How to hunt security professionals
Sooner or later in the life of every HR, HE appears... the security professional! And how to approach hunting people for this position is usually unclear.
The fact is that a security specialist is a rare beast. In IT companies they are usually hired at a rate of 1 person per 80-150 employees, and in non-IT companies this ratio is even lower. Security is also a very heterogeneous field with many directions, and specialists in one of them often have near-zero experience in another. In addition, when writing a resume in Russian, some security specialists use the language of Russian state security, while others use international terms, which adds further headaches for recruiters.
As a result, HRs often approached me with vacancies that did not match my profile, HR acquaintances asked me for consultations, and at my current job an HR came to me with questions like "What should I look for when reviewing resumes?" No complaints about them here: when you first look for a specialist in one direction or another, it is quite reasonable to have a lot of questions. And information security is a very specific field in terms of hiring, with many pitfalls; it is not for nothing that in many large countries Security Recruiter is already beginning to be perceived as a separate profession.
Therefore, I decided to try to create a guide for HRs who have not yet hired security specialists: what areas exist in information security, what to pay attention to when reviewing resumes, what skills and experience are needed for a particular position, from which directions a transition will be painless, and so on.
Thanks to Mikhail Demidkov for reviewing the article from the recruiters' side
Let me make a few reservations and explanations right away:
Although I asked specialists immersed in the relevant field to review all sections, any corrections and additions are welcome.
This article in no way claims to be the ultimate truth or an instruction manual for recruiters who regularly search for security professionals. Rather, it is a general introduction to hunting security professionals for those who are not familiar with this topic at all. Therefore, I do not plan to cover areas of information security that exist only in information security companies and regulatory information security bodies; recruiters there are usually deeply immersed in the context and, I think, better oriented in the issue than I am.
Not all areas have established job titles, and sometimes the same titles are used for different positions. Therefore, I will try to provide the full list of resume/job title options. On the other hand, many fairly close positions had to be combined into one group so as not to inflate an already large article.
The first item in the description of each position, "skills/tags", lists anchor points that HR can cling to when viewing a resume. The candidate's resume does not need to contain the complete list, but the more matches, the better.
Not all areas have good certifications. Where they exist, I will try to indicate the most relevant ones for the position; a more complete list is available at https://pauljerimy.com/security-certification-roadmap/. I will indicate certifications that are common for the field, for both Junior and Senior level roles. If you decide to create a job posting based on this article, check which ones are suitable for your role.
Transition between individual information security areas is quite possible, as is searching for employees in non-information security areas with relevant experience. But for this transition to be comfortable for both the employee and the company, it must be done carefully. Therefore, for each specialty I will also indicate the roles from which a transition to it is most comfortable.
The "/" sign in the article shows that the listed software, hardware, and job titles can be considered together: these may be names for the same thing adopted in Russian-speaking and English-speaking environments, grades within one direction, specialties between which the transition is as simple as possible, etc.
Cybersecurity Specialist / Information Security Specialist / Security Administrator
Skills/tags: network administration (firewall, VPN, remote access, IPS / IDS / intrusion detection system / intrusion prevention system), antivirus, DLP / ISPD (information protection tool against unauthorized access), implementation of security measures, operating systems administration - Windows, Linux, MacOS (depending on the company's use), incident response, pentest experience, participation in CTF, hackthebox, tryhackme, SIEM administration (the larger the company, the more critical), knowledge of basic regulations (for Russia - PP 1119, 152-FZ... for the global market - GDPR, ISO 27001, NIST... for fintech companies - PCI DSS).
Certifications: any certifications in information security from other specialties in this article.
Easiest transition from roles: technical support specialist, system administrator, DevOps, other information security directions from this article, except AppSec and Web3 Security Researcher.
Let's start with the basic role that all companies come to when they cross the threshold of 100-150 employees. At this point, the first information security specialists appear in the company, and until the team reaches 3-4 people there is usually no strict differentiation of roles among them: companies look for a jack-of-all-trades. In this position, a person often implements new security measures, monitors security events, conducts pentests, and checks the company's documentation and information systems for compliance with legislation. On the one hand, the knowledge required is as broad as possible. On the other hand, it may not be at as high a level as in other positions. Therefore, this position is often an entry point into the profession from other specialties, and it is quite easy for specialists from different areas of information security to transition to it; it is also possible to move from it to a narrower specialization.
SOC-engineer / SOC L1 / SOC L2 / SOC L3 / Security Operations Engineer / SOC Analyst / SIEM Engineer / Incident Response Specialist / Threat Detection Engineer / Defensive security engineer / Security Monitoring Specialist / Blue team engineer
Skills/tags: knowledge of operating systems - Windows, Linux, MacOS (depending on those used in the company), log reading, incident response, incident investigation, SIEM administration, SOAR, IRP, log collectors and monitoring systems (Syslog, Zabbix, Grafana, etc.), use of playbooks, administration of information security tools (firewalls, Anti-DDoS, IPS / IDS / intrusion detection system / intrusion prevention system, DLP / ISPD (unauthorized access protection tool), antiviruses), basic knowledge of programming languages (usually Python) and scripting languages (bash, PowerShell), basic knowledge of networks and network protocols, tryhackme, cyberdefenders, letsdefend.io.
