The debate over hiring security professionals typically centers on the relative importance of two criteria: when hiring a security professional, are security certifications necessary, or should experience weigh more heavily than certifications? Both are arguably necessary today. There are individuals whose experience is so extensive that their accomplishments and reputation trump certifications, but the main body of security job descriptions seeks some form of certification.
What Value do Certifications Add?
A certification managed and conducted by a trusted third party establishes an empirical baseline for competency in any discipline. Certification programs require a minimum number of years of practice from professionals before they may take the exam. Some require re-certification and a commitment to maintaining competency through continuing education.
A certification is like an SAT or MCAT. It measures what a candidate remembers and what she has been taught. To some extent, a certification also measures what a candidate has learned through experience, and how well she is able to analyze a relatively small and contained information set in a small amount of time.
Field Experience Complements Certifications
Certification programs can't tell you whether a candidate's strong suit is defining requirements, designing or implementing systems, reverse engineering executables, analyzing traffic, or administering secure systems and networks; whether he or she operates best as a leader or a follower; works well in groups or alone; reliably meets benchmarks; presents effectively to managers and subordinates; or performs well under stress. These are important hiring criteria, but they are hard to evaluate without serious consideration of an individual's prior work experience.
Asking open-ended questions during interviews is a good way to assess these skills in a candidate. Ask the candidate to share an experience with a project or incident that had a successful outcome. Ask her to describe her role and contributions. Next ask her to share an experience that did not have a successful outcome. Listen and continue to ask questions until you form an impression of the candidate that you can't possibly get from a resume. At the end of a properly conducted interview, you should have a "profile" of your candidate, i.e., "leader, responsible, self-effacing, works well with others..."
Is this enough?
Character is as important a prerequisite as experience and certifications for security positions. Certifications and experience are important hiring criteria, but trustworthiness, work ethic, and professional integrity may be the most important of all for security professionals. Many certifications now require that recipients be familiar with a specific body of knowledge, meet a certain level of experience, and comply with a professional code of conduct.
If your hiring process doesn't consider professional ethics, re-think it now.