Security breaches occur so often now that it’s a rare week when one doesn’t make the headlines. Companies that hope to have a chance against these constantly evolving threats need to be hiring a new type of security professional, said a panel of security experts and practitioners at the recent MassTLC Security Conference in Boston.
For instance, at online marketplace Care.com, which collects sensitive customer information, the security officer role requires security and business expertise, said panel member Dave Krupinski, the company’s co-founder and CTO. The head of security has deep understanding of technology and security practices and a deep knowledge of the business’ digital and physical assets.
“[The security officer] is aware of our asset landscape, where all these assets are, and also aware of the threat landscape, where threats may be coming in,” said Krupinski.
Gerry Beuchelt, CSO at Demandware, a software technology company, agreed that companies need to hire security experts who have a deep technical understanding of the type of assets they are charged with protecting. “Do you want them to go down the application security path? [Then, they] need to know how to code,” he said.
Companies that are looking for candidates with both broad and deep functional expertise, however, are going to have to be more “creative” in their hiring processes, according to panelist Josh Feinblum, vice president of information security at cybersecurity firm Rapid7.
“I’d say focus less on the ‘I’ve had four years of experience being a security engineer,’ and more on the ‘I’ve scripted things; I’ve automated things,’” he said, adding that he is probably the exception when it comes to security certifications: “If I see a CISSP on a resume, I almost disqualify the person.”
Care.com’s Krupinski agreed that someone who has had hands-on experience in the technology, particularly DevOps, a discipline which tends to be “more proactive about security,” is a more attractive candidate.
“You do want people who are very, very hands-on, familiar with the technology stack you’re working in, and also familiar with automation and [developing] tools and technologies that can simulate threats and that are running on a continuous basis against your systems,” he said.