Top security skills you should hire for
Security is obviously one of today’s hottest technology topics – and seemingly getting hotter by the moment. So to make sure your team is not only up to speed, but also ready to secure and stabilize your environment, where should you be looking in terms of security skills?
Penetration testing
Without a doubt, pen testing is the top thing most IT teams should have more of – and too few have any at all. The idea behind this “white hat hacker” is to have someone skilled in the ways attackers will come after your code and your infrastructure, and to have that person attempt the same thing against your systems so you find out whether they can be broken into before a real attacker does. It’s a sort of pressure test for your IT environment, and a way of spotting the all-too-common holes that an actual attacker will use to get in and ruin you. But having a single penetration tester is rarely enough – you need to be testing your outward-facing infrastructure, your application code, your internal systems – everything.
In fact, in many cases, it may not pay to hire dedicated pen testers. Instead, you may want to look to some of your best and brightest – systems engineers, coders, and so on – and support them with the time and resources to skill up in pen testing. Their insider knowledge of your environment can give them a valuable perspective, and their institutional knowledge of your code and systems can help them navigate the sometimes-complex political environment that always accompanies serious pen testing.
Domain security experts
If your IT hiring process uses certifications like “MCSE” or “RHCSA” as a human-resources gate that candidates must pass, then you might want to reconsider. While those can provide a valuable – if extremely minimal – benchmark for technical domain knowledge, they rarely include significant security expertise. It’s all well and good that your mail server is up and running, which is the level most certifications focus on, but it does no good at all if the server hasn’t been configured to be as secure as possible. One problem here is that many, if not most, skilled security experts loathe certifications, rarely pursue them, and so won’t make it past those HR gates that simply look for a set of acronyms on resumes.
Instead, make sure your teams include some individuals who have real experience with configuring their chosen technologies to operate in a secure, stable environment. In an interview, these folks will differentiate themselves by being able to easily describe a half-dozen or more common security misconfigurations in the products they support – along with suggested remediations. That’s a person you can put to work right away to make your environment less susceptible to attack. Here’s a great post on when to consider technical certs in the interview process.
Auditing
The problem with security is that it always comes at a cost, either in money, or in convenience and usability. Both of those costs make people all too likely to compromise on security, which isn’t what you want. That’s where an auditor can step in. Depending on their specialty, they routinely review things like coding practices (and actual code), infrastructure configurations, end-user security practices, and more. They’re the ones who spot a security problem in the making. All the security policies in the world are useless if they’re not rigorously observed every day, and auditors can help you understand where policies are working and where they’re not. Auditors even have their own industry groups, including ISACA, that provide timely seminars and updates to keep an educated Information Security Auditor up-to-date and relevant.
But that’s not all
Of course, there are other information security roles that are commonly found only in consulting firms or in especially large or regulated firms. For example, experts in digital forensics are invaluable when you are hacked – or when an attempted hack has been made – because they can help you identify what was done, what was damaged and what was stolen. They’re a way to learn from the mistake and do better next time – but for most smaller- and medium-sized companies, having one on staff (let alone a team) may not be financially practical.
That said, all of the foregoing has avoided what may be the most important security role within any organization: everyone. Making sure that your entire IT team is skilled up in security – secure coding, secure infrastructure design, secure IT operations, and so on – is how you’ll get secure today and stay secure in the long run. Every time a developer writes a line of code, a router operator modifies a setting or a server administrator changes a configuration item, they should be thinking: How will this affect our security? And they should be able to confidently and correctly answer that question. Security, in other words, isn’t something you and a few other people do; it’s something you and your entire organization are. Everyone – even the intern who knows not to click on that spam email – can contribute to a safer organization.
One of the most important security policies your company can adopt is training and education. Here are more tips on exactly how your IT team can create a company-wide awareness about security.
And if your team needs to skill up on security, be sure to check out this webinar from security expert and Pluralsight author, Troy Hunt.