Note to HR: InfoSec Applicants are not Necessarily Mainstream Or Ode to the InfoSec Personnel Paradi
They say the only constant is change. This is exceptionally applicable to the IT area and its personnel at this juncture, and it is representative of the new workforce as they change with the times. Exposure to technology at an early age has had a distinct effect on the latest group of employees and potential employees. The new workforce has new motivations, a new focus, and a different level of sophistication in how it documents itself. This new workforce is clearly not the same as prior generations.
This change has also brought challenges to the Human Resources area of business operations. There is a distinct lack of personnel in InfoSec. The HR Department is tasked with adding persons to the IT and InfoSec Departments, yet there is a limited number of qualified people available. This is due to a number of drivers at this time, including the number of University and College programs, the availability of training programs, etc. The personnel moving into these positions, backfilling others who have left due to retirement or lateral moves, are from a new generation that is vastly different from the prior ones.
Next Generation for InfoSec Staffing
The new source of IT staffing has its own manner of carrying itself. With this change of focus and other attributes, there are new behaviors which naturally follow. InfoSec adds an entirely new layer of complexity to the vetting and hiring process. The HR staff have not yet gained an appreciation for this new focus. To further the complexity, the average InfoSec member is not like the mainstream IT person.
We tend to be a bit more curious than the other mainstream IT personnel. We are always looking at the environment and thinking about it, the connections within it, and its other attributes. None of this is simply taken for granted. We look at a process, dissecting it and analyzing how the pieces work together. We don’t assume the app or process is fine. There certainly may be better ways for it to process the material or data, and we think about how this is so. The InfoSec person may also look at what the system is connected to and ask for the data flow diagrams.
The InfoSec staff member tends to be suspicious. The person may look for the loose string to pull, waiting for the remainder of the garment to unravel. At first glance this may not seem applicable or beneficial to InfoSec. It actually is beneficial, in that the InfoSec person does not simply look at the entirety of a project, app, or module to review or test and state that it is fine. The qualified, motivated person will look for a vulnerability. Once one is found, the person will by extension continue to look for further issues associated with it, tracking the issue all the way until no further issue is noted. Once there are no further areas to review, the effort will slow down.
In addition, the person looks at new ways an attacker could attack, breach, or compromise the target. Any minor issues that would seemingly be a non-starter are tracked down and researched. These may arise from new hardware, software, techniques, protocols, encryption, and other security facets as they are presented. These facets should be taken into account by the HR Department as it searches for new persons to complete the InfoSec teams. The boilerplate questionnaires may include additional questions touching on these areas, so that HR may gauge on some level the candidate’s underlying focus and psyche.
Other New Facets to Take into Account
The InfoSec person may not have the fully documented, overly specific timeline on their LinkedIn profile. The information may be close to the reality of the situation rather than an exact record. The picture posted may not generally present the candidate in professional attire. In InfoSec, there are severely limited instances where a tie is required. This is due to the environment itself, and to the InfoSec staff’s direct contact with the C-level being limited. There may also be a funny or IT-centric picture posted instead of their own picture. This could be of HAL, a mathematician, the person’s pet, a formula, or some other image. It could be something as mundane as them sitting at a desk.
The candidate may also have an interesting job title from their current position, or from a business they have owned. Their duties may be those of a Director or Chief Information Architect, while their LinkedIn title for their current or past position may be Chief Disruption Officer or another unique name. These are harmless. The intent with these is not to deceive, but to show a bit of humor and levity.
While these are noteworthy, there is a pertinence to them also. They show the person is creative. The mainstream candidate may have been trained to think primarily within a set of parameters, or within a box. The worthy InfoSec person, on the other hand, will be thinking well outside of any parameters with the intent of finding a way to secure the potential vulnerabilities.
With regard to the picture, although it may be funny or ironic, there may also be a secondary motive. The person may not want their picture online. There are certain instances where presenting a caricature is more prudent. With certain apps, facial recognition is enabled. There has been research indicating that a simple 2D picture, with certain apps and security features, is enough to gain access. While MFA is a good thing, this shows it may be bypassed. There are other uses for a real photo, including false social media accounts and websites that could be used for nefarious activities with this information. There are much worse things than having a picture of a squirrel or an icon as a LinkedIn photo. This is not a fraudulent or otherwise intentional act meant to mislead anyone who would or would not depend on this information. Nor is there any intent to be disrespectful to or mislead other parties viewing the profile. If the picture were of a clown, the intent would not be to convince everyone viewing the profile that the person was actually a clown.
At this juncture in time, it is not the easiest task to find qualified, motivated people to work in InfoSec. There are people who hide behind certifications instead of showing their InfoSec abilities through work experience. Given this, some level of common sense needs to be applied to the hiring process in this field. For the HR representatives involved with the process, the mind-set needs to be flexible. The HR staff should not have a stagnant mind. With this stagnation, the view of the field remains in a certain state while the remainder of society has moved well on. The mind is much like a parachute; it only works when it is open.
Not every person is hiding something. At times, candidates’ backgrounds are not as complete or documented as others. In InfoSec, candidates may at times not have contiguous employment, or documentation for the entirety of the time worked at an institution. There may be periods of research, school, or other related areas.
If certain HR Departments do not allow some form of variance, or make it too difficult for a person to apply and complete the hiring process, the candidate will move on to another business. There are ample opportunities present in the field to allow them to accept another position and be gainfully employed as a productive member of society.
The choice is up to the individual HR Departments. Common sense and flexibility can be applied, or day by day, bit by bit, the InfoSec teams will slowly diminish in numbers at their facility. At some point, there will be a significant issue. This attrition is easily spotted, especially by competitors looking to poach your staff.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.