How to Hire for the Best Cyber Security Incident Response Team

Imagine a stack of resumes towering over your office chair and a calendar filled with interviews stretching into next month. Despite the overwhelming number of candidates, discerning who can handle the heat of real-world incident response remains a challenge. We understand that feeling, because we've been there too.

The Cyber Security Incident Response Team (CSIRT) plays a crucial role in maintaining a company's cybersecurity posture. The CSIRT role demands both technical expertise and strong communication skills. Individuals must communicate effectively, think quickly, develop adaptable investigation, containment, eradication and remediation plans, as well as make split-second decisions during cyber crises. In this post, we'll articulate some tactics that have been helpful when searching for the ideal CSIRT candidate to add to a team.

While traditional behavioral questions can be useful in assessing candidates' skills, they often are met with rehearsed responses rather than genuine experiences. To overcome this, we advocate for scenario-based interviews, a method where candidates respond to live challenges. Just like how security requires instant responses to any incident, you can set up your interviews the same way with situational questions.

Setting up a scenario-based interview

It's important to evaluate a candidate's problem-solving skills under pressure, rather than ask for a retrospective explanation of their actions. Scenario-based interviewing can act as a solution to this conundrum. The Salesforce CSIRT has tested this method with success and we encourage you to try it out in your next interview process. Here's an example of how you can set up the scenario:

The scenario brief

As the interviewer, provide the candidate with a scenario brief, which guides how the scenario works. If the interview were a board game, it would be like reading the rules. The brief covers questions like what to expect from the role playing and what resources are available during the scenario? Encourage each candidate to "think out loud" as this lets you understand how the candidate approaches the scenario.

Once formality is out of the way, dive into the fun stuff! The general order for a scenario looks like this:

1. Introduce the scenario

Immerse candidates in a scenario that reflects potential real life challenges - complete with a backstory, an ongoing attack, an attack timeline, architecture map, business use cases, and contextual elements to advance the scenario.

• Create a scenario that feels like a real cyber crisis - The scenario can unfold from starting at the initial inject, to an overview of the environment and architecture, circling back to the same starting point. Do you want to use opaque vs transparent assessments? The choice is yours.

Lead candidates chat with PoCs, critical individuals who play a part in the incident response plan, who handle communication and coordination after a security incident (e.g. security analysts, leadership, legal, etc). Candidates can also challenge technology teams to dig up information on security evidence directly.

• Set up dynamic challenges - Interview candidates can push all parties for more details, but should prepare for varied reactions from the different personas. Remember, PoCs and environments come with their own quirks, so your candidate's mileage may vary.

3. Assign roles and tasks

There are various roles and tasks assigned in this scenario. Candidates applying for leadership roles should explain how they distribute tasks to the appropriate team based on the evolving scenario. For individual contributor roles, the candidate should explain how they would carry out the task themselves.

• Create a GameMaster (GM) role - Assigning a GameMaster to run the show is crucial for ensuring appropriate management of the scenario. GMs serve as a guide to bring structure and order to the scenario, making sure the team reacts appropriately and information makes its way back to the candidate. They control the PoCs, choose which questions to answer, and manage the entire world the candidates play in.
• Create leadership entities - Decision makers represent executive leadership and business unit owners, each with their own persona and questions they need answered. These individuals play a pivotal role in what we call the "leadership bridge" - more on this later.

4. Make live decisions

Candidates have to make snap decisions, prioritize tasks, and work with their fictional team. PoCs create decisions and ask questions (e.g. "Do you want me to implement that action on the web-app firewall or in code?") to give real insight into how the candidate can process information.

• Ask the right questions - Decision-makers should ask customized questions to capture each persona accurately and progress the scenario. They want answers, and candidates have to deliver. Creating personalized questions allows you to see how the candidate answers to different decision-makers.

5. The leadership bridge

Here's where candidates show their mettle. They have to answer burning questions from the leadership team that show they understand the incident and the necessary next steps to take. CSIRTs should demonstrate their understanding of an incident in order to maintain leadership's trust.

Important skills to evaluate

A CSIRT role is varied and challenging. You need to consider the following skills when hiring:

• Real-world assessment: Candidates face challenges that reflect the job they are expected to do. It helps you see if they have what it takes to tackle real-world incidents and strengths.

We like to think that this is good for candidates too - they can see what the role entails and make an informed decision on if this is the right job for them. Some top qualities to assess for are:

• Communication skills: The leadership bridge phase lets you check out candidates' communication skills. Can they handle different personalities, explain arcane technical nuances in basic language, and do they understand the incident they investigated?
• Stress test: Just like in a real incident, the candidate should demonstrate the ability to make smart calls under pressure.
• Personality check: With many personalities in the room during an incident, you can see who adopts and navigates the human side of incident response.
• Customization: Tailor scenarios to your needs, focusing on the challenges that matter most to your organization and the specialization you're hiring for. For example, compromise scenarios should stay technology agnostic. In the sample we've provided, you can change from "AWS infrastructure" to "Azure", if that makes the candidate more comfortable. However, if hiring for a Subject Matter Expert (SME), lock the scenario to their technology.

Since the implementation of this new approach to hiring, many of our candidates (and internal staff) have advised that this was their first time taking an interview like this. One recent hire stated it was the best interview they had ever taken, saying, "I feel like you really understand where I'm at both technically and behaviorally, and I've found some things I can work on for myself too!"

Practice giving your next CSIRT interview

That's a lot of information and it sounds like a lot of work, right? We're here to help! In addition to the first scenario we created-which is also one we've had the most success with-we've provided the complete scenario documentation below. Hopefully it'll be useful to your team in the hiring process!

Use this sample scenario as inspiration for your next interview

Disclaimer: The above scenario is not based on any Salesforce service offering, infrastructure, or incident, and is a complete fabrication created to facilitate this interview process.

Public link

Please use the above public link if you want to share this noodl on another website.