23
Hiring Shinobi
In order to defend against enemy plans or shinobi, or should an emergency arise, you may think it more desirable to have a large number of people. However, you should not hire more people into your army without careful consideration.

A shinobi should have three major principles: skillful speech, boldness, and strategy.

—Yoshimori Hyakushu #38

We know many of the jobs that shinobi performed in feudal Japan, such as committing espionage and sabotage, leading raids, gathering information, carrying out assassinations, and—perhaps the most useful of all—defending against enemy shinobi. But to use shinobi for these purposes, lords and commanders first had to do the same thing that executives and managers still do today: recruit and hire staff.

Scattered but large portions of Bansenshūkai and Yoshimori Hyakushu are dedicated to advising lords why they should hire shinobi, how and when to use them, and the qualities that make a successful candidate—and, eventually, an effective shinobi. According to the scrolls, an ideal shinobi should be:1

  1. Intelligent: A strong-minded, logical, strategic thinker with a good memory, keen observation skills, and an aptitude for learning quickly
  2. Patient: A deliberate but decisive operative with exemplary willpower and self-control
  3. Capable: Resourceful, creative, and courageous in the field, with a demonstrable record of achievement and the vision to see victory even in dire situations
  4. Loyal: Sincere, honorable, and benevolent to others; someone who takes personal responsibility for their actions
  5. Eloquent: Able to communicate effectively with lords and persuasively with employees

In addition to those qualities, shinobi sought for leadership positions must be able to prioritize effectively, execute complex tactics successfully, and demonstrate sound judgment under duress.2

The scrolls also flag certain traits that disqualify candidates, including selfishness and stupidity; immorality (for example, using one’s skills for personal gain); and being likely to overindulge in alcohol, lust, or greed.3 Nepotism might have been a problem as well. While one’s chances of becoming a successful shinobi might increase with the early expectations, opportunities, and grooming that came with being born into a shinobi village (most notably Iga and Koka), being born to shinobi parents did not guarantee success. Such children could, in fact, become low-quality candidates who possessed any number of the negative qualities mentioned above.4

Importantly, in that lengthy list of desirable and undesirable attributes, there are no mentions of specific required skills, past experiences, educational credentials, social pedigrees, ranks, or titles—or for that matter, ages or genders. It seems that being a shinobi was merit based, dependent on the individual’s character, values, qualifications, and abilities.

While the scrolls don’t offer any specific guidance on recruiting, interviewing, or assessing candidates, Shōninki does provide advice on how to understand a person’s deeper nature—their knowledge, modes of thought, beliefs, desires, flaws, and character. Though typically used for spying and targeting, these methods could be usefully adapted for interviewing recruits.

For instance, Shōninki recommends visiting the target’s frequent hangouts to collect information from locals who know the target well. The best information comes from places where the target seems comfortable or has relationships with the proprietors or clientele and therefore is more likely to reveal secrets.5

There is also the skill of hito ni kuruma wo kakeru—“to get people carried away by praising them.” This involves asking the target questions and praising their answers; such flattery makes you seem less intelligent and seems to demonstrate awe in the candidate’s abilities. Done convincingly, this technique loosens up your target, boosts their confidence, and makes them enjoy telling you about themselves, which could lead to all manner of valuable intelligence. For instance, once they’re comfortable, you can change conversational topics and see how they react to unexpected inquiries. Do they have their own opinions, or are they simply parroting other people’s wisdom?6

Recruiting allies and sussing out enemies bore the weight of life and death for shinobi. They often had to decide whether to entrust a person with their life or whether that person would let them down during a perilous mission. As a result, shinobi likely internalized these techniques and other rubrics to become expert people readers, able to quickly and unobtrusively size up someone’s capability, knowledge, and character.7

In this chapter, we will look at the common hiring practices of modern organizations and identify opportunities to incorporate the wisdom of the shinobi into recruiting and training talent. Many hiring managers and even the historical shinobi seem to believe that they can assess the suitability of a person after a thorough interview. While this may work some of the time, many candidates never get the opportunity to attend such an interview due to the various signaling steps, proxy prerequisites, and human resource checkboxes that may erroneously screen them out. We explore these hiring processes in terms of why they may not achieve the desired outcome.

