With organisations around the globe claiming innovative techniques and low prices for their technical testing, the often-overlooked question is: who is actually conducting the test?
While an organisation may make claims about their capabilities, the quality of the outcome is dependent upon the skillset of the person or persons that conduct your test and their ability to communicate the results in a way that helps you mitigate risk.
In this video, David Langlands, Director of SecureWorks Technical Testing, covers the qualifications we look for in our technical testers and the rigorous process candidates are put through to identify not only their skillset but also their ability to communicate and delight our clients.
What you find with many candidates is that testing might be 10 or 20 percent of their responsibilities. We want somebody with fully dedicated experience, multiple years of experience, and perhaps some certifications. And really, not just any certification but we’re looking for somebody that has a practical certification such as the Offensive Security Certified Professional certification, which takes about 100 to 200 hours of self-study at the very least, and has over a 90 percent fail rate.
Many of the certifications that we see in the industry really don’t have a practical component. They don’t actually test the person’s ability to perform these tests. They only test their book knowledge, and some of them are even open book. So really, there are only a few certifications that we look for. The ones that we do specifically hold in very high regard are from the Offensive Security team — OSCP, OSEE and OSCE would be three of the major certifications that we’re looking for. We’re looking for a practical curriculum, something that requires not only book knowledge, and takes you through some course work, but then has some testing that demonstrates that you can actually perform testing.
How does SecureWorks test their testers?
We have our own internal testing program that we put candidates through as a final step to make sure that if they say that they can perform SQL injection, if they can traverse across a network, we’re going to test that. We have a multistage testing process that we put candidates through, and the first stage is working with somebody on our talent acquisition team to really understand the candidate’s capability to communicate, their consulting background, making sure that they fit the profile that we’re looking for. The second stage is really the peer interviews. They’re going to interview with our top consultants — they’re going to ask difficult questions, and if they have the right answers, they can make it to the final stage, which is really a practical test. And it’s not just a simple push a few buttons and pass/fail. We’re actually expecting the candidate to write up a report, and we review the written report to make sure that it meets our criteria for what we’re looking for in a consultant.
So we’re looking for somebody that can demonstrate that they’ve been dedicated to technical testing, that they have the practical skills that we need. But we’re going beyond that, too. We want people who can communicate with our clients. We want people that have strong communication skills — both verbal and written. And we’re also looking for people that consulting is something that they have in their background.
How does SecureWorks define a successful technical tester?
What makes a successful technical tester for us is somebody that is doing everything they can to delight the client. They have to start out with a passion, that’s something that we screen for, is that, are you really passionate about technical testing? Is this something you would do after hours on your own? Do you have a lab at home that you like to study with? That’s the kind of passion that we’re looking for, but that passion has to translate in performance for the client. The client has to be delighted with the service that we’ve provided, and the consultant has to continue to develop their skills. That’s really what we’re looking for. We offer quite a bit in terms of our training budget, and we expect quite a bit on the consultant’s behalf to sharpen the saw, to really continue to improve their own skill set and not just lay dormant. We’re hoping to stay ahead of our competition by putting a lot into our training programs, and we’re really looking for the consultants to make that personal investment to keep their own skills sharp and help others on the team to bring their skills up as well.