Companies with mature security organizations are building in-house, offensive security teams. With the effectiveness and business value of an expensive and strategically important operating unit hanging in the balance, preparation will pay off.
Plan Far Ahead
Building an in-house Red Team is non-trivial in terms of time, brainwork, and monetary expense. Implementation of a Red Team in an unprepared organization is likely to do more harm than good and will poison a very small talent pool. Expect to spend eighteen months or more preparing the organization and searching for security talent, and another six months before the team is fully effective and performing regular assessments.
Assess Organizational Accountability
Structural changes may be needed to maximize the value of your new Red Team. It is inappropriate for a security team to report to any entity it may perform an assessment against. In publicly traded companies, Red Teams are expected to secure the organization, and by extension shareholder value, and therefore should report directly to both the risk component of the board and company legal counsel.
Without appropriate accountability structures and security policies, assessments are nearly pointless. Red Mesa has seen the fallout of this, when a large client regularly allowed executives to violate policies around personal electronic devices, social media, and other items. While the practice caused several minor security incidents, it continued until most of the security team submitted their notice. Setting off a costly employee churn spiral is easier than one might think when dealing with resources who are eternally being recruited by other firms.
Offer a Career, Not a Job
A role with no upward path will be treated accordingly by all parties. While the role may be filled if enough PTO and money are on offer, the Red Teamer will always be looking for their next opportunity, and rightly so.
Commitment to employees is at a premium. Use this to your advantage by developing sincere and realistic career paths within the company which leverage the deep technical and organizational knowledge a senior Red Team engineer will accumulate over time. This will require development of ascending roles for those employees who look forward to dedicating more time to research or those who find their next challenge in leadership.
Prevent Adversarial Relationships
Red Teams are generally met with some level of anxiety by those being assessed, and understandably so. These highly skilled engineers are paid to find vulnerabilities, and they inevitably will. One critical task for any company planning to stand up an offensive security team is to prepare other teams for their arrival. Set expectations far ahead of time, clearly communicating the fact that no personnel will be targeted professionally or politically in the wake of an assessment report. Educate the entire organization on the positive impact and learning opportunities that will be afforded by this new addition to the company.
Develop Appropriate Team Specifications
When developing these roles, consider the function of the greater team and the technologies they will be assessing. Red Teams should include at least one subject matter expert each from the digital, social engineering, and physical security disciplines. While these people should be experts in one discipline area, they should also be cross-trained and able to render project assistance in the other two. The minimum size for a Red Team is four engineers; the maximum that makes sense, even for multi-billion-dollar technology intensive organizations, is seven engineers. The mix of skills on the team can be weighted depending on the threat environment and technology base, adjusting the number of experts per discipline to meet anticipated needs.
Take particular care in your selection of the team leader. This role is critical to both the function and retention of any Red Team. The team leader does not need to be the strongest technically but does need to be able to assist when needed. They need to be the top salesperson for the team, proffering their services across the organization. They must be a shrewd politician, heading off attempts to use assessment results as a cudgel against business rivals and bandaging inter-departmental wounds. Most importantly, they must be unwavering in their support for their team, to the point of being fired for their resolve. This will be covered more in our next blog post “How to Keep a Red Team.”
Define a Skills Assessment Methodology
One can only ascertain a limited amount of information about a candidate’s skills through resume inspection and interviews. Even a long list of professional certifications provides very little insight. Technical skills for highly paid, sensitive security roles should be directly assessed by prospective employers. Third-party services exist for exactly this sort of purpose, but be careful about who is selected for this task, as only very few third parties understand the needs of a Red Team. It is best to use top-level internal engineers to help develop an organization’s assessment modules for a more tailored interview experience.
Optimize Recruiting and Onboarding Processes
Security resources are limited and will not stay on the market long. We have seen more than one candidate drop out during a particularly inefficient onboarding process at other companies, even though some documents had already been signed, office equipment ordered, etc. All the candidates you are recruiting are being recruited in parallel by other organizations and will be until they retire. They will generally not wait patiently through a long recruiting and onboarding process because they simply don’t have to.
Optimize these processes for speed and accuracy. Five interviews is too many. Twenty hours spent on a skills assessment is too much. Two weeks to get equipment and login credentials is too long. Candidates who make it to the meet-the-team and skills assessment stages should look like a ninety-nine percent probability of an offer, or they should be released from the process to pursue a better fit for both sides.
When candidates are considering a role with Red Mesa, we follow this basic approach:
Initial Phone Interview
Do not attempt skills assessment or small talk; both are a waste of time at this stage. If appropriate preparation has been undertaken by the recruiting team, the candidate is already assumed to have the right technical background and skill set. The interviewer should work within thirty minutes to discover:
- Desired career trajectory
- Desired net new skills training
- Favored work environment
- Ability to carry on a conversation with a total stranger
A skilled interviewer should also be ready to share granular details about the organization and role including:
- Compensation package
- Stage of company lifecycle
- M&A activity
- Technology base
- Accountability structures and reporting chain
- Turnover history for the role
With this minimal set of information exchanged, both parties can make an educated decision on whether to move to the next stage.
Meet the Team
To the extent that it is medically safe and geographically feasible, candidates need the chance to directly interact with the existing team. Ideally this would involve lunch or coffee, as the attendees should be allowed to relax in a more natural setting. Red Mesa has used outdoor spaces, gun ranges, and restaurant patios in the past. Do not use a conference room or other such “business” spaces. We have found that even popular chain coffee shops are more akin to workspaces currently, so make your selection out of desire for a positive outcome rather than desire for convenience.
Allow the participants unstructured interaction and give the candidate plenty of room to speak. Security engineers will get a good idea of each other’s strengths and quirks quickly. If the existing team reaches consensus on a candidate, the organization can move on to the last stage.
Skills Assessment
This is the time to test the strength of the candidate’s declared skill set, not its mere existence. The chosen mode of skills assessment should be directly applicable to the likely technical work and should be staged to allow progressively more difficult tasks. It is appropriate to ask candidates for a short assessment report as long as the requirements are well defined and designed to sharply limit the length and complexity of the deliverable.
If the results from the skills assessment phase are in line with expectations, background checks are performed, formal reference calls are scheduled, and offer letters are drafted.
Focus Your Search
The best referrals will always come from existing resources. Circulate the new role specs internally in parallel with other recruiting activities and give priority to candidates identified by their potential future coworkers.
If you elect to partner with an external recruiting agency, only accept candidates that fit your criteria. Remember, recruiting agencies’ interest is to place candidates at all costs. Be wary of non-conforming “what if” candidates; they are rarely worth interview time.
Protect Your Reputation
Every candidate you touch can be your ambassador or your loudest critic in the small security talent pool, depending on how they are treated. Mutual respect will buy a lot of good will. A good way to show a candidate that you are serious is to be personal in your outreach. Before making contact, review their LinkedIn profile and any portfolio work they present online via personal websites or developer exchanges. Explain why you think they are likely a good fit in specific terms.
Be transparent about the likely nature of day-to-day tasks. Nothing gets around faster than a bait-and-switch scheme that results in a hacker being stuck doing work that is outside their expertise or far beneath their skill level.
Do not attempt to play poker with compensation. Not only do these candidates have other offers lined up, they are often smarter than the people with whom they are negotiating. Be transparent with compensation and career path on the first call. We have seen gamesmanship from hiring managers at other companies lose several great candidates. Worse still, tales of these failed negotiations came back to Red Mesa via other completely disconnected channels.
Treat each candidate like a person. Even if they don’t fit, they probably know someone who will. Make a human connection, establish your positivity as an organization, and never conclude a first interview without asking for candidate referrals.
Take a More Holistic View
A functioning offensive security team often exposes much more than technical vulnerabilities. By the nature of its work and reporting chain, it will reveal cultural attitudes toward security and organizational readiness for secure operations.
Author: Nick Jeswald, Director of Corporate Development, Red Mesa