Certifications: for Russia - vendor certificates of SIEM systems. In the global market - SSCP, CompTIA Security+, CCOA, GSEC, GSOC, CCD, CSA, CTIA, ECIH.
Easiest transition from roles: DevOps, Cybersecurity Specialist, Cybersecurity System Engineer, Monitoring Engineer.
This is a case where everything had to be combined under the flag of "Incident Detection and Response". In general, specialists in this direction are also quite versatile people, as they need an understanding of all the information security tools whose logs they analyze. And if the company does not outsource the implementation of these tools, then they are often configured by the security specialists themselves. But with all this, the main skills for this direction are, of course, analytical thinking and the ability to analyze logs, detect incidents in a timely manner, and respond to them.
Thanks to Vladislav Tretyakov for reviewing the section
Pentester / Penetration tester / Red team engineer / Offensive security engineer / White hat engineer / Vulnerability Management Engineer / Ethical hacker
Skills/tags: knowledge of server operating systems - Windows, Linux (depending on the ones used in the company), basic knowledge of networks and protocols (not only network ones), Kali Linux, Parrot OS, vulnerability scanners, security control and analysis systems, vulnerability search, vulnerability management, basic knowledge of programming languages (usually Python) and scripting languages (bash, PowerShell), participation in CTF, Bug Bounty, hackthebox, tryhackme, Standoff365, social engineering, OSINT, OWASP Top 10, CVE, BDU FSTEC.
Certifications: for the Russian Federation - none. In the global market - CompTIA PenTest+, CEH, GPENT, GWAPT, GXPN, GCPN, GEVA, OSCP.
Easiest transition from roles: QA, System Administrator / Software Engineer / Cybersecurity Specialist, Cybersecurity Engineer, System Engineer, OSINT Specialist.
Again, these are specialists with a fairly wide range of skills: in order to break a system and see its vulnerabilities, you need to be familiar with that system.
The most famous area of information security, about which films, series, and games are made. The popularity of the direction has brought many features to it that recruiters should be aware of.
A large number of online schools have opened courses in this direction over the past couple of years, so a stream of juniors is expected soon, both for QA positions and for programming.
This is the area of information security that has its recognized "hackathons" - CTF. Participation in them is highly valued in the professional environment. However, it should be noted that the ability to solve CTF tasks is similar to the ability to solve programming olympiad tasks - it increases the likelihood that a person will do the job well, but does not guarantee that they will be able to apply "olympiad" skills in a real "combat" situation.
There are globally recognized training platforms like hackthebox and tryhackme. On the global market, links to accounts on these platforms are often included in resumes, on LinkedIn pages, etc. Junior specialists do this especially often. In Russia, local platforms are gaining more and more popularity, but most of them do not provide public account statistics, so there is no way to attach a link yet. Probably the closest analogy for those who have hunted programmers is LeetCode. Again, this, like CTF, is something close to olympiad tasks.
For specialists in this profile, there are peculiar freelance platforms: Bug Bounty programs, in which various companies invite people who are not on their staff to find vulnerabilities in the companies' products. The most famous platforms are HackerOne, Bugcrowd, Synack, Intigriti. In Russia, perhaps the largest at the moment is the platform from Positive Technologies - bugbounty.standoff365.com
System Engineer / Network Security Engineer / Endpoint Security Engineer / Cloud Security Engineer / Implementation Engineer / Network Security Specialist / Endpoint Security Specialist / Cloud Security Specialist / Information Security Implementation Specialist
Skills/tags: administration of operating systems - Windows, Linux, MacOS (depending on the company's use), network knowledge (firewall / VPN, remote access, IPS / IDS / intrusion detection system / intrusion prevention system), antivirus, DLP / ISPD (information protection tool against unauthorized access), implementation of information protection tools, knowledge of specific manufacturers' products - vendors of information protection tools (the list is very extensive; here you will have to clarify with the team which vendor's products are a priority).
Certifications: for Russia - vendor certificates for ISPD (most major ISPD manufacturers certify knowledge of their products; there are too many products to list all the certificates here) and clouds. In the global market - SSCP, CISSP, ISSAP, CompTIA Security+, CompTIA SecurityX (formerly CASP+), CND, CISA, CISM, CCNA, vendor certificates for ISPD and clouds.
Easiest transition from roles: Cybersecurity Specialist, Cybersecurity Engineer, Implementation Engineer (not necessarily ISPD).
