The infosec recruitment process is broken – here’s why

Mark Cutting Analysis, Management, Mentoring, Security, Staff, Training

There’s something very wrong with the recruitment and selection process these days for information security / technology. Data collected from various institutions and the profession in general would indicate that there is a shortage of staff to fill the ever increasing void of infosec professionals – yet we only have ourselves and the incumbent recruitment methodology to blame. In this article, I’ll address the current situation, and provide my take on what needs to be done in order to rectify it. A quick disclaimer: I’m no Human Resources expert, and I’m not trying to be. However, I am an individual who has sat on both the potential employer and employee sides of the fence over my career, and to my mind, the recruitment process was flawed then – and still is now. But why is this?

Let’s take the market from, say, 2003. At this point of my career, I’d just been made redundant and was looking for work. Admittedly, the market was flooded with potential candidates looking for a job. This was during a particular slump in the market, where several companies either went broke, or made huge redundancies as a method of scaling back their operations in order to maximise efficiency and reduce cost. The market became a huge sea of talent, all drawn into the same current headed towards the recruiter’s nets. In essence, this was an employer’s market – a term used to describe the ratio between available jobs and suitable candidates – and they knew it. Here’s a classic example of a flawed process. Having been made redundant, I applied for the position of IT Manager for a large trading and investment house in the city. They were in fact a main competitor of the firm I was working for previously, had exactly the same technology and associated processes, and I had the experience they wanted. Great. I submitted my CV and was called by a recruiter around 30 minutes later. After allowing the recruiter to provide the usual rundown of what the job entailed, and deciding I was a suitable match, she then arranged an interview for me. I was full of optimism for this particular role, as on paper, I was the missing piece of the unfinished jigsaw they were looking for. To my mind, I had a superb chance of being successful. Or so I thought.

An unexpected reality?

On arrival, I (and several other people) were rounded up like sheep and herded into a small conference room where we were asked to take a seat. At each chair position was a pencil, a pen, and around 5 sheets of paper facing downwards. A technical test, perhaps? These guys seemed to know what they were looking for. How wrong I was. Sitting at the table with everyone else in equal anticipation felt like a lifetime, until in sashayed the HR director (note that I’m using the word “sashayed” loosely and in good humour, as this is probably the best way I could describe this particular individual). She introduced herself, and then set about detailing how this particular session would work. Suddenly, my positive mental thinking degraded into complete disbelief – and at the same time, dismay. This wasn’t a technical test. It was an aptitude test! And to make it worse, the chosen measurement for this pointless (in my view) exercise was to arrange the CEO’s diary for the day. Now, I’m no HR expert, as I alluded to at the start of this article, but can someone please explain to me why I need PA skills to run an IT department?

When asked to start the test, I wrote my name and contact details on the first page, followed by “Could you please give me a call when you have a moment and explain how the technical position I applied for requires me to sit an aptitude test of this nature? You are wasting your time, my time, and everyone else’s in this room – and insulting their intelligence in the process. Thank you.”

At that point, I downed the pencil, got up, grabbed my coat, and left the room. Nobody said a word. You could hear the tumbleweed rolling, and it suddenly dawned on me that I could potentially have just made a complete fool of myself. It was too late to turn back, so I followed through with my original instinct. Expecting to be the only one taking this stance, I took a casual glimpse back down the corridor – just me, as I thought – for about 30 seconds. As I signed out at security, 5 others who had been in the room were right behind me. The ironic thing is that despite all of us clearly leaving for the same reason, no conversation was exchanged. They simply scattered in different directions upon exit.

Did I ever get a call from this company? No. And I wasn’t expecting one either. But to me, this serves as the classic example of a flawed recruitment process. How does this align with the problem I originally set out to describe? Perfectly, in fact. Here’s the point. By wasting time and effort on a pointless aptitude test (if you can call it that), this particular organisation missed out on an opportunity to get access to some of the best candidates in the room in terms of experience, and what they could bring to the table. That same principle still applies to today’s information security and technology recruitment process: a model which, by definition, is badly broken and needs urgent attention.

Why is the model broken?

The main issue every infosec professional faces today is the interview selection process itself. In virtually all circumstances, hiring managers will defer the research to Human Resources. Whilst this in itself isn’t a bad thing (after all, that is a function of HR), the methodology or approach is. Hiring managers usually set a baseline of what they are looking for along with various “essentials” and “nice to haves”, then HR will align this with the current industry trends in order to determine pay scale etc.

As a nation, we’ve fallen into the trap of adopting the (often senseless) notion that certification is essential for InfoSec professionals. This is where the process falls down in my view. For example, take an IT professional who has been in the industry for 25 years plus, who holds no formal certification in the form of CISSP (which seems to be the mandatory requirement these days), yet has been breaking into and securing technology since they were tall enough to sit in front of a PC. For a CISSP, you need at least 5 years of industry experience – that should clearly tell you something. Experience, however, enables any competent individual to use their skill set to its full potential: either to leverage a vulnerability to its full extent in order to prove successful in a penetration test, or to use that same level of experience to effectively harden the environment, thus reducing the attack surface. The CISSP, though, isn’t a technical exam in the sense that it requires you to prove your ability to resolve an issue or break into a secured network via an undisclosed vulnerability. It’s a technical exam in the sense of theory. Call me a cynic, but anyone who can read a book and has a good memory can pass the CISSP with brain dumps and practice questions. This isn’t meant as a derogatory statement; it’s an observation which unfortunately rings true in most cases – very much like the MCSE of times past.

And so, the inevitable conclusion.

As soon as the acronym “CISSP” is added to any job description or requirement, you eliminate a significant chunk of the talent pool from any potential selection process. By being under the clearly false illusion that the CISSP is the holy grail in information security, we ourselves have actually created a void in the industry that everyone seems to complain about.

An individual with 10+ years’ experience in IT is going to be a very strong candidate – particularly if their core focus is around networking and operating system security and its associated technologies. Admittedly, my view could be seen as somewhat biased. Anyone who follows this site, and me as a technology and information security professional, will know I’m no fan of certification mills. Passing your driving test doesn’t mean you are the safest driver on the road, just as having a CISSP doesn’t mean you can secure a network from an external (or, perhaps worse, an internal) attack. Being able to secure a network and understand the vast array of complexities that allow a vulnerability to exist in the first place comes with experience. No book is going to teach you to do this without some form of constant exposure. To excel at something like technology and information security takes passion – fire in your belly, and a strong desire to understand what’s under the hood of something rather than just watching it fly past.

Finally, all veterans in this industry are familiar with the term “Paper MCSE”. If you think this doesn’t apply to the CISSP, then think again. Let’s not tar the infosec or technology community with the same brush, and instead:

  • Insist on including those with the relevant experience instead of simply dismissing them.
  • Make the process much fairer with a technical test that is scenario based.
  • Measure how the individual responds and adapts to the situation presented to them.
  • Evaluate how they use their experience and acumen to eliminate issues and resolve problems.
  • If you really want an analytical approach, leverage self-learning AI and other established techniques to really put that candidate under pressure.

Now there’s an idea for a startup if I ever had one… heard it on Phenomlab first, right 🙂

I fully expect to be “burned at the stake” for my take on why this industry has shot itself in the foot. However, there is a small chance that others will actually agree. Let’s see.

About the Author
Mark Cutting

Mark Cutting is the founder of and He is a network, security and infrastructure expert with more than 27 years service in the Information Technology sector.

Aziz Rahman

I think the fundamental problem here is faulty reasoning and assumptions on what a good candidate must and will have. It’s an assumption that certification equals ability – it’s a stupid one, but that’s where we are – and like you said, it rules out many of the best candidates. Experience and ability aren’t rated as much as they should be, and it’s because the people who make the hiring decisions (or at the very least the selection decisions) have no idea what infosec needs and requires. I don’t have the answer to this problem, except maybe IT managers learning to recruit for themselves, or educating HR on what to look for. Oh, and maybe not resorting to stupid aptitude tests.

