Hiring security staff in 2020
Sam Sargeant, Chief Security Officer
First off, yes - I am hiring new security staff. I’ve been thinking about the sort of candidates we hope to recruit, which led me to write this.
I want our team to provide a role that gives space for autonomy, expertise and purpose. Daniel Pink describes these properties in his book Drive. For those on a time budget, he also recorded an animated summary of this idea.
So I think about those dimensions when thinking about security staff. How might the candidate expectations line up with what our organisation provides?
Common operations work might include “threat hunting” – actively looking through systems to find new intrusions. Do they enjoy the freedom to explore endless leads? Is the prospect of unstructured data daunting or uninteresting?
Are they confident in their assessment, able to raise issues that deserve attention and develop a feeling for the noise that surrounds any operations centre?
Autonomy is balanced with teamwork. What happens when a security risk needs to be balanced against delivery and other project risks? Can the candidate support a good discussion that covers both sides? How do they respond when those discussions become difficult?
Are they curious to understand how complex systems work - from assembly instructions through to decentralized command and control protocols? Are their strengths instead found in running repeatable processes and high levels of integrity?
A curious approach is considered important in a range of IT careers, and security is no exception.
None of us is across everything. It’s important to understand the wholeness of the challenge we face and where our knowledge has gaps, lest we fall to the Dunning–Kruger effect.
A key to unlocking that expertise is a systematic approach to the work. Not just because an understanding of computer systems helps us understand risk, but because security itself is a process that is part of a wider risk-management system. Teams that can drive repeatable high-quality work will be successful.
There is a great deal of ambiguity when managing security risks. How likely is it someone can perform a technically complex attack? It might be highly unlikely, but it’s not impossible. Security staff should be able to express when something is uncertain and communicate that for managers. Those that really shine can help communicate that and guide others through that thinking process.
There are many intrinsic motivations that might lead someone to a career in security. We are privileged at InternetNZ to have a position that allows us to have a wider impact beyond our own organisation.
By managing the security risks we face, we can support the entire organisation to make a wider impact on issues that affect the security of NZ.
By reducing the harm from security incidents we support an Internet for good.
By removing the complex security barriers to participation & enhancing trust we can help extend the benefits of the Internet to all.
Cybersecurity is an ever-evolving area, and the skills needed to succeed in the field need to be updated as each new threat emerges. This makes it a challenging and rewarding career, and for us as an organisation, we’re looking for candidates who are ready to help us stay safe online.
Our domain is the Internet, and we should lead by example in how we operate alongside the vision we’re looking to achieve.