07/17/2024 | Press release | Distributed by Public on 07/17/2024 11:37
Imagine a stack of resumes towering over your office chair and a calendar filled with interviews stretching into next month. Despite the overwhelming number of candidates, discerning who can handle the heat of real-world incident response remains a challenge. We understand that feeling, because we've been there too.
The Cyber Security Incident Response Team (CSIRT) plays a crucial role in maintaining a company's cybersecurity posture. The CSIRT role demands both technical expertise and strong communication skills. Individuals must communicate effectively, think quickly, develop adaptable investigation, containment, eradication and remediation plans, as well as make split-second decisions during cyber crises. In this post, we'll articulate some tactics that have been helpful when searching for the ideal CSIRT candidate to add to a team.
While traditional behavioral questions can be useful in assessing candidates' skills, they often are met with rehearsed responses rather than genuine experiences. To overcome this, we advocate for scenario-based interviews, a method where candidates respond to live challenges. Just like how security requires instant responses to any incident, you can set up your interviews the same way with situational questions.
Setting up a scenario-based interview
It's important to evaluate a candidate's problem-solving skills under pressure, rather than ask for a retrospective explanation of their actions. Scenario-based interviewing can act as a solution to this conundrum. The Salesforce CSIRT has tested this method with success and we encourage you to try it out in your next interview process. Here's an example of how you can set up the scenario:
The scenario brief
As the interviewer, provide the candidate with a scenario brief, which explains how the scenario works. If the interview were a board game, it would be like reading the rules. The brief covers questions like what to expect from the role playing and what resources are available during the scenario. Encourage each candidate to "think out loud," as this lets you understand how the candidate approaches the scenario.
Once formality is out of the way, dive into the fun stuff! The general order for a scenario looks like this:
1. Introduce the scenario
Immerse candidates in a scenario that reflects potential real-life challenges, complete with a backstory, an ongoing attack, an attack timeline, architecture map, business use cases, and contextual elements to advance the scenario.
Lead candidates chat with PoCs, critical individuals who play a part in the incident response plan, who handle communication and coordination after a security incident (e.g. security analysts, leadership, legal, etc). Candidates can also challenge technology teams to dig up information on security evidence directly.
3. Assign roles and tasks
There are various roles and tasks assigned in this scenario. Candidates applying for leadership roles should explain how they distribute tasks to the appropriate team based on the evolving scenario. For individual contributor roles, the candidate should explain how they would carry out the task themselves.
4. Make live decisions
Candidates have to make snap decisions, prioritize tasks, and work with their fictional team. PoCs create decisions and ask questions (e.g. "Do you want me to implement that action on the web-app firewall or in code?") to give real insight into how the candidate can process information.
5. The leadership bridge
Here's where candidates show their mettle. They have to answer burning questions from the leadership team that show they understand the incident and the necessary next steps to take. CSIRTs should demonstrate their understanding of an incident in order to maintain leadership's trust.
Important skills to evaluate
A CSIRT role is varied and challenging. You need to consider the following skills when hiring:
We like to think that this is good for candidates too: they can see what the role entails and make an informed decision about whether this is the right job for them. Some top qualities to assess for are:
Since the implementation of this new approach to hiring, many of our candidates (and internal staff) have advised that this was their first time taking an interview like this. One recent hire stated it was the best interview they had ever taken, saying, "I feel like you really understand where I'm at both technically and behaviorally, and I've found some things I can work on for myself too!"
Practice giving your next CSIRT interview
That's a lot of information and it sounds like a lot of work, right? We're here to help! In addition to the first scenario we created (which is also one we've had the most success with), we've provided the complete scenario documentation below. Hopefully it'll be useful to your team in the hiring process!
Use this sample scenario as inspiration for your next interview
Disclaimer: The above scenario is not based on any Salesforce service offering, infrastructure, or incident, and is a complete fabrication created to facilitate this interview process.