The Black Hat and DEFCON security conferences wrapped up last week in Las Vegas. Most of the media attention was (naturally) focused on the content of the presentations – including talks on the security of consumer electronics, automobiles and, of course, on the privacy implications of the recently revealed NSA surveillance program PRISM.
But for the companies that pay money to send staff to these shows, the content of the talks is only one draw. Black Hat and DEFCON also serve a lesser-known but equally important role as magnets for some of the world’s top talent in obscure disciplines like reverse engineering, vulnerability research, application security analysis and more. Come August, any organization with a dog in the cyber security fight (and these days, that’s a lot of organizations) is in Las Vegas for a chance of meeting and hiring that top cyber security talent.
What do companies that are in the business of employing talented hackers and IT security pros look for when they hire hackers? I had the chance to sit down at Black Hat with three executives who have lots of experience doing just that: the three Chris-es (Wysopal (@WeldPond), Rioux and Eng (@ChrisEng)) of Veracode Inc. Contrary to accepted wisdom, the three agreed that hiring security “rock stars” was often not the best move. “The last three or four people I hired have just been solid individuals, but they are not high-profile, ‘out there’ people,” Eng told me. “They come from a development background and got into security through that, so they have a good perspective, and then they have some experience with static analysis, which otherwise they’d have to ramp up on,” he said. “A lot of time those kind of people fly under the radar and you can find a lot of diamonds in the rough,” he said.
Of course, hiring talented hackers is just the beginning. Once you have them on staff, you face the even more daunting challenge of integrating them into your staff. It goes without saying that the qualities that make someone great at breaking stuff don’t often live happily alongside qualities like “team player,” “takes direction well” and “works well with others.”
“It’s tricky, because companies in the security industry are generally filled with really creative people. Understanding and defining success in a security company is pretty different – personal success as opposed to business success. So getting them to understand how to bridge that and how managers can help achieve both goals is really important,” Rioux told me.
Check out our conversation by clicking on the podcast link below to listen on Soundcloud.com:
Or to listen to the podcast streamed from The Security Ledger: