Summary: Knowing what to look for in the search for an InfoSec expert can be vexing and requires an assortment of personal and professional characteristics not easily found in a single person. Rami SaSS, CEO of WhiteSoutce outlines some of the applicant qualities to look for as you begin this important recruitment process.
Amid a climate of rising cyber security attacks and threats, the need for extremely competent Information Security professionals is becoming an increasingly pressing issue for internet-based and software development companies. Hackers are constantly evolving in skill and method, attacking individuals, companies, and governments alike. Knowing what to look for in your search for an InfoSec expert can be vexing and requires an assortment of personal and professional characteristics not easily found in a single person. Here are some tips on what kind of applicant qualities to look for as you begin this important recruitment process.
Professionally knowledgeable through experience. Degrees and certifications are nice, but without hands-on experience they are not worth much. This is especially true because of the degree of speed with which malicious actors adapt to security measures designed to keep them out, easily rendering outdated countermeasures useless.
A good understanding of the criminal hacking scene. Most security attacks today are performed by professional criminals who are part of company-like structures at offices around the world. The stereotypical vision of a lone hacker in a basement does not reflect today’s organized reality. A good security professional should be aware of the global cyber-criminal scene as a whole, in addition to the discussion forums and malware sharing sites it thrives on.
A sensitivity to the impact of security solutions on an organization and quantifying risks. Security almost always requires some kind of trade-off, and applicants with a focus on security to the exclusion of everything else should be avoided. Those with too singular of a purpose can disrupt the delicate harmony of a working environment and cause more of a disruption than the one they’re working to avoid. Your InfoSec professional should have the ability to maintain a reasonable security:UX ratio.
A slight hint of paranoia helps keep the InfoSec professional constantly on his/her feet and keep up with the ever changing enterprise security landscape. The person in this role should be positioned to intelligently and rationally absorb the threat hype – most of it well-founded – on behalf of the entire organization. This requires a constant vigilance and hypersensitivity to the current climate – and keeping up with hacker techniques and developments as thoroughly as possible.
All-encompassing familiarity with security technologies ranging from the lowest networking layer to the highest application layer is a must. This almost goes without saying, but InfoSec cannot be effectively applied through expertise in one layer at the expense of another. Your applicant must be well-versed in every relevant platform and tool.
Understanding the lifecycle of software and applications from their inception all the way to production allows an InfoSec professional to recognize checkpoints required to implement effective security. Software developers focus heavily on eliminating bugs, but not necessarily security gaps. Therefore, the person in charge of signing off on an application’s security must understand each of its major developmental junctures so as to ensure the unassailability of each critical phase.
A business-oriented mind. The ability to discuss and explain security strategy to C-level management helps keep the organization’s security awareness at a high profile, and also enhances constructive communication flow between the two departments. A security expert who does not relate to the needs of development, sales, or marketing teams must be avoided.
Your candidate must be a sure-footed politician. This, like the above, is related to inner-organization communication effectiveness. In many cases, people within the organization will be reluctant to play along with implementing security solutions that require additional resources. A good InfoSec professional will find the way to get necessary people on board to implement the right steps (without stepping on too many toes) when choosing the security strategy and policy.
Rami Sass is Co-founder and CEO of WhiteSource, the real-time open source component management solution which allows engineering executives to effortlessly manage the use of open source components in their software, allowing developers to focus on building great products. Rami is a serial entrepreneur who has founded a number of successful software companies. Before WhiteSource, Rami Co-founded and was CTO of an EdTech startup.