What qualities do you look for when you're hiring information security professionals, and in particular ‘hackers'? I won't pretend to be an expert at this, and certainly would prefer you read material from both Cory Scott and Thomas Ptacek on hiring talent if you haven't already. But I think I have a fairly good radar for identifying people that have the knack for being great hackers. Similar to Parisa's post, I don't think this has anything to do with certifications, and in fact, in many circumstances I don't think university degrees matter much either.
I find that two of the most important indicators are creativity and scrappiness. Two different attributes that aren't the easiest to measure. While creativity is not all that surprising (you think people breaking software aren't leverage tremendous amounts of creativity?), scrappiness is a little bit more obscure. Don't worry though, I'm not talking about scrappy or inconsistent work, I'm talking about getting shit done with limited resources. The idea of scrappiness is not all that unique to security, and has been referred to in a number of different contexts, for instance it's often seen as a critical attribute for successful entrepreneurs as well.
Hacking, both building and breaking, wasn't the first industry to leverage these qualities. In fact, we straight up stole them from all the other arts; painting, sculpting, music, writing and so on. As a drummer I find the parallels between hacking and music most interesting. Ask yourself this: how many of the hackers that you respect and network with are also musicians? Chances are a handful. If you're fortunate, it might be even higher. I'm finding that I'm not even that surprised anymore when late into the evening after a few beers (when security conferences get interesting) I'll find that some hacker I'm chatting with turns out to be a bassist or a DJ or an MC.
I definitely consider my approach to both drumming and hacking as ‘scrappy'. What does that mean? Firstly, after studying jazz for a year I spent a lot of time ad-libbing. This ability to think on your toes, or ‘wing it' is critical for both performing as a musician and hacking. Sure, musicians rehearse, or record to a click-track. But you'll find the good musicians are those that in the face of catastrophe can turn it around. Great musicians can recover from screw ups with no one even noticing. The best musicians don't need rehearsals to simply get on stage and create amazing music. Similarly, the ability to respond quickly to changes in your environment are the only way effective hackers can keep up. You think penetration testers just simply give up if they're thrown in the deep end with new technology to break? Of course not. They'll figure it out.
Secondly is that of ‘equipment'. In both music and hacking having top of the range equipment can help, sure, but great musicians (and hackers) can be amazingly effective with shitty equipment too. You don't need to spend big bucks on AppScan (or equivalent) to be great at finding vulnerabilities. In fact, most of the great hackers I know come in with nothing more than their browser and a bunch of hacked together scripts. Similarly, great musos can pick up any instrument and make it sing. I know the best gigs I ever played were often cobbled together with sub-par PA setups and no foldbacks etc. Thanks to open source software everything you need is freely available.
So what are you doing? Wanna be a better hacker, go pick up a guitar, build some tools and put them on Github, or write a short story. I'm also really interested to know about all the different ways you all keep your creative, scrappy parts of your brain ticking!
Brain from Primus drums on a POS kit h/t to @caseyjohnellis for the vid
subscribe via RSS