Part 1 – Acquiring Talent In Information Security

Hiring Great Fantastic Penetration Testers

What does it take to become a successful penetration tester? How do you identify, hire and stimulate your staff? Did you know, some of the best penetration testers I know have origins from system administration and networking? Let’s discuss some different points to keep in mind when assessing current and future penetration testers 

Unfortunately, this industry attracts “wannabes”; people who have fallen in love with the adrenaline of hacking but instead of seeking to understand they seek only to solve, commonly known as script kiddies. There is nothing wrong with being a script kiddie, many of them have a burning desire for hacking, but does not really tip the scales when it comes to demonstrating thorough understanding of technical content. For a employer to consider hiring someone like this, one of the many “I really want to be a hacker” types, they need to complement their passion and enthusiasm with the technical know how and demonstrated interest. Being a hacker, i.e. a penetration tester, is commonly viewed as a cool, elite and almost mysterious craft. I must imagine some people consider hackers are wizards rendering magic to break into computer systems…

Are pentesters wizards..?

When recruiting penetration tester we want to identify people with passion and interest, yes, but perhaps even more importantly, identify people with an interest in improving underlying skills and filling knowledge gaps; the genuinely curious and problem solving kind. The people who ask the questions “Why?”, “Why does this work?”, instead of hammering the same commands in repeatedly, not putting to figure out what is happening behind the scenes.

Let’s figure out what it takes to become a fantastic pentester.

Aptitude, Attitude, and Initiative

I listened to a talk by my colleague, friend and penetration tester Adrien de Beaupre, and he gave a talk on important facets of pentesters whom have the potential to become very skilled. Some of the points made in the talk was the following points:

  • Aptitude – The talent to naturally pick up and learn new things.
  • Attitude – A kick ass attitude helps.
  • Initiative – Initiative to be independent and take charge

In every job interview and discussion with a prospect I try to uncover these three important traits of a person. Some things are better observed when watching someone do problem solving, for example while working on a challenging security issue; more on that later.

Aptitude

Aptitude is a vital component especially in Information Security. Why? Because cyber security is a ever-changing landscape of bugs, technologies and configurations. The ability to quickly take on new knowledge, re-use old knowledge in new contexts and adapting to what is happening, is very crucial for a penetration tester.

We are living in the Age of Information and the ability to figure out which information is relevant and applicable to the situation of the penetration tester is key. Have you ever noticed some people just seem to pick up on new things easily? It is often due to their natural ability to learn and process pertaining a certain topic. There are varying levels of aptitude someone possess, however aptitude is not the only important factor, it also boils down to how much hard work they are capable of putting in!

Attitude

A “can-do” attitude, and not giving up when things are rough, e.g. if you are not finding any interesting findings during a test, it is important to still believe the only reason you are not finding vulnerabilities is because you are not good enough, not because the application is fully secured (even though that is sometimes what seem to be the case).

Some penetration testers will go the extra mile to try uncover vulnerabilities. They might install software locally to lab and learn more about the target systems. They will dig deeper, do more research and perhaps most importantly of all, utilize their colleagues and friends for aid and help when stuck on a problem.

Sometimes penetration testing can be tiresome and extremely challenging. A healthy attitude is then important, and when paired up with initiative, you have a superior combination to tackle any challenges you might face.

Initiative

You can’t always rely on other people doing the ground work for you. In many cases we need to exploit opportunities that exist, but may be undocumented and not already researched. Will a penetration tester give up and not realize which opportunities exist, or instead utilize their initiative to explore and experiment?

Being able to adequately and independently uncover most of the opportunities a penetration test scope has is an important asset for penetration testers.

Traits To Qualify As Penetration Tester

Knowledge 

Knowledge is without a doubt extremely important, but just how key should it be when considering prospects? A good mix of Aptitude, Attitude and Initiative might make up for the lack of knowledge. For existing employees, knowledge should in almost all scenarios be of a prioritization to nourish and stimulate. However, for new hires it may not have the same significant impact on the work you expect them to deliver after the on-boarding process. Knowledge can always be added later, and one of the deciding factors on how much knowledge should weigh would be to look at how well your organization supports:

  • sharing and transferring existing knowledge, 
  • effective training on what you plan to utilize the prospect on, 
  • self-study, interest and aptitude of the individual,
  • desire, discipline and dedication. 

A mature and modern organization could probably well do with a less experienced and knowledgeful employee as long as the points above are covered.

Ethics And Integrity 

In this field of work, and for security in general, trust is key – especially within penetration testing. Staff will gain access to a plethora of secrets and insider information, such as the stock market, intellectual property in terms of schematics, source code and designs, or compromising details regarding the operations of the company. Ask yourself about the prospect you are considering hiring:

  • Do they emanate trust and confidence in doing the right things?
  • Would you trust your own trade-secrets to them?
  • Have they been in trouble in regards to ethics and integrity before? A background check before hiring someone is never a bad idea.

Personality tests can sometimes help uncover alarming aspects in regards to someone’s personality concerning ethics and integrity. How well they work and how much you should trust such tests is a different matter, but consider applying these testes for candidates which you have a second thoughts about, at least to try remove any sense of doubts before hiring the person.

Valuing Experience 

Experience goes a long way in penetration testing. Most cyber security knowledge areas can easily be acquired later on. It’s really hard to teach someone the valuable lessons that come from experience. To gain experience, you have to be challenged and work through different technologies. This experience will lay the foundation for being able to connect the dots and see the bigger pictures. Because of how experience is valuable in Penetration Testing, I often very much appreciate finding candidates with a background from IT Operations and System Development, not Information Security alone.

Intellectual Honesty 

An important factor for any penetration tester is honesty and being honest about gaps on their own skillsets. An intellectual honest person is probably more inclined to ask colleagues for help to further produce a high quality product for their customers and to stimulate their own need for learning. The opposite person would probably protect their ego than to admit they did not know something.

A few points which indicate a mature and honest penetration tester: 

  • Readily admit the things they do not know. Don’t pretend to be an expert if you’re not. 
  • Come clean on mistakes and problems. 
  • Be honest about risk and conclusions. 
  • Admit you, and nobody else, will ever find every single vulnerability. Residual risk will always be there.  

What is Next?

Next week we will continue this blog post so make sure to follow us on Social Media for the latest updates. In the next post we will discuss:

  • Assessing New Prospects
  • Hiring Through Hacking Challenges
  • Retaining Talent

Did you like this post? Tag us on Social Media:

This article is written by Chris Dale, Principal Consultant and Founder of River Security and SANS Certified Instructor. He has many years experience developing and building penetration testing teams and has hired dozens of people. Here is Chris’s take on acquiring talent within the Information Security industry.

You can follow Chris on Social Media here: