As a recruiter, I often have the question posed to me in a variety of ways, “Exactly what is it that hiring managers want?” What is it that they are looking for when they review resumes and interview candidates?

Conceptually, screening candidates for best fit is a simple thing. If one were to boil one’s attributes down to the bare essentials, they can be summarized into 3 elements: education and training, experience and applied knowledge, and soft skills. While this may seem pretty straightforward, entire industries have arisen to help people grow stronger in these areas, and to help companies measure them.

Training and Experience

The fact that you find yourself reading this article is indicative of the fact that you understand the value of education and training. Whether it be a degree or specialized training designed to help obtain specific certifications, the knowledge gained can teach you how to perform tasks “by the book.” Additionally, completed degrees or earned certifications communicate to employers your ability to stick to tasks and complete them, as well as having some level of specialized knowledge in a field. In an increasingly competitive labor market, many people are turning toward specialized training and certifications as a means of specializing and setting themselves apart from the rest of the pack. Simultaneously, in the face of a growing number of applicants for every open position, many employers are requiring technical certifications as a litmus test of qualification for some positions.

Critics of this approach can readily point to individuals who have earned certifications, but lack real world experience, and struggle to perform the basics of positions that veteran employees who lack certifications can easily perform. However, even the most veteran professional in any field will admit that there is valuable knowledge that can be obtained from such training. Often professionals who have foregone completing their degrees, or other forms of formal technical training, have gaps in their knowledge or have failed to pick up formal methodologies that are expected in larger organizations. Even individuals who are rock solid can benefit from the refreshers that such courses provide.

Having said all that, it isn’t hard at all to argue the value of experience. It is experience that can help someone take book knowledge and apply it to ambiguous situations. Or simply to take abstract concepts and apply them to concrete, real world challenges.

How one weighs the value of experience and training can be debated, but how one measures them is often pretty concrete when it comes to information technology roles. When looking at a resume, for example, it’s pretty cut and dry how much experience someone has in his or her field. And in addition to degrees and certifications, there are a number of tests that people can take to demonstrate their technical skills.

Soft Skills

That said, there’s still a lot of gray area when it comes to evaluating candidates. Two people can interview for a position who look to be nearly equal in terms of experience, yet a hiring manager comes away with a strong recommendation to hire one and not the other. Or sometimes there are even instances in which someone may appear to be even stronger in terms of experience and training, and yet someone else gets the job. Setting aside potential discrimination issues, a very valid difference could be what some would call soft skills, or behavioral skills. These skills are the intangibles that really pull everything together and drive someone’s success or failure in a role.

They are actually so important that some managers will go so far as to forego hiring someone with the right training and experience and instead hire people with the right basic attributes, the “right stuff” so to speak, because it is much easier to provide people with well-defined technical training who already possess the basic behavioral precursors to success than it is to train someone to alter his or her behavior who already has the technical background for a job.

In my experience, I have seen this on many occasions, but two come readily to mind.

The first was a director of a technical call center for a major corporation. Typical of many tech support jobs, most of the support calls didn’t require exceptional technical skills. They DID however, require individuals with upbeat, customer-focused attitudes. Let’s face it, when you are dealing daily with people who use disc drives as cup holders, who employ 123456 as passwords … Well, it can be difficult.

So, instead of hiring technical professionals, who had their A+, MCP, MCSE, and so on, who looked at call center jobs as stepping stones until they could move up to “real” IT positions, she took exceptional customer support professionals out of the company’s regular call center, gave them some technical training, and ended up with an exceptional tech support group.

Similarly, I know of an individual who is now an information security consultant for a major corporation who was originally hired because of his project management skills and other intangibles, though he lacked any IT experience or training at all. He is now considered a top performer in his group, respected by peers, clients, and superiors. (As a bit of history, that same manager had previously had an individual on his team with certifications out the wazoo. Unfortunately, that individual couldn’t get anything done unless he was constantly supervised. One appealing dimension of the new consultant was that he was known to have an exceptional work ethic.)

So, exactly what soft skills are they looking for?

In an ideal world, job descriptions would be broken down into a mix of training, technical skills, and behavioral skills, which would be validated against high performers in those roles. Then, behavioral questions would be used measure those attributes in interviews. Sometimes though, hiring managers will consciously or subconsciously look for indications that you possess these attributes before you even get to the interview stage. That’s why knowing their expectations is helpful. It allows you to think about how to present yourself.

