As recent stats reveals, the cyber market is expected to grow from $77 billion in 2015 to $170 billion in 2020. The ISARA and RSA survey also shows that almost half of the respondents consider cyber criminals and non-malicious insiders as the key actors exploiting their enterprises. Thus, cybercrime plays the key role because it encourages companies to spend more on security.
While cyber security market is growing, its labor market experiences severe problems. By the end of 2015, more than two-thirds of senior-level technology professionals confirmed they have experienced the effects of software security talent shortage. Along with this trend, around 2 million security related positions will be at risk of not being closed by the end of 2017. Despite the company’s size, both startups and large enterprises suffer from such dynamics.
How can I keep the software security talent?
Not only searching but also keeping software security talent is a challenge for most companies. In this situation, paying lots of money is not the way out. Recently, Cybrary conducted a study that showed the salary of the vast majority of software security employees starts from $25 000 exceeding $100 000. According to Dice, the yearly salary of software security engineer may reach $233 333. So money is not the key factor for a software security talent to work for your company unless he earns $10 000 monthly.
What can you do about it? In fact, the most appropriate strategy is obvious: creating a working environment your employee won’t leave. By using CNA’s experience, you can concentrate on your company’s reputation and team environment that include on-the-job training and learning opportunities.
OK, I’ll find the way to keep the worker. But how to identify the real security geek?
In 2015, ISACA and RSA reported only less than one-quarter of all applicants had enough qualifications to work as software security employees. Thus, you’ll inevitably face the need to invest plenty of resources and energy in hiring a security talent.
But how to make the right choice and distinguish a real software security specialist among hundreds of applicants claiming to protect your company? We offer 6 interview techniques to help you identify the real software security geek.
1. Ask about their security software development experience
Because of high cost and increased demand for software security professionals, the role of experience gains critical importance. In this situation, many companies tend to raise the ante of necessary experience while searching for software security specialist.
Inflated demands make the hiring process more complicated. As IDC reports, chances are high to find a candidate with up to 5 years of practice within just 3 months. Oppositely, you may need a year to close the position of a 10-year experience worker.
Even if the experience of your future worker is the key requirement, keep in mind that you cannot rely on it heavily when it comes to real-time situations in your company. Because of their ongoing development, software security threats change fast. Hence, the key thing you should consider while looking at your applicant’s experience is not the list of his previous achievements, as he might have been working as a part of team, but specific skills he had demonstrated while gaining this experience.
2. Don’t underestimate the role of education
If the experience of your applicant isn’t satisfactory, it’s not the reason to stop the interview. In fact, their educational background is also very important. It’s a common practice for companies to attract talented IT students and train within the company. For example, Intel heavily relies on hiring a broad pool of students to meet the software security demand and create innovative teams. In this case, you can help a talent reveal himself in the situation when the educational system doesn’t have enough resources to provide relevant cases for students’ training.
3. Consider any security certification (OSCP) obtained
On this aspect, certifications of training show that the candidate has already obtained all necessary skills to work in the field of software security. In particular, Foote Partners justified the sharp increase of importance (almost 4% in value) while considering 69 security certifications in the last quarter 2014. Auditing, hacking, and forensics are the most demanded certifications.
In this situation, consider OSCP as a proof your candidate has gained a particular skill. In other words, it indicates the readiness of a novice to compensate the lack of experience and/or education and demonstrate the necessary skills.
At the same time, OSCP cannot be the ace in your hand while choosing a candidate. Actually, high cost of gaining a security certification keeps small enterprises away from these programs. Thus, make an in-depth investigation of your applicant’s OSCP, and consider its absence in complex with the previous job experience. Don’t also forget to ask about the size of his previous company. If it was small, your software security talent may lack certification because the company hadn’t enough resources for this.
4. Propose to analyze previous achievements and failures
After collecting facts about your applicant’s past, let him reflect on it. Let him analyze both positive results as well as failures and their impact on corporate security. These reflections can reveal the locus of control of your applicant: candidates with an internal locus of control feel sure their actions impact the result and are ready to gain responsibility for their actions. Oppositely, candidates with external locus of control look for someone to tell them what they should do and try avoid any responsibility.
What does that mean for hiring a security software expert? The first type (internal) are ready to take ownership for their stack of tasks and are more likely to bring fresh ideas and suggestions in terms of building a project. Those of external type are better at delivering tasks and working under someone’s control.
Remember, it’s more important to reveal the failures and the ways your candidate has gone through them. “How often have you taken the server down at your previous company?” – that might be an example of a failure-revealing question. Of course, that’s not the thing an expert can do, but that’s your way to reveal some sensitive information about the candidate.
5. Test the knowledge
After looking at your candidate’s experience, education, and certification, it’s important to get a rough idea of the candidate’s knowledge, meaning software, systems, development concepts, programming proficiency, and other general skills. If your candidate meets your expectations after the previous sessions, proceed to test this knowledge.
The key goal of this technique is to ensure your security candidate is a real expert. You can start this part of an interview with a general question. For example, ask him to compare the level of security for open-source projects and proprietary ones, potential security risks for open Wi-Fi networks. You can also let your applicant provide a definition to software security or ask what “pentest” stands for and when this method is usually applied.
Furthermore, you should understand whether an applicant is able to maintain software security in your company. For this aim, suggest to analyse your company’s potential security problems. While listening, distinguish how the candidate defines the goal of information security within your company. Encourage applicants to ask questions about your company, current projects and the team he’s going to join. This way, you’ll check the general understanding of software security and his ability to implement his knowledge in practice.
6. Is he up to the latest news within the industry?
By asking this question, you can see the degree of your candidate’s involvement in the field. Ask about his favorite software security blogs, online magazines and resources, forums, and methods of self-development.
By the number of sources he’ll list you can reveal potential commitment of your future employee to continuous learning. By reading news, your candidate demonstrates interest to the up-to-date trends that are important for his future work. Such eagerness to learn can compensate the lack of experience or certifications.
Among the key software security skills you should consider, we recommend you asking about cryptography. It involves deep understanding of mathematics (as it’s algorithm-based) and can be applied to real-time situations. As an important data protection method, chosen type of cryptography reveals both studying and practicing potential of your candidate. Finally, the fact that your candidate uses cryptography at home shows the level of expertise within software security field. In particular, ability to adjust software methods to personal needs reveals your candidate’s ability to finding fresh approaches, which is a great bonus for his future work in your company.
So what should I do if I need to hire a team of software security specialists?
Software security specialists are highly demanded today, so you should try hard to choose the best members for your team. Software security talent is a mix of experience, skills, and personality traits that an employer should consider in complex to make the right choice. Remember that you are looking for enthusiastic, smart, and skillful person with necessary background and passion for maintaining software security in your company.
Nothing’s impossible. Are you still challenged to find the right person? That’s not a problem anymore, just let us help you!
This was a very meaningful post, so informative and encouraging information, Thank you for this post.