
Hiring Good Security People: What Actually Matters
Hiring in security is harder than it looks.
Not because the talent pool is small — though that's a real constraint — but because the signals most hiring processes rely on are poor predictors of the thing that actually matters: how someone performs when the environment is ambiguous, the stakes are high, and the playbook doesn't cover the situation.
Certifications tell you someone studied. Years of experience tell you someone stayed. Neither tells you whether someone thinks well, communicates clearly, or makes good decisions under pressure. And in security, those qualities matter more than almost anything else on a resume.
Here's what to look for instead.
Hire for Thinking, Not Just Knowledge
Security knowledge has a shelf life. The threat landscape changes, frameworks evolve, tools get replaced. Someone who has deep expertise in a specific technology or compliance standard will need to unlearn and relearn continuously throughout their career — and the ability to do that well is far more valuable than the current depth of their knowledge.
The question isn't "what does this person know?" It's "how does this person think?"
In interviews, this means asking questions that don't have clean answers. How would you approach a risk assessment for a business unit you've never worked with before? Walk me through how you'd investigate an alert that turned out to be a false positive — and one that turned out to be real. What's a security decision you got wrong, and what did you learn from it?
These questions reveal reasoning, not recall. That's what you're actually hiring.
Communication Is a Security Skill
One of the most underweighted qualities in security hiring is the ability to communicate clearly — to translate technical risk into language that resonates with a business audience, to write findings that are actionable rather than just accurate, to have a difficult conversation with a stakeholder who doesn't want to hear what you have to say.
Security teams that can't communicate well don't just struggle internally. They lose influence over the decisions that matter most. Budgets go to teams that can articulate their value. Risks go unaddressed when the people who understand them can't explain them to the people who can act on them.
When evaluating candidates, pay attention to how they explain things — not just what they explain. Can they make a complex concept accessible without losing accuracy? Can they read the room and adjust their register? Do they write clearly? These skills don't show up on a certification list, but they're often the difference between a security professional who influences outcomes and one who produces reports nobody reads.
Look for People Who Are Comfortable With Uncertainty
Security work is fundamentally probabilistic. Threats are assessed in terms of likelihood, not certainty. Controls reduce risk but don't eliminate it. Decisions have to be made with incomplete information, under time pressure, with real consequences for getting it wrong.
People who are uncomfortable with uncertainty — who need clean answers, who struggle to act without complete information, who treat ambiguity as a problem to be resolved before moving forward — tend to struggle in security roles regardless of their technical ability.
The candidates worth hiring are the ones who can hold uncertainty without being paralyzed by it. Who can say "here's what we know, here's what we don't, and here's the decision I'd recommend given that" — and then be willing to revisit that decision as new information emerges.
Culture Fit Cuts Both Ways
Every organization talks about culture fit. Fewer think carefully about what that means in a security context — or about the ways culture fit can be used to justify hiring people who look and think like everyone already on the team.
In security, cognitive diversity is a genuine asset. Teams that bring different mental models, different professional backgrounds, and different approaches to problem-solving identify threats and solutions that homogeneous teams miss. The instinct to hire people who feel familiar is understandable, but it compounds over time into teams that have the same blind spots.
The right question about culture isn't "will this person fit in." It's "will this person make the team better — and will the team give them a real chance to do that."
Retention Starts at the Interview
Hiring good security people is hard enough. Losing them six months later because the role wasn't what they expected, the team wasn't supported, or the organization didn't take security seriously — that's a failure that starts in the hiring process.
Be honest in interviews about what the role actually involves. The current state of the program, the organizational maturity, the resourcing constraints, the expectations for what someone in this role will be able to accomplish and in what timeframe. Security professionals talk to each other. A culture of overpromising in interviews creates a reputation that makes the next hire harder.
The candidates worth keeping are the ones who ask hard questions about the role before accepting it. That's not a red flag — it's a sign they're taking the decision seriously. Answer those questions honestly, and you'll hire people who stay.
The Team You Build Is the Program You Get
Security programs are only as good as the people running them. Technology matters, processes matter, tooling matters — but none of it functions without people who think well, communicate clearly, and make good decisions when it counts.
Investing in better hiring is one of the highest-leverage things a security leader can do. Not just because it improves individual performance, but because the quality of a security team compounds over time. Good people attract good people. Clear thinking becomes a cultural norm. The program gets better not just because the tools improved, but because the judgment running them did.
Building a security team that can keep up with where your program needs to go?
At Episki, we help security leaders think through the people, structure, and culture questions that determine whether a security program actually performs. Whether you're building a team from scratch or rethinking how you hire, we're here to help.
The best security investment you'll make is in the people making the decisions.