There are vital considerations to keep in mind when hiring personnel to lead the charge with cybersecurity. Finding the right DevSecOps people can be a challenge, but it’s not impossible.
You can purchase DevSecOps tools, but you can’t buy a DevSecOps culture. For that, you need a skilled team to build the culture and give it life. Your team members are the ones who will drive a continual improvement mindset as much as the day-to-day operations. Here are 20 tips for federal organizations that are ready to prioritize cybersecurity and build out a team.
1. Know your needs. Home in on your team’s specific needs before posting a job or recruiting. If you don’t know, ask current staff. Prioritize the skills that will be the most impactful and give thought to the kind of person who would succeed in your environment.
2. Don’t get caught up on the DevOps buzzword. There are different interpretations of what DevOps is, and DevSecOps is a relatively new term, so you’ll need to sleuth out skills and qualities instead of looking at titles or specific mentions of DevSecOps.
3. Be flexible. DevSecOps requires broad technical skills and an understanding of a nimble approach to software development and security. You may want to seek out a generalist with a passion for development and customize your approach to fill the gaps in your team’s skillset.
4. A word about requirements. You may miss out on seeing great candidates if your position requires a technical degree in engineering or computer science. Some of the best engineers didn’t go to college, finish their degree or major in computer science. The quality of work experience matters more here than formal education, and I encourage hiring managers to consider this during recruitment.
5. Look for industry certifications. Certifications like AWS, Kubernetes, Cisco, CompTIA and Microsoft may say more about a candidate’s training than a degree does. They show a desire for continuous learning and indicate that this person has specialized training.
6. That being said, focus on relevant certifications. Accreditations by AWS, Google and Microsoft provide a basic understanding of cloud computing, DevOps and basic security methods. This is something to look for during the process. Pro tip: be sure to validate their expertise through a good technical conversation and scenario-based questions.
7. Trust but verify. Check references and certifications to ensure your candidate really can do all that they claim on their resume. Confirm that their knowledge is current and use this time together to determine if they have a personality that suits your team’s needs.
8. Sometimes the right fit is someone who disrupts the status quo. Don’t shy away from those who have a vision, especially if change management is part of what your organization needs.
9. Look for soft skills. DevSecOps requires creative thinkers who get along well with others. Look for a willingness to learn, as well as problem-solving skills and the ability to work independently.
10. Prioritize communication skills. Having excellent communication skills is critical to building a DevSecOps culture and will benefit your organization in the long run.
11. A word about tech challenges. If your goal is to hire someone who will help build a DevSecOps program, consider a cultural challenge that tests how the candidate responds and solves problems. A tech challenge is great, but it is often a time-constrained scenario in a high-stress setting, so don’t put 100% of your weight on it. Some of our best engineers struggled with the tech challenge portion of the interview.
12. Veterans get it. Veteran candidates often have the clearance and cybersecurity experience needed, even if they don’t have the degree or certifications. Just as importantly, they have a mission-focused mindset that attacks a problem head-on.
13. Look beyond typical recruiting sites. DevSecOps hiring may require delving into interest-focused sites, like GitHub, rather than hiring-focused ones like LinkedIn. Another great way to source talent is to attend meetups or simply network at the big industry conventions, albeit virtually. See #14!
14. Work your network. Attend industry networking events and meet-ups; they are a ripe opportunity to discuss your vision for a DevSecOps team and identify the skills you need.
15. Go beyond salary and benefits. Since government agencies can’t compete with industry salary numbers, it’s better to acknowledge limits and focus on other benefits like the opportunity to grow technical skills and work on projects of significance.
16. To understand your candidates, understand DevSecOps. DevSecOps recruiting and hiring is different from other positions: the people involved need to understand the DevSecOps mindset and skillset. Stay in touch with your organization’s technical challenges so you can tell when additional team members are needed to meet what you and your team see on the horizon.
17. Don’t just hire new personnel, invest in their long-term success. Commit to teaching your new hires the skills they’ll need for the next position. Give them a mentor or guide to help them get acclimated to your culture and the work. Check in and ask what they need to be their best.
18. Provide opportunities. Give new hires a shot on juicy projects where they can contribute their knowledge and learn from others or try out developing skills.
Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected] And to read more from our summer/fall 2021 Cohort, here is a full list of every Featured Contributor during this cohort and a link to their stories.
Hayden Smith is a senior engineer with Anchore, a software container security company. Currently, Smith leads developer projects across the Defense Department (DoD) and numerous federal agencies to help government organizations adopt DevSecOps best practices. His work includes building and automating Platform One, a collection of hardened and approved containers for use across agencies.
Smith’s dedication to advancing safe cloud-native development practices has helped him guide, empower, equip and accelerate DoD programs through their DevSecOps journeys. Prior to joining Anchore, Smith was a DevOps and infosecurity technologist with Booz Allen Hamilton, where he worked extensively on FedRAMP compliance. You can connect with Anchore on Twitter and LinkedIn.