Thursday, August 23, 2007

So you want an IT job?

Readers here know that Richard Bejtlich's Taosecurity is a favorite read for me. On Tuesday, he posted "What Hackers Learn that the Rest of Us Don't", and included a bit of commentary about his views on hiring IT staff.

I've had the pleasure of working with IT staff from a variety of backgrounds, from the computer lab IT guy who was a fine arts major, to the gifted Windows admin with a marketing background. They have taught me that a CS degree or an MIS degree frequently isn't the best indicator of suitability to the job. One infamous quote from a CS major undergrad that I knew was "I don't care how the computer works, I just program for it!". That's the same as "I don't care about edge cases, it works most of the time!", or other quotes that scare security folks every time we hear them.

As Bejtlich points out, native curiosity and interest, along with attention to edge cases and the little details, are some of the things that can make a hacker successful. The same goes for hiring an IT professional. During the past few years, I've developed a short list of things that I look for when hiring:

  • Curiosity - if I mention a new technology, technique, or other area of interest, does the candidate ask questions, and do they absorb knowledge?
  • Passion - not everybody can go home and play with things for the entire night, but do they actively enjoy doing what they do? Do they want to do it? I tend to ask candidates what their home network looks like, and how they're securing it. I ask what they'd like to play with, and what opportunities they've had and what they've enjoyed.
  • Laziness - not the bad kind, but the right kind. I look for someone who does it right once, rather than badly over and over again.
  • Active learning - are they expanding their knowledge, either formally via courses and training, or informally by tinkering?
  • Active pursuit of knowledge - far too many candidates come in who read a security magazine once a month to stay in touch. That's not a useful way of staying up to date in the modern security world. Ask your candidate what they read to stay up to date, and what mailing lists they're subscribed to. I look for depth and breadth of knowledge seeking.
  • Personality - can they make and take a joke? Can they deal with users? How do they come across?

So, what do you look for in an IT candidate? And how does a security professional differ?

1 comment:

MTI said...

I always try to get an IT candidate to propose a band-aid fix for a hypothetical situation. I'll lay out the problem, state the available resources and see if they can come up with an acceptable "quick-fix" from the mix without automatically resorting to spending money. If they can, then I ask them to pick it apart and show me the problems with the plan and how to back out of it gracefully when a permanent fix can be made. In the end this really captures the creativity, imagination and tinkerer's mind of a good candidate.