Recently, while discussing an ordeal one of my customers went through due to a bad hire, we started discussing a different criterion that makes a big difference in hiring. The benefit of experience is seeing patterns and applying them to other related things. A bad hire can have grave consequences for even the healthiest companies. For this article we’ll focus on the information security criteria for new hires. For starters I’ll share some of the good and bad patterns, then together we can address the value of applying this to your hiring practices. If you are not involved with hiring, you might want to apply the information to help you understand your strengths or build up areas of improvement.
One factor I’m going to leave out of this is the InfoSec infrastructure and culture of your company. If it weren’t good, you wouldn’t be able to tell whether you were hiring the right people or not; everyone would have problems. Your websites would be getting hacked, your email accounts would be getting shut down because they were sending spam, and an abundance of other similar issues would exist across the board.
What Good InfoSec Hires Look Like
How do you know you have employees that should be ranked as good in terms of information security? The biggest factor is whether you ever have any problems with their computers and accounts due to some compromise. Good InfoSec hires will rarely, if ever, open suspicious emails. They will rarely, if ever, click links they shouldn’t. They will rarely, if ever, have to talk to IT or have a system restored due to a security issue or compromised account.
What characteristics do good InfoSec hires demonstrate?
There are a number of things that you can look for to help make better hiring decisions. Here are some traits that a good InfoSec hire would have:
- Responsibility – individuals that exhibit responsibility will be less likely to make careless mistakes that compromise your security.
- Street Smarts – being able to spot a con is actually a very valuable trait. A little street smarts goes a long way; candidates that are too innocent and lack worldly experience are much more likely to become victims of phishing attempts.
- Generosity – greed is one of the predominant traits that criminals play on. A person who is fiscally generous is much less likely to fall into these traps, or others, that could have a huge fiscal and reputational impact on your company.
- Digital Native – candidates who have a strong mastery of software, social networks, computers and smart devices are much more likely to understand the ever-present risks and instinctively make good decisions.
These are just a few traits, and it is likely that others are also valuable. If you have suggestions to add, either use the comments or contact me to share.
What Bad InfoSec Hires Look Like
We know what a good hire looks like on a deeper level, but what about a bad hire? This one is perhaps more obvious. Bad hires will be people who struggle with technology or always seem to be having problems due to carelessness or a lack of knowledge. Here are some of the characteristics a bad hire would exhibit:
- Carelessness – candidates who are careless will struggle with issues like identity theft, become victims of scams and face infiltration from malware and viruses.
- Innocence – adults in the workforce will need some basic protections; candidates that are too innocent are an easy mark for some kinds of exploitation.
- Greed – people who might be willing to compromise values or fall for scams due to greed are not good hires. Greed also tends to replicate entitlement, and greedy people will think things are owed to them and be less likely to produce quality work.
- Technology Challenged – lacking experience with technology means that certain things will be learned the hard way.
Suggestions are welcome, and I think there is a great opportunity for a lively discussion about this in the comments or privately via email.
Tips for making good InfoSec hires
The good news is that the traits that make for good InfoSec hires will serve your company well. Thinking about how to analyze and determine these is very valuable. Here are some interview questions and hiring concepts that might help you find the ideal employees:
- Ask candidates about the last time they had a problem with a computer or smartphone. What was it related to? What did they do to fix it or get it resolved? You can follow up with more specific questions about viruses, malware, etc.
- Call both references provided and seek out others that they did not mention, but who may be listed in their LinkedIn or other profiles. One technique that might be helpful is to check for people you have in common at those companies; they will be more likely to introduce you to the manager the candidate worked with. This could be a great option to determine the character qualities of your candidates.
- Present a scenario that the candidate is unlikely to have knowledge of, and see if they are able to deliver a potential solution using gut instinct. This will help determine their street smarts.
- If they have stated software or technology skills that you are very familiar with, talk about those things to gauge how well they really know them.
You can do better…
These are some examples, but I’m willing to bet you can use the concepts and come up with even better options that fit your company and candidates; after all, you know your business better than anyone else. The main intention of this article was to help you avoid a bad hire that could hurt your company. Most of the people I work with aren’t huge companies and cannot afford to make poor hiring decisions… do you have any tips to share that might help others?