Why Technical Screening is Important
What Causes Data Breaches?
The most common causes of data breaches are mistakes made in configuration and support. According to the Identity Theft Resource Center (ITRC), there are seven different causes of data breaches: accidental web/internet exposure, data on the move, employee error/negligence/improper disposal/lost, hacking/intrusion, insider theft, physical theft, and unauthorized access.
Most of these risks can be mitigated by skilled security architects, engineers, and analysts. Security personnel are trained to handle the complex nature of the digital age. The challenge is to avoid costly hiring mistakes and find the most qualified and skilled candidates for your company.
The Screening Process
The most difficult part of the recruitment process is screening the right candidates out of a large applicant pool. This can take non-technical staff a great deal of time. Relying on managers to review large numbers of resumes and filter out which candidates should move forward is an inefficient way to fill a position. Technical positions enjoy a very low unemployment rate and skilled technicians are hired quickly, so a lengthy screening process run by non-technical staff will often cost you the most qualified candidates.
Let’s say you have narrowed your applicant list down somewhat and think you have several candidates who warrant further discovery. A human resources partner can usually determine whether a candidate is a culture fit and is knowledgeable about the company itself. While useful, these findings can’t reveal whether the applicant has the skills and experience needed for the position. How can you tell who understands encryption and hashing, working with VPNs, and analyzing logs and data coming from many sources? Is IAM the same thing as Active Directory Services? What is the difference between identity and access? What is the CIA triad and why is it so important in security? Why AAA? Are information security, IT security, network security, and cyber security all the same thing?
The terminology and “buzz” words of the industry are confusing to most non-technical staff and can even throw less-experienced information security technicians. Using technical evaluation platforms is only nominally helpful, because of their general approach. Standard evaluation platforms test for specific skills or present basic coding challenges that aren’t geared to a specific position. Job requirements are specific and interviews should be focused on finding out if the candidate understands how to meet those requirements. Many non-technical personnel will not have the expertise needed to determine if a candidate simply possesses basic knowledge of the specified platforms.
The Derrico Solution
Derrico handles information security, network security, and cloud security screenings, helping employers and recruiters determine the skill level of security analysts, engineers, and architects. In some screenings the candidate did not understand basic security terminology such as the CIA triad and AAA, which prevented a hire in which the candidate would have been learning on the job at the client’s expense. One such candidate had trouble explaining the differences between hashing and encryption. He said he had been studying for his CISSP and knew the buzz words, but had only a shallow knowledge of security overall and of the subject matter needed for the required skill set. Derrico’s technical screeners have in-depth knowledge of security analysis, engineering, and architecture.
Derrico conducts the screenings over the phone and through video/audio calls. Some candidates try to get through a screening by having another technical person take it for them, so the hiring manager or recruiter may ask for a screenshot or a partial video of the screening to confirm that the correct person is taking it. There have been screenings where the “candidate” was moving their lips, but the words never matched the lip movement on the screen and it wasn’t an audio delay. The “candidate” would be looking around without their lips moving while their speech continued.
Derrico has also handled screenings for a security position in which the candidate had no formal training, but was able to dive deeply into vulnerability scanning, pen testing, and working with SIEMs for reporting and analyzing data. The candidate showed excellent knowledge of finding security vulnerabilities and of working with developers and engineers to “plug” the holes in systems and applications to secure the environment. This candidate was hired and excelled in a position handling pen testing and vulnerability management.
Derrico has been conducting technical screenings for the last two decades. We understand security and the specialized assessment of security analysts, engineers, and architects who work with data centers and handle complex cloud and hybrid environments. Outsourcing technical interviews to Derrico helps you save valuable time, while still ensuring your new hires are a proper technical fit for a highly-effective IT department.