learn the task at hand and deliver on time, they will read more on the train home, they will go home and play with the technology in their own time, evenings and weekends, they will step outside the remit to learn the "satellite skills" too. Now mix two or more of these people together and you have to be careful, they will try to outdo each other, they will gel and produce some great pieces of work. However controlling them then holding them to a project brief can be hard, they will chomp at the bit to show how much bigger and better a project can be, and uncontrolled they can take projects off track very quickly. I know, 'cos I've been passionate about working in IT since I was 7 years old, it's all I ever wanted to do, 40 years have passed and the passion to learn more about IT seems to be ever more insatiable each year that passes.

    However passionate people are useless without good strong management with the ability to understand how to harness that passion and use it. If you don't have good management all the drive and passion will be wasted, projects go off track, over budget and run late. I'm glad that as a driven person, just like several equally passionate colleagues, we'd easily go off track if our manager didn't keep the reins tight and ensure he guides us appropriately. The reason we're so proud of our dept: every single project for the last 12 years, on time and under budget, but it happens due to the right mix of strong driven people and a good quality manager who knows how to harness us.

  12. Doctor Syntax Silver badge

    The passionate people will not only learn the task at hand and deliver on time, they will read more on the train home, they will go home and play with the technology in their own time, evenings and weekends, they will step outside the remit to learn the "satellite skills" too.

    But how many would describe themselves as "passionate"? Or treat a job advert that specifies it as anything but wanker-speak to be avoided?

    1. John Smith 19 Gold badge
      Unhappy

      "Or treat a job advert that specifies it as anything but wanker-speak to be avoided?"

      Indeed.

      It's one of those words or phrases ("team player*" is another) that con-sultants think is a nice verbal short hand for what they are looking for but is often perceived as "Bu***hit alert. Avoid."

      Let me suggest that most (actually) "passionate" IT people are too introverted to ever consider using such a word about themselves. It will only surface when amongst their peers.

      *It took me a long time to accept that this didn't mean you had to be a real outgoing type to be one.

    2. Anonymous Coward

      Meanwhile the "non passionate" go home to partner, possibly kids, get excited about (non job related) hobbies

      I made a conscious decision to have a meaningful & enjoyable life outside of work & involving others. But you can guarantee on the few hours when I'm in work I'm way more productive per hour than those that live in the office.

      1. Doctor Syntax Silver badge

        "But you can guarantee on the few hours when I'm in work I'm way more productive per hour than those that live in the office."

        I often found that the most productive time was on the way home, even just walking across the car park. Without the focus of what was on the screen the sub-conscious seemed to be able to take a wider look at whatever problem I'd walked away from and come up with a solution.

        1. jelabarre59

          I often found that the most productive time was on the way home, even just walking across the car park. Without the focus of what was on the screen the sub-conscious seemed to be able to take a wider look at whatever problem I'd walked away from and come up with a solution.

          That's where I do my best writing, when I'm nowhere near a computer or paper (or at least am not in a situation where I can bring up the machine to type, IE: driving).

  13. Anonymous Coward

    Which outsourcing operation has passionate and dedicated staff?

    1. John Smith 19 Gold badge
      Unhappy

      " Which outsourcing operation has passionate and dedicated staff?"

      Many I'd guess.

      " passionate and dedicated" about getting the f**k out of there.

      Outsourcers.

      The place where hope goes to die.

  14. Aodhhan

    Thom Langford at Publicis Groupe is a LAZY IDIOT--Here is why

    Can't believe this guy is a CISO. Apparently, he has connections somewhere.. because it cannot be on merit and management skills.

    There are so many different areas in INFOSEC, that to be so narrow when it comes to hiring professionals is idiotic (to say mildly).

    For instance, to conduct penetration testing and red team skills for a person without at least 3 years' security experience will take 2-4 years to become proficient. This doesn't include the huge amount of costs associated with training. On top of salary, you can expect to pay in excess of 60K.

    I don't mind providing individuals right out of school a chance to prove themselves; however, I wouldn't make an entire INFOSEC organization full of them. Even so, I want to see some background displaying computer skills beyond OS configuration and administration.

    Now the LAZY PART--Let's not forget one of the jobs of a CISO... and this is to ensure those who work in INFOSEC are motivated to accomplish a common goal.

    If you have an expectation, then ensure employees have the resources (training, systems, etc.) required to do the job in an efficient manner. Don't expect them to become overly creative and find ways to apply Band-Aids.

    If as a CISO, you find a good percentage of INFOSEC employees aren't meeting your expectations, then first look in the mirror... and ask yourself, if you're doing everything you should.

    If you're unable to motivate and provide leadership, then it's time someone else filled the CISO role. Because you're spending too much time on the golf course or trying to impress those in the corporate board room.