Again, a lot had to be mixed into one pile: the listed specialties, of course, deal with different technologies, but the approach to hunting them is more or less the same. And in companies, all these positions are often given the same name without much thought, for example "System Engineer".
There are two options here:
The person will work in an integrator and will primarily be engaged in the implementation of information protection tools.
The person will work in-house, providing support for information protection tools within the company.
In both cases, the employee usually specializes in a certain type of information protection tools (ISPD for endpoints, networks, or clouds) and often even in a specific vendor. Therefore, the most valued is, of course, the experience with the software/hardware of this vendor and the certificates confirming this experience.
Compliance Specialist / Cybersecurity Manager / Data Protection Officer / Information Security Methodologist / Information Security Manager / Information Security Auditor
Skills/tags: knowledge of regulations. The set of necessary regulations depends on the specifics of the company, and the full list is huge, so below I provide a basic gentleman's set with a link to a more complete list for the Russian Federation (there is also a regularly updated article on tekkix that you can look into, although I doubt anyone will put such a detailed list in a job posting. Although... who knows?). And good luck if you are looking for such a specialist on the international market, since each country has its own list.
Regulations: for the Russian Federation - PP No. 1119, 152-FZ, FSTEC Order No. 21, FSTEC Order No. 17, FSTEC Order No. 239, PP No. 127, 187-FZ, GOST 57580, 572-FZ, FSB of Russia Order No. 378... For the global market - GDPR, CSA, DORA, ISO 27001, ISO 27002, ISO 27003, NIST, SOC2... For fintech companies - PCI DSS.
Certifications: for the Russian Federation - none. In the global market - SSCP, CGRC, ISSAP, CISA, CISM, GDEIT, CompTIA Security+, CompTIA SecurityX (formerly CASP+).
Easiest transition from roles: lawyer, system administrator, DevOps, other information security areas from this article, except AppSec and Web3 Security Researcher.
Perhaps the least universal (in terms of geography) area in information security. A person's experience here is entirely tied to knowledge of the legislation of a particular country, and in terms of information security legislation, many countries have been churning out new laws at a frantic pace in recent years. Therefore, if you are unlucky enough to be looking for specialists in this area simultaneously in the Russian Federation, the EU, and the USA, for example, it will be three completely different stories. Yes, of course, the information security legislation of most countries is based on similar principles, and a person who can work competently with legislation will be able to switch from one market to another, but it may take a lot of time to study even the main critical features.
Plus, given the amount of legislation generated on information security, this type of security personnel is additionally divided by the types of information being protected. In the same Russian Federation, the documentation that must be studied to protect personal data, banking and medical systems, state secrets, state information systems, and critical information infrastructure is very different.
At the same time, yes: although technical skills are required in this role, they are not as important here as in other areas. Therefore, in some cases it may be easier and more useful to consider a person with legal experience rather than a technical security specialist, especially if they are from abroad. First of all, this of course applies to small countries outside the EU with few security specialists in the labor market, although even in, say, the Russian Federation this position can be a good entry point into information security for a person with a legal background.
However, the transition from other areas of cyber security to compliance and back is quite realistic, since no matter how technical a person's role is, working in information security means you cannot get away from working with legislation.
AppSec / Application Security Engineer / Application Security Analyst / Application Security Specialist
Skills/tags: DevOps, CI/CD, SDL / SDLC, IAST (Interactive Application Security Testing), SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), Single Point of Truth, knowledge of programming languages (depending on those used in the company) and their main frameworks, code review, OWASP Top 10, OWASP SAMM, BSIMM, design review, code analyzers.
Certifications: for the Russian Federation - none. In the global market - CSSLP, CASE, WAHS.
Easiest transition from roles: Software Engineer, Security Champion (developer responsible for interacting with the AppSec team), QA, Project Manager, DevOps, DevSecOps, Pentester, Blockchain Security Researcher.
Application Security Engineer is a person who is not responsible for protecting the company's infrastructure as a whole, but is responsible for the security of the products developed by the company.
Despite the extensive list of technical skills and the word Engineer in the English name of the profession, the AppSec role is largely managerial. When the first AppSec appears in a company, their main goal is to build processes and integrate security into the development process. AppSec always has enough technical tasks, but in addition to finding vulnerabilities in the code, they also train the team and redesign the application, for example.
Therefore, good AppSecs are often not only programmers or QA with experience in writing secure code, finding security issues, and conducting code reviews, but also Project Managers with architectural vision who can help redesign the applications being developed to reduce the likelihood of vulnerabilities.
There are certifications for AppSec, including from internationally recognized companies that certify information security specialists, but they are not as highly regarded as certifications in other areas of information security (plus, as you may notice, there are far fewer of them than in other specialties).
