Even when skill sets are defined, it can be a challenge to find engineering talent that has the chops to do what it takes to keep your company secure.
Hiring cybersecurity engineers comes down to finding a specific blend of hard and soft skills, plus lots of intuitive management, and that blend is not easy to find given the cybersecurity talent shortage the market is experiencing.
Demand for cybersecurity talent has risen sharply as the technology industry realizes the critical importance of security in organizations. Once limited primarily to the government and the defense industry, cybersecurity has spread across all industries and company sizes. This means an increase in hiring for specialized roles within all types of businesses. In fact, the number of cybersecurity job postings has grown by 94% since 2013.
So what are the skills that the next generation of cybersecurity engineers need in this fast-changing environment? And how can employers most effectively evaluate security engineers in the recruitment process?
We interviewed security engineering expert, Wiktor Kierzek, to get his take on the rise of cybersecurity, what hiring managers should be looking for when hiring for security engineers, and how to address the cybersecurity talent shortage. Wiktor also collaborated with us on a package of cybersecurity tasks designed to evaluate candidates for these roles in the recruitment process – live now in the Codility library.
“I love that security is not only about the code. It’s everything from the physical security of the company’s infrastructure, through network and server security, to employees’ awareness about possible threats.”
Wiktor’s interest in cybersecurity kicked in long before the current security wave resulting in a cybersecurity talent shortage, and as he said, “before HTML5 really kicked in, in the era of Adobe Flash Player.” He learned how to code for Flash and ActionScript 3, and eventually started working as a Java developer. For the next couple of years, he would read security blogs to educate himself, and in 2015 he finally got the chance to work as an Application Security Engineer.
In speaking to Wiktor, we learned not only about his passion for security but also his view on the market demand for cybersecurity skills.
What are the broader goals of the work that you do on a day-to-day basis?
Working as a security engineer in the financial sector means that every day we literally try to save our customers’ money.
“Every once in a while we even help to catch the bad guys. But on a daily basis, our tasks are often less exciting.”
We monitor the security of our users and systems, perform penetration tests or work with development teams to help them apply the best security practices throughout the whole development process. It can sometimes be tedious work but you have to stay focused as even a small security flaw might be potentially exploited.
Is it difficult to become a security engineer?
Becoming a security engineer is not easy. Assimilating the appropriate knowledge can be overwhelming for some at the beginning and it definitely helps to have experience in software development or DevOps.
The recruitment process looks very similar to recruiting software engineers—the most important part is the technical interview and coding assessment which the candidate can complete remotely at home. I think almost anyone with the right amount of curiosity and motivation can be successful in the role.
What are the top skills of a security engineer or an application security engineer?
Two things: a hacker mindset and the ability to think outside the box.
“A good security engineer has to be able to identify the system’s vulnerabilities, estimate risks and then help to address the issues.”
Programming skills are also very handy for creating new custom tools and reading code, especially in a new language or technology. Broad knowledge of protocols and standards along with the willingness to understand how they work are very important too.
And last but not least—the soft skills. Security engineers often have to conduct training both for tech and non-tech people so they need to be able to explain even the most complex technical topics to everyone.
How do you evaluate potential candidates vying for a security engineer position?
First things first. We start with a technical interview to determine if the candidate has the knowledge and technical skills required for the role. The next step is always a coding assessment in the form of a few tasks that test the candidate’s skills in application security.
On that note, let me plug the recent package of tasks which Wiktor created with us, designed for evaluating how your candidates would deal with preventing hostile attacks aimed at web applications. If you’re hiring for security engineers, book a demo with us to learn more about our approach.
What do security engineers expect from their dream jobs?
Primarily security engineers expect—and thrive on—challenges. Most of them have worked as software engineers or network/infrastructure engineers and they still want to create, learn and use new technologies. Of course, they also expect education opportunities, too, such as ongoing training and access to technical conferences.
What would you say is the biggest challenge in this job?
Staying informed and alert every day is critical for security engineers.
“You never know when something new will hit and it can put your entire business in jeopardy.”
Staying up to date with current threats can be very challenging though.
Every few months a new web framework can pop up; every few weeks a severe security bug can break out; and every day many new risks are discovered. It takes specially skilled people to manage the current situation as well as project possibilities that could make their company especially vulnerable both in the short and long term.
What advice would you give hiring teams recruiting security engineers if they experience a talent shortage?
I would tell them to not be so strict about the required experience.
“There may be aspiring developers or admins who have an interest in security and could make great security pros given just a little support and the appropriate training.”
Employee dedication and interest can go a long way when staffing for your cybersecurity team.
What do you think is going to change over the next 5 years for security devs or around app security?
I expect a huge move to the cloud. You can see movement already and in my opinion, it will continue over the next few years. And we’ll have to be prepared for all the completely new risks that come with it. One challenge is many different clients sharing the same physical machines. We all have heard about Intel’s CPU bugs—Meltdown and Spectre—and this might be only the tip of an iceberg.
“The second change that I can see coming is the move from desktop to mobile. We rely so heavily on our smartphones and it just makes sense that we have to take care of mobile security.”
Companies all over the world are facing a cybersecurity talent shortage, which puts them in continuous search mode to find potential candidates who are skilled and experienced security professionals. Promoting career mobility, supporting aspiring developers, using coding assessments and providing the right training will go a long way when it comes to successful security engineer hires. In a world with a growing number of cyberattacks, the effectiveness of your recruitment process and onboarding tactics plays a greater role than ever before.
To learn how effective technical interviews and coding assessments can help you fill the cybersecurity talent gap, book a demo with us today.