Marcus Dempsey

Nice article. One of the issues I see from the recruitment process is that the recruiters and/or HR department have absolutely no clue what they are after. From what I can glean from my experience, departmental managers who are looking to hire someone provide the information to the HR team, who then distill it down into what they think are key terms and correct terminology (which is usually wrong), to then have the recruiters have their fun tweaking the requirements. I learnt a long time ago not to rely upon recruiters, and if I did, not to give them an editable Word document for them to adjust to “make me look better”, in other words say I do 90% of the stuff I don’t. I once went for a technical job for a large manufacturer many years ago and was sat down at a table, a bit like yourself, and was asked to write a story and talk about the seasons and all the fluffy stuff. Not one technical question. After 10 minutes, I did a similar thing to yourself: I got up and walked out, and never looked back. I eventually found out that if you were successful in that stage, you had to have another 5 interviews to win the role!! With regards to why the model is broken, I fully agree with you here Mark, it wasn’t too long ago that there was a flame war on Twitter about the value of the CISSP certification…

Marc Kisner

Great article outlining why HR can be a hindrance to employing the best candidates. The situation you describe about taking aptitude tests while in the company of other competing candidates is laughable and achieves nothing. A face to face interview with the hiring manager is much more valuable. HR should look after existing employees and not be directly involved in finding new talent, as they miss the best candidates due to the reasons you outlined. The whole world is in a rush all of the time and wants to consume everything immediately without taking the time to be objective and thorough. We all have the issue of workload, and BAU takes precedence normally, but that’s no excuse for not thinking things through. I have just been through the process of retraining and seeking employment within Cyber Security. It amazes me the difference in ability and thoroughness from one recruitment agent to the next. Then add in the HR element and it’s a case of box ticking for skills while having no idea what those skills actually mean. Plus add in the keyword search that recruiters and HR use to search for candidates and we end up being processed like a digital document and not a human being. If it carries on like this we will have robots making decisions about our lives and careers. On a positive note, certain HR people, recruitment agents and head hunters are excellent. The ones who take the time to get to know…

Pete Strouse

Part of the issue stems from the fact that HR and recruitment are often lumped into the same bucket and not treated as the separate functions they are. I was previously in charge of HR and recruiting departments in tandem in a security assessment firm, and can tell you the model simply doesn’t work. Another issue is that recruiters are not trained properly to truly understand the industry in which they recruit. Most recruiters are simply keyword searchers and don’t understand any of the key concepts behind the roles they are trying to fill. Recruitment in general is broken, not just in InfoSec. Fortunately, security recruitment experts do exist…you just might have to be willing to pay them.

Rich Gardner

InfoSec professionals come in all shapes and sizes… a CISSP does not fit the category for probably 80% of the jobs that are in the marketplace today. Let’s not forget that a CISSP is a mile wide and an inch deep on most of the 10 domains. As a candidate, I would also challenge the hiring managers to show why a CISSP is valid in the position they posted. I have had my CISSP since 2006 and used the skills in less than 20% of my positions. I also hold a CISM and CGEIT, for which the previous statement also holds true for about 20 to 30% of the positions that I have held. The same argument is flying around about Certified Ethical Hacking (CEH) – these certifications just show some level of understanding of the information security process and issues that have to be addressed in day-to-day business. In my humble opinion, and as someone who has hired security professionals, I tend to take the job that needs to be filled, break it down to what a middle of the road candidate should have from a skills perspective and give that to the HR manager. I also formulate questions for the candidate that are both based on their resume and general industry knowledge. For example, I would ask a candidate, please rate yourself on Windows and/or Linux – grade yourself from 1 (knowing very little) to 10 (uber-geek) – If anyone says a 10 I know they are full…

Laura Dempsey

Hi, throwing my hat in this ring – slightly different take on the subject – a massive shortage of skills keeps getting bandied about. I disagree; the talent is there, we just need to harness it. There is however a massive shortage of women in tech and that is part of the overall problem & picture. Flexible working and recognising transferable skills is where I’ll be starting.

