Recruiting ethical hackers: What HR should be looking for?
Recruiting for ethical hackers/pen testers is incredibly difficult. Not because the right people aren’t out there, but because an ethical hacker’s job description and therefore CV is not a typical one.
Recruiting for ethical hackers/pen testers is incredibly difficult. Not because the right people aren’t out there, but because an ethical hacker’s job description and therefore CV is not a typical one. Pen testing as a career is all about using the natural aptitude you were born with. It’s easy to teach skills, how to use different tools etc. but attitude and a way of thinking are not things that can simply be picked up.
HR personnel are not security experts, and we don’t expect them to be, but that makes filtering through CVs an almost impossible task. I tend to request HR pass all CVs on to me when I’m recruiting because the right candidate isn’t always the most obvious one on paper and I wouldn’t want to miss out on a great employee simply because they’ve missed a keyword off their CV, or don’t have all the certifications I’ve noted down as being of interest.
Nevertheless, there are some aspects that HR can look for when recruiting.
Certifications and qualifications
Most jobs will require a candidate to hold a set of certifications and qualifications to make it past the initial screening process. Ethical hacking is no different but it’s more of a grey area. Asking for security-related certifications and qualifications is something HR should definitely do, but I’m often hesitant to advise that they disregard candidates who don’t have them.
For example, we see a number of CVs from excellent, experienced security consultants with well-regarded qualifications under their belt, but nine times out of ten, they don’t have the kind of technical experience required for a role in a pen testing team.
Equally, I’ve come across several excellent ethical hackers who have no official qualifications or certifications, but instead demonstrate their abilities and way of thinking through more practical tasks that go beyond the realms of education and push the boundaries of security.
Certifications and qualifications can form a small part of the puzzle, but I can’t stress enough the need for additional experience and skills to be displayed by a prospective candidate. While these are harder to detect on paper, there are some keywords that HR can look out for when scanning a CV.
The first two I’d always expect to see are vulnerability assessment and pen test – a CV without either of these phrases on it, simply won’t get through.
Burpsuite, OWASP Zap, Fiddler, NMAP – These are a few tools that I would expect a potential candidate to have had experience in using and would detail in their application. There are exceptions, however. For example, CVs that simply note Kali Linux experience without describing which of the tools in the distribution they have used and for what purpose are generally bad CVs in my opinion. Whilst Kali is an excellent security-based Linux distribution, no one is likely to have used every tool distributed with it, and an experienced ethical hacker would know that and be able to be more specific.
Passion is a very difficult thing to infer from a CV, but the best ethical hackers out there aren’t just looking for a way to pay the bills, it’s in their blood, and it’s who they are. So, when it comes to recruiting an ethical hacker, personality traits and qualities are so important.
They are of course a lot harder to measure when reading a one-page document than certifications, experience and skills, but over the years I’ve learned to read between the lines and spot any attributes worth exploring.
For instance, not many people would consider delving into their hobbies or what they do in their spare time on a CV. However ethical hacking is no 9-5 job, it’s a lifestyle. When I pick up a CV, I want to see what the candidate gets up to outside of traditional working hours, has he/she spent any time on Hack the Box type challenges or participated in capture the flag (CTF) exercises for example?
One light-hearted question I often ask when a candidate gets to an interview stage is, “How many Raspberry Pis have you got?” I want to see someone who pushes the boundaries, who is inquisitive and experimental, and simply knows what they want. Understanding what’s in their toolbox and how they fill their spare time can really help with that.
HR certainly have easier roles to fill than that of an ethical hacker, but hopefully this blog provides some tips not only for HR personnel but also those looking to update their CV to ensure it ends up in the right pile.
Calling all penetration testers...
We’re always interested in meeting potential candidates to join our growing team of expert pen testers. If you think you’ve got what it takes, we'd love to hear from you.Drop us a line