Thanks to Maxim Mosarov for reviewing the section
DevSecOps / SecDevOps / DevOpsSec
Skills/tags: DevOps, AppSec platforms, vulnerability scanners, GitLab, Docker, Kubernetes, CI/CD, SDL / SDLC, IAST (Interactive Application Security Testing), SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), RASP (Runtime Application Self-Protection), SCA (Software Composition Analysis), Vulnerability Validation, Vulnerability Duplication, OWASP Top 10, knowledge of programming languages (usually Python) and scripting languages (bash, PowerShell).
Certifications: for Russia - none. In the global market - CSSLP, ECDE.
Easiest transition from roles: DevOps, AppSec (Application Security Specialist).
Usually, DevSecOps is defined as AppSec with a technical bias. If AppSec is more of a managerial role, then DevSecOps is mainly technical. It usually appears in the team after AppSec and tries to automate the processes AppSec has implemented. However, the duties of DevSecOps often also include training the team on writing secure code.
As with AppSec, there are certifications for DevSecOps specialists, including from globally recognized companies that certify information security specialists, but they are not as highly regarded as certifications in other areas of information security (plus, as you may notice, there are significantly fewer of them than in other specialties).
It is also worth noting the naming options for this position. As you can guess, the position name is formed by adding Sec (Security) to DevOps (Development, Operations). I should note that this is far from a 100% rule (sometimes the choice of one option or another is simply a regional peculiarity), but often the placement of this Sec in the job title at a particular company reflects the priorities in the specialist's tasks. That is, DevOpsSec is primarily DevOps, SecDevOps is primarily a security specialist, and the most common option, DevSecOps, is a balance between the two.
Thanks to Maxim Mosarov for reviewing the section
Blockchain Security Researcher / Web3 Security Researcher / Blockchain Security Engineer / Web3 Security Engineer / Web3 Security Analyst / Blockchain Security Analyst / Smart Contract Security Engineer / Smart Contract Auditor
Skills/tags: blockchain, smart contracts, smart-contracts, web3, web 3.0, DevOps, CI/CD, SDL / SDLC, IAST (Interactive Application Security Testing), SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), Single Point of Truth, knowledge of programming languages (depending on those used in the company - both basic ones like Python and those used for smart contracts, for example Solidity / Rust / Go / Vyper) and their main frameworks, code review, OWASP Top 10, OWASP SAMM, BSIMM, design review, code analyzers, Bug Bounty, CTF, hackathons.
Certifications: none.
Easiest transition from roles: Blockchain Engineer, Cybersecurity Specialist, Cryptography Researcher, Cryptographer, AppSec, DevSecOps, Pentester.
Most often, even when the job title says “web3” rather than just “blockchain”, it is actually about the latter - in other areas of web3, security positions are closer to classic ones and do not have such pronounced features (except that, in relation to neural network security in recent years, people have started to think about leaks through their output). Therefore, below we will talk specifically about this area.
There can be several approaches to the position - usually, they depend on the size of the company.
If we are talking about relatively large (for crypto-startups) teams, they usually have a separate "general" security specialist (Cybersecurity Specialist), and the Blockchain Security Engineer acts as a DevSecOps engineer with a focus on web3. For this position (in addition to the standard DevSecOps skills), understanding blockchain technologies in general and smart contracts in particular will be important. In this case, due to the specifics of the profession, a person from the blockchain field with experience in developing smart contracts will be even more suitable than any security specialist from outside web3, except perhaps an AppSec or DevSecOps and, possibly, in some cases a Pentester.
If the company grows even more, this role can be further fragmented, and the role of a smart contract Pentester emerges. Here the skills will be similar to those of Pentesters from "classic" security, but, of course, the need to work with Web3 technologies is added. This pentest direction also has its own CTF and BugBounty platforms. For this role, the transition from "classic" information security (for example, Web2 pentest) will not be as painful, especially if the person already has some experience with web3 technologies, for example from participating in Web3 CTFs or BugBounty programs.
If we are talking about a small company, where the employee, in addition to ensuring the security of smart contracts, will also take on the role of a classic security specialist (Cybersecurity Specialist), and an ideally suitable specialist cannot be found, then you will have to decide which skills are more critical for you and which specialist to hire, a security specialist or a web3 specialist. One way or another, they will have to catch up in some areas at an accelerated pace.
Platforms for finding specialists
We have finished with the directions; now let's go through the resources for hunting (not only HH, so to speak...):
https://t.me/dubaicybersec - a Russian-language channel with cybersecurity vacancies. The resource is not very active, but sometimes it revives
https://cyberr.ai/ - a website with vacancies for cybersecurity specialists
https://startup.jobs/ - vacancies in startups
https://web3.career/ - vacancies for the Web3 sphere
https://www.notion.so/aleksei-pyrinov/Remote-and-relocation-job-TG-channels-59920fdbb6a64a8f9ea3789103fcb951 - a large selection of TG channels and bots with remote work and relocation