Ahmed Sharaf

I appreciate the post Mark and can identify with your perspective. I take about 200 – 250+ self-driven hours a year of security training, understanding vendors and their products while improving my skills constantly. I am one of those that has been in security and the Internet since almost the beginning. We were the upstream ISP for the L0pht so I guess you can say I am genetically wired to be security/hacker aware. Even though I have operated largely as a sales person throughout my career, I have also been a System Admin/Engineer since 1995. I do not hold a single certificate, but I have operated on the Internet/Network/Security for decades. Most security personnel are required to take 16-20 hours of training annually to maintain their certifications. I always hear the grumbling in the room when they are asking for how to receive credit. I do not have a number, I just type in my name. Truth to me is, I could care less about the credit. I always ask myself, “do I understand the subject matter?” “is it important?” “how does it relate to my use cases?” and “can this deliver value?”, otherwise it is just a check box. This is the attitude I see from most certified security personnel. “It is just a check box.” This is unfortunate because many are not driven by the passion, they are driven by the pay check. To really stay on top of this industry, you have to be wired a certain way…

Mark Evans

I have felt nothing but a quiet rage when taking qualifications which will get past an applicant tracking system. Mentioning no names; one of the “Industry Gold Standard” exams is in excess of four hours long and has 200 or more questions. I have read people complaining about it being “too difficult”. I came out – after passing the exam in 75 minutes (probably ten of which were me just wondering if I was on a new episode of “Candid Camera”) – seething. The quality of questions was absolutely appalling. I exaggerate (but only slightly) when I say that the questions were of the quality of:

Q: You need to ensure that a message is received by a recipient with proof that it hasn’t changed in transit. Do you use:
A: A hashing algorithm
B: A picture of Elon Musk
C: A hammer
D: Press “D” if you identify as “moronic”

It was so frustrating! What made it worse was that I knew people were PROUD of this particular qualification. And then – what about those who had FAILED?! As a (sometime) hiring manager, I won’t add a list of qualifications to my job requisition to Recruitment. If the Applicant Tracking System jettisons someone because they can’t tick the CISM box then I’m abdicating my responsibility to hire the best people for my employer. I had my fingers burnt by “paper MCSEs” back in the day. They could quote the network traffic for a DHCP request (“Hi Dora!!!”) but –…

Mark Honeycutt

You knew this would hit a sore spot on the top of my head, didn’t you Mark?! You’re right with every detail of your assessment. What drives me most insane is that the industry is letting itself become a watered-down bastion for degree holders who have paper, yet no experience. It leaves those of us who have learned through trial and error and experience locked in a dark closet with no food or water. HR folks have no clue how to evaluate the hundreds of resumes they get for a job, so they do what HR folks do — grade them based upon what credentials a person has. It’s the credentials that kill, and they are getting deadlier by the day. Have you ever heard of certificate mills? Of course. I hear the ads on the radio every day. “Billy Bob was driving trucks six months ago, but today he has a rewarding career as an IT Security Specialist.” I met a kid (he was 19 years old) who had something like 18 certifications. He went to one of those IT cert mills and got them in 18 months. What’s wrong with that? He could barely turn a PC on. He was kicked off the project in two weeks. We found out that he eventually landed a job working for the state, which tells me something right there. But that’s another story.

Lawrence H. (Larry) King

As you know, I am trying to build a site to help educate and train new IT and Cybersecurity professionals as well as help them find jobs. One of the things I have been thinking about doing is also adding a section for recruiting staff and hiring managers to help them align the job role with realistic expectations and certifications that match the roles they are trying to fill. What are your thoughts on this and what could I do to make this even better? I still have a long way to go. I have to find or curate content to add to my site. MIT OCW and NIST have both given me permission to use their content but I still have to build the course around that content.