There are times at work when I consult with large organisations. During those consultations I sometimes design cyber security platforms for the clever analysts to use.

When that happens, I work with a quite robust delivery team to recruit the right people into the role. The roles tend to be temporary and customer facing, yet highly technical with difficult timelines, limited resources, and changing demands.

In this post I’ll outline the criteria I look for in these people. It’s not necessarily what you’d expect.

Technical Requirements

You’d think that hiring engineers to build a cyber security platform would be straightforward: find skills related to platform components, such as data storage or networking, or skills related to cyber use cases, such as hacking, big data ingestion, threat intelligence, and devops.

Initially, you are right. In the job description there will be some technical requirements, and if you cannot hang, you shouldn’t apply. But here are a few secrets:

  1. You don’t have to be perfect at everything listed, but you do have to get me on the phone and arrange to meet me.
  2. I’m more interested in how quickly you learn new things and how eager you are to do well than some course or certification you’ve taken.

Get me on the phone. Explain your situation. And then set up a plan in between our phone call and when we meet. That plan is simple:

  1. Find a few technologies you aren’t so skilled at but will need for the role.
  2. Rapidly learn about them academically (read a book, take a free video course, or just watch a few hours on YouTube).
  3. Once you have the language, build a little project.
  4. Document all that you’ve learned before we meet.

When I took a job a few years ago, I had never had working experience in relational databases or Regex. It’s just not something I had worked in. During my “I’m serious, let me interview” phone call, the hiring manager told me all the tech I needed to know. I didn’t know much of it, but I said that I learn quickly. We arranged a meeting a week later. In that time I did exactly what I did above and put my little CRUD script on GitHub. At our meeting I explained what I did, showed my honest weakness, but also expressed how interested and serious I was, and showed how quickly I learned.

Those are more valuable (on some level) than being the best. And it’s easy for me to write that, because if you were the best, you wouldn’t be seeking this kind of advice.

Second pro-tip: Get over yourself. You are part of something bigger than yourself. No one owes you anything. You owe yourself everything. Get over yourself and focus on the process and making big, wonderful things, and you won’t come across like a jerk.

Non-Technical Skills

Here is the golden advice. A lot of technical security people think they’ve solved the hard part – the super technical stuff – and they disregard the non-technical skills. Things like communication, time management, matrix management, persuasion. But here is the thing. When I hire for technical roles, those roles tend to be in customer delivery. Those people will often need to meet the customer and interact with business people. They’ll need to work with project managers and finance. They’ll need to work with HR and follow sometimes stupid processes.

I don’t care how smart and capable you are: if during our conversations I get the impression that you will make life difficult by being a jerk to HR, that you won’t follow process, that you will be arrogant in emails to project managers or customers, that you can’t use emotional intelligence to convey difficult information in meaningful ways, or that you are unwilling to change your opinion, then your technical skills mean nothing to me and my team.

Here is the secret: for charismatic people, technical skills are the hard things. For technically skilled people, non-technical skills are the hard things. Just because you can code doesn’t mean I want you in front of a customer, or that you’d want to be in front of a customer. But cyber security is increasingly important. Doing good security is a business decision. And if you can’t understand how business works, you have no place on my team, nor will you last long in this industry, because in a few years the super-technical jobs will be fewer as we invest in computers that write their own algorithms and SOC operations that rely on orchestration and automation.

Skills You Need

To summarise, I need the following:

  1. An ability to understand business
  2. An ability to quickly learn new things
  3. An ability to convey complex information in easy-to-understand ways
  4. A technical ability as defined by the technology involved (duh, I still need tech skills)

If you notice, tech skills are required but not exclusive. Success in cyber security is more than just technical skills, despite what you might think.

Let me know what you think.