In today's deep recession, accented by continuing layoffs, it might be hard to believe that good security jobs are hard to fill, but they are. Or maybe it's more accurate to say that it's hard to find good security people for those jobs.
I recently helped hire a Web security analyst for a client with a large number of IIS and Apache Web servers. After filtering out hundreds of inexperienced candidates, I settled on a half-dozen people with relevant experience, education, and credentials. (I care about qualifications in that order.)
During my interviews with all six hand-picked candidates, I was surprised to find out how much they did not know about Web security. They couldn't tell me the difference between a XSS (cross-site scripting) attack and a cross-domain attack. Most were unaware of how to harden the base Web server OSes, and most were unable to describe a SQL injection attack. Only one knew how to isolate different Web sites from others using security accounts and application pools. On a positive note, at least two of them had heard about banner ads being used for malware distribution.
When I informed the candidates aware that they would be responsible for keeping up with the latest ASP/ASP.Net and PHP attacks and vulnerabilities, all to a person expressed surprise that PHP or PHP apps had any vulnerabilities. After the third candidate said this, my jaw dropped. Upon hearing this from the very last candidate, I was just depressed. Where have these people been living? Do they read beyond Facebook and Twitter?
I ended up hiring the only candidate that seemed to express genuine interest in learning more about PHP vulnerabilities. I was doubly depressed that this interview mimicked one I gave a few years ago. Times had changed, but not the quality of the candidates.
More of the same
As I was ruminating about these sad turn of events, a trusted friend who is the CSO at a large Fortune 100 company called to vent about exactly the same issue. This CSO is the type of boss any of us would want to work for. He's an above-average intelligent guy who loves computer security, protects his team from the politics, and gets his staff involved with all the cool toys. When you join this team, you're surrounded by other smart security experts. It's a dream job with a nice salary.
So my friend called up a trusted computer security headhunting firm, gave them the qualifications of his desired candidate, and waited to interview the preselected cream of the crop. His findings? Exactly the same as mine. He was befuddled by the poor showing across the entire group of candidates. He thought 90 percent of them were wholly unqualified. He was so tired of getting security-certified people that could not answer basic questions -- and we're not talking rocket-science inquiries.
Example: "Tell me what you know about Conficker." Most responded that they didn't know that much about "Conflicker" (note the added "l"), except that it had infected a lot of computers and was overhyped. Another example: "Tell me five things you would do to harden a Windows computer." He expected he'd have to cut off most of the candidates, thinking they'd have an exhaustive list of techniques to recite. Heck, I can name five things I'd do related to password policy alone. Instead, none of them came up with five items. Most only came up with two or three things. One asked for the question to be repeated. Yeah, he didn't get the job.
Hire knowledge, not certificates
These anecdotes reinforce my belief that security certifications do not guarantee the overall quality of a candidate. Holders of the No. 1 most popular -- and overrated -- certificate (you know which one I'm talking about) ran the gamut from adequate to nearly clueless. How did they pass that exam?
I will say that, from my experience, any of the SANS certification courses tend to turn out very knowledgeable candidates. The organization is one of the few doing it right. Any job candidate with a SANS cert should be given special move-to-the-head-of-the-line consideration.
[ Find out which IT certifications are hot in this cool job market. ]
If you're applying for a security job, learn as much about the job before you show up. Find out what OSes and applications the company runs (no, don't pen test and enumerate their computers without permission) and what security tools are preferred. Be prepared for any security-related question. Practice ahead of time. Research security problems and malware related to the involved platforms. Lastly, when asked a question you should know, don't get caught with a deer-in-the-headlights look; rather, have your answers ready to go. Come up with a few good general responses that will work well against any general security question, but don't make them so vague that the interviewer knows you're being evasive.
Also, don't dog your former employer. The same goes for criticizing any product or platform until you know how your interviewer feels about it. Insulting the interviewer's favorite technologies won't earn you any extra points.
Another tip: Don't brag about your black-hat, illegal exploits until you find out whether your intended employer is into hiring malicious hackers. (Most aren't.) Lastly, if the hiring manager tells you the company is going to do a routine legal background check as a part of the employment process, don't ask if it will be state or federal. If you do, it will probably be both.
Ultimately, the candidates we both hired were the most subject-knowledgeable of the bunch. You could tell they were well read, both in terms of favorite Web sites and security books. Mostly, the successful candidates were enthusiastic about the subject. That came through. They weren't just looking for a job; they were looking for a career, with specific goals and contributions in mind.
My last piece of advice: If you're having a hard time winning a job after repeated interviews, maybe it's time to seek professional interview advice or conduct fake interviews with a friend who is honest enough to tell you the truth.