Cyber Security Blog

What is the most important trait or skill you look for when hiring?

Written by Aditi Uberoi | 25 March 2020

Good security practices and skills are just non-negotiable and because nobody seems to be talking about it, we simply had to.

Almost all books on business leadership and entrepreneurship are replete with quotable quotes on hiring the right people, about how ‘make or break’ this decision can be and about how it’s the people that truly drive business growth. 

Seldom, however, do these books talk of how it’s the people that don’t just guarantee growth but also ensure, and in many cases, affect business continuity. These books also often overlook the fact that it’s the people you hire, albeit the smartest with the fanciest of degrees, who could go and click on a malicious email tomorrow and maybe bring your business down in the bargain. These books talk of how hiring the right people from an HR perspective is important but not about how hiring them from a security point of view is even more critical today. 

Good security practices and skills are just non-negotiable and because nobody seems to be talking about it, we simply had to. 

At the recent Bengaluru Wisdom of Crowds event, organised by Cyber Management Alliance, we got together India’s best and brightest minds from IT and security at the Sheraton Grand Brigade on October 16, 2019. We didn’t lose the opportunity to ask these doyens of India’s cybersecurity world what their take is on hiring the right people and that one trait they look for when they are recruiting. 

 

“Vulnerability assessment and analytics of how the vulnerability will impact your business,” is the foremost skill for Phani Krishna Sunkaranam, Infosec & Data Privacy, Trianz Holdings. He said that cybersecurity experts today are expected to be Jack of All Trades, but this is truly one area that he focusses on. 

“Troubleshooting skills, understanding the environment or business impact and sensitivity to security, these are the things that are most critical,” said Nikunj Desai, Director, Cybersecurity, Microland Ltd and Ravi Kumar Srivastava, CISO, Manipal Health Enterprises, further build on this view. He said that the person whom you’re hiring should have a “security bent of mind.”

Srivastava touched upon the subject of ethical hacking and added that, “the person should be able to outsmart the criminals in that type of thinking. Right now, there is only a reactive approach to security. Instead, there has to be proactive thinking and such a bent of mind will help prevent many security attacks and breaches.”    

Nisha Kesavan, Vice President, Group IT Strategy & Transformation, Deutsche Bank, expressed her belief that the most critical trait today is being dynamic and being able to keep up with changes in technology that are simply inevitable. “If you don’t have the ability to upgrade yourself and your skill set, you’re not going to be a good business leader,” said Kesavan. 

And she’s not alone in thinking this way. Sachin Jain, VP Global Technology, JP Morgan Services corroborated this view. He said that a proactive mindset is absolutely essential today and it’s the first thing he looks for when hiring. Elaborating further, Jain said, “The second thing is seeing whether the person is acquainted with the latest technologies and the third thing is practical experience. Has he/she actually successfully mitigated any incident?”

An interesting dilemma  

Talking of experience, Satyavathi Divadar, Director of Cybersecurity, News Corp brought up a really interesting point and took the discussion in a very thought-provoking direction. She highlighted the fact that availability of skills is a major challenge, not just in India but across the world. “We always need a balance between knowledge and application,” said Divadar. However, she was quick to add that this is a huge issue as people go and get certified, but they have little to no application experience. This scheme of things further limits the number of people you’d like to hire. 

The only way to deal with this shortage, elucidated Divadar, is to start from the college level and add cybersecurity as a skill at the graduate level. 

But then comes another interesting challenge – can these students be taken on as interns and given some practical training? Is any organisation willing to experiment with undergraduate students and risk something as critical as cybersecurity? But if they aren’t given this exposure, how will they get experience of application? It is really a tricky cycle and the industry and education system must evolve to deal with this situation. 

Something to chew on, isn’t it?