I polled some people in the information security field, asking them what they look for, and here’s a sampling of the answers I got:

Communicating the Big Picture:

This was the top response, by far.

Anyone who has been in the industry very long has met the consultant who thinks that he or she is God’s gift to the profession and that anyone within earshot should respectfully obey his commends, just because he said so.

Anyone who’s a parent knows that you can only get by with using the “because I said so” command so much before it begins to foster resentment. Depending on the credibility you have with your kids, and their ages, the number ranges between zero and three times a year. In a corporate environment, it is especially important to be able to explain the big picture to people.

This implies really two sets of skills: the ability to understand the big picture from a business perspective, and the ability to tactfully communicate it to people at varying levels in an organization. Here are a couple of quotes on this point:

“One invaluable ‘soft’ skill for an information security professional is the ability to tell a compelling story. The complexities of information security are well over the heads of many of the executives who ultimately need to fund and sponsor security initiatives. The ability to explain complex risks and vulnerabilities – or – to tell the story of the information security environment to a non-technical audience is a rare and extremely valuable asset.” – Jarrett B., Senior Consultant

“In today’s environment we are funded, at least partially, with regulatory compliance. It is not enough to know we need to encrypt drives to protect data, but they need to figure out how to come up with a business reason and tie it to monies so business operations understands why we need to encrypt drives.”– Phillip O, Systems Engineer at a security technology company.

“Infosec professionals need to be able to explain the purpose behind the security protocols, not just enforce a mandate. For example, your hire can’t intimidate people into compliance–it won’t work in the long haul. They need to come beside them as peers and be able to discuss the *why* of the security measures and how they practically protect the end user and the organization.”– Aaron G, VP of Information Technology

Passion for Knowledge:

This just about goes without saying in the information security profession. Whether in a “hands on” role that deals with things like intrusion detection and forensics, or high-level consulting that deals with regulatory compliance, we live in a changing world. A good information security professional must constantly upgrade his or her technical skills and industry knowledge or be left behind.

“Someone who never gets tired of research, study and learning.” – Allan M., Infrastructure Administrator for a County Government

Others:

I got a number of public and private responses when I sent out a request for feedback on this issue. As mentioned previously, attitude and work ethic generally get high marks in any role. Additionally, several other items stood out:

  1. the ability to handle stress and conflict,
  2. analytical skills – which meant the ability to dig deep for information, the ability to make correlations,
  3. multitasking and/or project management got mentioned, often in the context of a good work ethic,
  4. and finally, I’m not certain it is technically a skill, but Phillip O. also mentioned Integrity, which I thought was noteworthy.

Whether it is a skill or not, it is certainly important, since so many stories in the news boil down to how a lack of integrity can wreck companies and careers.

So what?

Anyone with a reasonably skeptical or analytical mind has got to be asking how this information is helpful. Here’s how.

First, ask yourself to what degree these qualities are evident in the way you conduct yourself at work and at home. Can you be relied on to do something when you are asked to, or when you say you will? Are you the person who’s willing to take the time to explain something to the non-technical business partner, or do you largely ignore them and hope they will just leave you alone so you can do your job? Do you go over and above what is asked, or do you just do the minimum it takes to get by because you have higher aspirations than your current job, which isn’t worthy of your talents?

The habits you form now will stay with you wherever you go, whether good or bad, and the reputation you establish in your current job will follow you throughout your career.

Additionally, hiring managers are increasingly relying on social media to check out candidates before they even decide to conduct phone screens. If you have a presence online, what does it tell people about you? Are all of your Tweets snarky comments about video games, sports teams, and the Big Bang Theory, or do they demonstrate that you’ve matured since high school? Does your LinkedIn profile demonstrate an interest in a variety of things based on your group membership? Do you have at least a few substantive recommendations that reflect the skills we have discussed? Do you even have a LinkedIn page? If you have a blog, was your last post in 2006, and was the content something that would reflect positively on you as a job-seeker, or is it filled with spelling and grammatical errors while at the same time proclaiming how great you are?

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

We are hopefully returning to a healthier economy, but there will never again be a time when your public online persona isn’t something you want to cultivate as much as you cultivate good habits.

What about you? What do you think are the key skills for someone in an infosec role, and how would you go about evaluating whether someone demonstrates them?