For cyber security engineers, working for Whitehall fails coolness test
MoJ blog argues the best cyber security specialists should be incentivised and encouraged to shape departmental security practices “along the lines they feel comfortable”
A senior Ministry of Justice security leader has expressed the department’s frustration at the difficulty in hiring security engineers with the most appropriate skills for the job.
In a piece written by an anonymous recruiter and posted on the MoJ’s Digital & Technology blog, the author says the department is looking for people with ethical hacking experience to hack its own systems.
What it is not looking for in a security engineer, the blog says, is people who, on the back of “countless years of experience… with hundreds of assessments… they know to deliver a templated report that looks like a list of results from an automated scan. Their client expects it, which means their risk team is happy, everyone’s backs are covered and everyone gets paid. Happy days.”
The blog recounts how ten candidates have been interviewed in three months for a security engineer role.
The blog points out, “Anyone who’s done enough recruiting as a specialist in their field will know that (unless your organisation is constantly attracting a specific type) candidates often reflect the state of an industry.
“If I were to go with trend, the first few candidates would indicate that a lot more ethical folk want to hack, rather than hacker folk wanting to be ethical,” it adds.
The blog goes on to express disappointment in what the department was hearing from candidates.
It says expectations from the department of the candidates were for them to offer a “combination of consulting and architecting experience, with a massive entrée of penetration testing ability, preferably with a niche area of expertise in networking or crypto or web application development. Real stars in the field!”
Having received applications from people who knew what the “nmap” network auditing tool is, the department brought candidates in and asked them “unassuming” questions about information gathering in a penetration test.
The blog said, “With each subsequent candidate starting their answer with ‘Nessus’, my heart sank.” (Nessus is a popular vulnerability scanner.)
The blog then explained how the department decided to change its approach to advertising its vacancies.
“Apart from advertising on the usual places, we took to our intended audience; Hacker News, the International Association for Cryptologic Research, IRC and forums, conferences, you know, where redditors, academics and technical people hang out. Did it work? Sort of.
“We got a couple of fantastic CVs from Morocco and Sweden but the candidates weren’t able to relocate.
“Not all was lost, though. We found some solid mid-level folk, with experience and understanding, who could’ve easily progressed to the senior role in a few months. But industry stepped in and scooped them all up because we all know how much more rewarding it is to secure an investment bank over the justice system (not!).”
The blog suggests there are both ‘easy’ and ‘hard’ lessons to learn from the hiring exercise.
The easy lessons, it says, are:
- Do not lower your standards, even if you must lower your expectations.
- Design technical tests that are geared to show understanding over knowledge.
- Look for enthusiasm and logical ability above experience. Experience can be built, tunnel vision remains just that.
- Show interest in training your candidates and talk about opportunities to participate in conferences and meet-ups.
- Introducing telephone sifts as part of the process would save time at the interview stage.
- Civil service recruitment is a challenging operational process, especially when recruiting for specialists in high demand.
The harder lessons learnt, the blog says, are that “security-minded folk who can think originally still don’t think working for government (which is not all about intelligence agencies) is cool.
“And for good reason; some see government IT to be a massive legacy monolithic monster (partially true) where they will forever be in a dank corner, trying to troubleshoot memory issues in some mid-90s middleware, and be valued by how many colour-coordinated reports they can churn out (not true).”
The blog suggests that it is “up to us to give them the freedom to use their creativity, and put to use what they’ve traditionally done purely for the kicks. We need to incentivise these talented people with (nearly) free rein, explain the stakes to them, let them shape security practices in a department along the lines they feel comfortable.”
It argues that government should go out of its way to make security roles as attractive as possible to these specialists.
“Let them work flexible hours, let them work from (nearly) wherever they want. They already have the expertise to know what goes in a good policy and what broken guidance looks like. Let us show them how their efforts can make a difference.
“If not, they can just win MoJ’s Capture the Flag event at this year’s 44con, and I’ll offer them a job, or failing that, a small prize.” (Though normal recruitment processes will apply.)