Find Security Talent in Unusual Places

My Mom Said it’s OK If I Code For You Guys: Finding Security Talent In Unusual Places

Teenage rebellion manifests itself in many forms, and it takes a visionary to recognize genius in it. While some demonstrate their angst with green hair or eardrum-piercing speed metal, there also exists a subculture of teens who buck the system with code. Indeed, teen hacker activity runs the spectrum from mischievousness to outright criminal activity. Somewhere in the middle are the hackers who, out of curiosity and challenge, use their programming skills as a way to assert, discover, and have fun. Keep an eye out for that group – they may wind up being the most important protectors of your company.

Take the case of Jon Oberheide who, as a 17 year-old in 2010, sat in a Starbucks in Ann Arbor, Michigan and repeatedly hacked his way into the internal network of Arbor Networks. The company is, ironically, an infrastructure security company, so one can only imagine the level of freak out that happened when they discovered their network was being exploited. Arbor’s Chief Security Architect at the time, Dug Song, identified the young Oberheide as the dark hat, but rather than alert authorities, he hired Oberheide to join Arbor’s security team. Seven years later, Song and Oberheide have co-founded device security company, Duo Security, that’s received $49 million in venture capital funding.

Network and data security isn’t taken lightly. Hacks and security breaches have created major issues to the brands and bottom lines of companies and governments all over the world. Most people have a very negative view of hackers and prefer a law and order approach to their activities; lock ’em up and throw away the key. But security is hard and it requires a unique skill set, and the Song and Oberheide story demonstrates that if you can find people who approach security with determination, skill, and a sense of unabashed enthusiasm, it’s probably best to get them on your team. CEO and founder, Tim Prendergast, along with Robert Half CISO, Eddie Borrero, recently presented at an Amazon Web Services (AWS) Summit in San Francisco on the topic of finding and hiring security experts. One piece of advice from Tim was, “look for aptitude, not experience.” There’s a pragmatic element to this, especially when there’s a huge need for highly qualified security experts in the job market. It also speaks to the speed of innovation in this space; just because you’ve “done” security for 15 years, doesn’t mean you’re capable of building the best security monitoring tool for the cloud. Someone who has beaten you at your own game, however, is probably a solid candidate.

Tim and fellow founder (and CTO) Justin Lundy approach security expertise as something that must always be evolving and growing. The best security engineers are those who understand the severity of what is being secured, but are able to pair that with a sense of discovery and a deep understanding of what physicist Richard Feynman called “the pleasure of finding things out.”

It’s hard to find talent when you’re beholden to the traditional game plan. Resumes will tell you something, but there’s no substitute for seeing a person in action, especially when being successful at things they aren’t getting paid to do. Dug Song said, “Some of the best hackers don’t come with credentials or an Internet degree. A lot of this is driven by curiosity and a longing to learn more about systems.”

If you approach recruiting as a search to identify ability and desire, you might be surprised at where your next great hire comes from. Skill and desire know no age, gender, or orientation of any kind. Your next great security engineer could come from almost any walk of life or demographic. He or she might even need a permission slip from school to leave school for the interview. When you find that person, make an offer before you notice your data has been leaked.