One of my current responsibilities is looking after the recruitment of new professionals into our security practice.  I’m therefore well-placed to notice the current dearth of truly outstanding security professionals looking for work.   With a view to (perhaps) helping out those looking to interview with us at some point in the future, please note the following:

  1. Security is NOT a technology problem.  I don’t care how many capabilities your favourite UTM kit has, it will not solve all of our clients’ issues.
  2. An application does NOT have to be free of vulnerabilities in order to enter production.   We’re dealing with risk management here folks: test your application, fix the problems you’re worried about and move on (keeping a watching eye).  Bear in mind that your testing is dependent upon the skills of the testers you use – just because they didn’t find a problem, doesn’t mean that there aren’t any.  There’s always a degree of risk management, if only to avoid paralysis by analysis.
  3. Compliance is not the same as security.  I don’t care how many tick-boxes you check.
  4. You must be able to talk to the business types:  you must be able to establish rapport with non-technical types and understand the risks that they are prepared to accept as well as those they are not.
  5. We are there to help our clients, not to pretend that we understand their business better than they do.  Some experiences are transferable, some aren’t – recognise that some people may know better than you.
  6. Clenching your teeth, sucking in your breath and shaking your head is no longer an appropriate first reaction to being told that someone wants to do something “outside of policy”.   Ask them why first.   And then you can consider, only consider mind, the negative body language.  However, you should also be considering whether your policy still meets the needs of the business.
  7. Threats, vulnerabilities, business strategies etc. evolve – sometimes rapidly.  Security solutions must not be static or you will be cast adrift.
  8. Security is fun.  You need to understand a vast swathe of technologies and business processes in order to protect them.  Never forget that we’re actually quite lucky to work in such a fluid and wide-ranging subject area.
  9. Regardless of the fluffy stuff above, sometimes you do have to say No.  You require the strength of character to stand behind a justified opinion, always recognising that there will usually be an escalation route that chops your legs from under you.  You must be prepared to do the right thing.
  10. There are few, if any, absolutes in security.   So feel free to completely disagree with this list…

I hope that’s a vaguely useful list of beliefs that I’m looking for potential candidates to display.  But always bear in mind [x] – I’m open to discussion.

One final note to those who may be tempted to try and adopt the tenets above simply to get through our recruitment process.  Please don’t – even if we don’t spot the subterfuge (unlikely), you’ll only find yourself operating in an alien culture which you’d probably not enjoy!