Over the years I’ve hired or helped hire hundreds of computer security folks. Although job interviews tend to last an hour, I can usually tell in a few minutes if I’m talking to the right person for the job.
If I think I have the right person, I will lead them into saying the right things to win the job. If I don’t think so, I usually cut the interview short.
What makes or breaks it for them isn’t on their resume -- experience and skills are table stakes. It’s the trust that I can throw nearly anything at them and they will get the job done.
If they don’t know what they need to know to get a job done, they learn it. I don’t have to tell them. They are self-motivated and don’t complain about every surprise situation. They simply get it done.
When I sense that in a person, I’ll try my best to hire them. I’ll even pay them more than I think they’re currently worth because I know they will grow into the job. That special quality amounts to a combination of passion, willingness, and intelligence.
A passion for the job
First, I need to know they’re passionate about computer security, learning everything they can about most of it and specializing in one or more areas along the way.
Are they up on the latest security trends and issues, or is everything they know five years old? Are they worried about the latest security threats? In computer security, as in other tech areas, you’re only as good as your last two to three years. Keeping up to date is a learned trait among passionate people.
I try to sense if the candidate is attracted to computer security on a gut level. Do they read computer security blogs and articles in their spare time? Is it merely a job, or do they have a personal interest in it? If you love what you do, you’ll do it better.
I also want to know if the person I’m interviewing really wants to work for the company. If the interviewee doesn’t ask what it’s like to work at my company, do they care? I can’t tell you how many otherwise good, intelligent candidates I’ve written off because I could tell I was one in a series of interviews, and my company wasn’t at the top of the list.
Passion has its limits, of course. Computer security attracts more than its share of excitable eccentrics. I don’t want to be stuck with an employee who yells, gets overly frustrated when things don’t go their way, or fails to treat people with respect. I’ve had to endure working with people like that, so any hint of that sort of personality in an interview is a red flag.
Knowledge of what the business needs
A fundamental fact about security is it’s almost always at odds with everyday business operations. Whether it’s two-factor authentication or long, complex passwords, security always puts at least a slight burden on users. Security needs advocacy -- but not to the point of bullying or you’ll hurt the cause.
No one wants to work with someone who is so passionate about computer security that they don’t mind slowing down or interrupting operations. Computer security and business operations should always work toward an equilibrium, with both sides winning some of the battles.
Great communication skills
Everyone thinks they have great communication skills. I can’t tell you how many people I’ve interviewed who lacked those skills entirely, yet when you asked what they thought they excelled at, they cited their communication skills.
First, you need to be a listener -- in the interview and on the job. Rapid-fire blather without pause won’t land you a position. Some of my interviewees are so nervous they talk as if they’re in a NASCAR pit crew.
Even more obvious: Don’t bad-mouth anyone. Whenever someone trashes a previous employer, all I hear is what they'd say of me and my company if it didn’t work out. Successful candidates give me a sense that they have a long history of success in their previous roles and projects. Give me the opposite sense and the interview will be cut short.
I don't want to brag, but in the instances I've used these methods, the candidates I've hired over nearly three decades have worked out well -- even those who were relatively clueless about the technology or the role they were going to fill. I felt absolutely assured that they could learn what they needed to come up to speed.
They not only excelled in the job I hired them for, but ended up excelling at most tasks they took on. I’ve happily watched many of them become managers, bosses, and security technical consultants. Motivation and the sense that there must be a way to accomplish something wins every time.