Hackers for hire: A way to identify top cybersecurity talent
Looking for top notch talent in cybersecurity (to join your technology company) is easily one of the hardest talent searches to do well.
A global shortage of good security engineers (a 1.8 million worker shortfall within the next 5 years) widens the gap in resolving the evolving problem of protecting your customers' data from malicious activity. There are few avenues for non-security practitioners to identify the right people with the right skills. Apart from sending chat requests to the 'usual suspects' at the top security vendors or providers in your location, or doing a job title search and praying that the candidates you message will be equipped to help protect your company's assets, is there another way to grow a cybersecurity team?
After identifying top notch talent, how should you design the next steps to make a successful hire? This article covers one of the ways non-security practitioners can search for and uncover talent in the cybersecurity domain. The second half of the article touches on the interview process.
Many technology companies face the same security concerns:
- Hacks are coming from within the company
- Most IT staff do not do enough research, as they rely on tools
- No one person can specialize in everything: many job descriptions today look for a hire who can 'do it all', which is nearly impossible to fulfil
- Attackers have enough time (always enough time) to work through millions of lines of source code
- Social engineering tactics make it far too easy for malicious hackers these days
The same few concerns are faced by many, and savvy companies know that these concerns become bigger issues at scale.
Bug bounty programs, also known as your best candidate pool
An example of one of the newest public bug bounty programs: Atlassian's, launched in July 2017 with Bugcrowd. Source: https://bugcrowd.com/atlassian
A bug bounty program helps to create a safer cybersecurity world for everyone. Hackers and security professionals are invited to identify vulnerabilities (bugs) in companies' sites and software. Usually a cash payout is the reward.
"Anyone who develops software will ultimately need a bug bounty" - Mårten Mickos, Chief Executive of HackerOne, formerly of MySQL
Here are some of the things we did to find top cybersecurity talent
- Make a relevant, updated list of public bug bounty programs held by the top internet companies, or by companies in your domain if you prefer. Start with a larger candidate pool and eliminate later.
- Identify as much information about each profile as you can. We found many who are very active on Twitter and on the various security topics found on forums like Reddit and HN. At this point, 90% of non-security practitioners give up on the search, as many top talents prefer to remain mysterious and do not list their personal information. (Some of them are super young as well!)
- If you are on the verge of giving up, know that there are a number of web crawling tools a good headhunter can use. Tools like Aevy.com help to search and filter from 200 million candidates and are a great way to start and manage conversations. It is free to use until you wish to hire, so if you are starting a low volume search, it is a great tool for efficiency.
- If you are unable to connect directly with a profile you really wish to interview, it is always possible to find a mutual connection to make an introduction. I love to chat with savvy marketing managers for this purpose. They are always cheerfully helpful and know the 'pulse' of their company and its security team, and they usually give us useful information on colleagues who may be exploring other options.
- Compare the profiles found in the 'Hall of Fame' of those bug bounty programs and make a list of 50-200 people. I find that keeping around 20-30 good talent profiles in your process at all times will lead to at least 2 hires in the next 2-4 months, depending on your hiring standards, the problems you are trying to solve in your technology company, your funding stage, your location and other factors.
In an earlier article, I mentioned that:
Good engineers are able to debug problems better, think of solutions better, understand a program faster, and assess potential impact and implications faster.
Some smart engineers are able to turn $1 million-worth complex problems into $100K simple ones. Whether or not the problem can then be solved becomes far less important.
To be an expert in everything is not required.
To recap, here are the ways to look for top cybersecurity talent:
- Pick the top bug bounty programs (those that correspond to your domain, if needed)
- Next, identify top talent in this area and find their contact details, sometimes using third party crawlers
- Now, form a list of 200 top talents for your candidate pipeline and formally interview them for your open roles over the next 2-4 months; the expected result is around 2 good hires
- Don't give up!
Now for the process
Technology companies typically look for talent profiles who are used to work comprising 80% research (this includes hands-on pen-testing), 15% routine tasks ... and 5% coffee breaks ;) Unless your role deviates from this equation, tailor your process so that the first screen has more technical questions. Most questions asked during the screening should be technical questions on coding, cryptography (if it is needed in the role), their best practices, and raw knowledge.
A sample of a few questions on coding and cryptography is provided below:
- List different types of XSS attacks / How do you prevent XSS attacks?
- What's the difference between SSL and TLS?
- How does an SSL handshake happen?
- What are rainbow tables and how do they work?
- What's the difference between symmetric key and public key cryptography?
- Should you encrypt and then compress, or compress first?
- What's the difference between RSA and Diffie-Hellman?
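To show the kind of answer the XSS prevention question is after, here is an added example (not from the original article or any project it mentions) of context-aware output encoding in JavaScript. The function names and the constructed sample input are assumptions; the point it demonstrates is that untrusted text must be encoded for the exact context it lands in (HTML body versus attribute versus URL), and that a single generic escape is not enough.

```javascript
// Added example: context-aware output encoding, the core of XSS prevention.
// Function names and sample input are constructed for illustration.

// HTML body context: encode the five characters that can change markup.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// URL context: only allow http(s) links so a javascript: URL cannot be injected
// into an href; anything else is replaced by a harmless placeholder.
function safeHref(untrusted) {
  const value = String(untrusted).trim();
  if (/^https?:\/\//i.test(value)) {
    return escapeHtml(value); // still attribute-encode after validating the scheme
  }
  return '#';
}

// Build a profile card from untrusted fields. Each field is encoded for the
// context it is inserted into: body text, attribute value, and link target.
function renderProfileCard(profile) {
  return (
    '<div class="card" title="' + escapeHtml(profile.handle) + '">' +
      '<span>' + escapeHtml(profile.displayName) + '</span>' +
      '<a href="' + safeHref(profile.website) + '">site</a>' +
    '</div>'
  );
}

// Constructed input containing attempts at script, attribute and URL injection.
const sampleProfile = {
  handle: 'x" onmouseover="alert(1)',
  displayName: '<script>alert(1)</script>',
  website: 'javascript:alert(1)',
};

// Count how many raw "<" characters survive, which should be zero for any
// untrusted value once it has been encoded for its context.
function rawAngleBracketsFrom(untrustedValue, html) {
  return html.includes(untrustedValue) ? 1 : 0;
}

console.log(renderProfileCard(sampleProfile));
```

The quality signal in an interview answer is whether the candidate distinguishes contexts (body, attribute, URL, JavaScript, CSS) rather than reciting "escape the input"; output encoding at render time, plus a Content Security Policy, is the usual defensive baseline.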
Also consider asking the following questions:
- Do you mainly use open source tools? What is your current methodology?
- Describe your network set-up at home
- Where do you go for your security news?
Part of a cybersecurity professional's daily job is to keep in touch with security news, so expect immediate, well thought out answers to these questions. The answers showcase their level of interest as well.
We particularly like the security blogs of Dark Reading, the grugq, Naked Security and Project Zero. Others worth checking out are Malwarebytes, Troy Hunt, and Graham Cluley.
A list of security blogs
It is often said that the way a candidate answers these questions indicates whether he or she would be interested in helping to solve the problems your company is focused on. If you are already adept at picking up on this, you are on your way to growing a great team of security talent!
Many of the resources mentioned in the article are listed here for your reading pleasure:
- A list of Security Blogs
- Exhaustive list of bug bounty programs
- A list of InfoSec professionals' Twitter profiles
- A list of Engineering Blogs
- Security discussion on reddit
Grab's inaugural public bug bounty program started in July 2017 and this article is a small tribute to the internal security team I helped headhunt from scratch.
I contributed to this article in my personal capacity and the views expressed are my own and do not represent the views of the organization I work for.
Comments

Aspiring Artist ... Stand up comedian ... Happiness Ambassador ... Hospitality business promotion and expansion ... (6 years ago)
Rachel, do call and connect: 7987380947, Gautam. One, I need to avail your service and need to understand the modus operandi, and second, I wish to apply for relevant positions in sales and marketing at India level.

Archivist and Public Historian at the Public Record Office of Northern Ireland (PRONI) (7 years ago)
Thanks for including Aevy as a recommended tool! If anyone would like to learn more, they can visit https://aevy.com or email me directly at becky (at) aevy (dot) com. Thanks!

Panel National Industry Expert for NCS Industry Forward, CEO @ OPERION Ecommerce & Software S/B [Hiring Sr. technical project coordinator] (7 years ago)
Path to enroll in hackers community?