Cybersecurity Talent

The explosive growth of the cybersecurity sector has led to problems recruiting enough people—and the right people—to perform all the necessary work. While part of this stems from the fact that cybersecurity is a relatively new field with a high technical barrier to entry, current candidate assessment methods are also problematic. Too many private-sector companies place too much value on recruiting candidates who check the right résumé boxes or do well on whiteboard puzzles, but cannot perform the job’s day-to-day functions. Candidates, recruiters, and training programs have noted what it takes to get a job and are positioning themselves accordingly, lessening the effectiveness of traditional methods of candidate evaluation. Universities churn out computer science graduates who cannot solve the FizzBuzz problem, designed to test basic programming skills. Candidates provide potential employers with biased or made-up references. Employees pursue meaningless job titles that look good on a résumé but rarely correlate with their work experience or capabilities. Career climbers attain IT or security certifications by cramming for tests (and often forget that information almost immediately); publish shallow, pointless articles for the visibility; and file for patents by adding their names to projects they had almost nothing to do with.

Measures to combat these hiring loopholes, such as take-home tests, are easily bypassed with online help or outright plagiarism. On-the-spot interview whiteboard puzzles, while once novel, are now routine. Candidates come in having practiced for them and may have even gotten the exact exercises from leaks at the company. Even if they weren’t easily compromised, none of these assessments accurately gauge a candidate’s ability to do the work of cybersecurity.

To be fair, candidates have just as much reason to be suspicious of cybersecurity employers. Even if an organization hires an incredible professional worthy of the title “cyber ninja,” there is no guarantee that the employer will use them effectively. While this risk exists in any industry, it’s compounded for cybersecurity companies for numerous reasons, including the obscurity of the highly technical profession, the evolution of technology, leadership’s lack of awareness or exposure to an employee’s more advanced capabilities, and the importance of nondemarcated creativity to success. To perform well and influence organizational security, employees need leadership buy-in and the green light to exercise their skills without fear of punishment or outright sabotage of their abilities.

One of the biggest recruiters, employers, and trainers of cyber professionals is the US military, who can take nearly computer-illiterate high school dropouts and, over the span of 18 months, train them to become capable cyber warfare specialists. Of course, not every recruit makes it through the training, as multiple layers of requirements filter out poor candidates—a practice that aligns closely with those described for shinobi recruits in Bansenshūkai.8

One distinctive tool in military recruiting is the Armed Services Vocational Aptitude Battery test (ASVAB).9 Unlike corporate recruiting, which emphasizes past accomplishments and professional credentials, the ASVAB assesses recruits’ learning potential, aptitude, and general technical ability. The scores are used to assign candidates to occupational specialties in which they are likely to thrive if successfully trained. The ASVAB has been highly effective for the military, but it’s worth noting that certain cyber jobs have reported unexpectedly high rates of training failure and poor field performance, likely due to the jobs’ demanding attributes that the ASVAB does not always test for. In the structured world of the military, it can be difficult to identify or train people who want to approach challenges with creative, fearless, independent, problem solving–based thinking—a skill set closely associated with hackers.

Talent Management

Everyone wants to hire cybersecurity professionals for their organization, but the supply is limited. So how does everyone get their hands on some cybersecurity talent? Organizations should first determine whether they intend to develop raw talent themselves or compete against other organizations for the limited supply of experienced cybersecurity experts. Many of the recommendations below are suited for developing talent but may be suitable for a hybrid approach as well. Many cybersecurity professionals may agree that current hiring practices are broken and it’s time to move past all the proxy signals to try something new. As an alternative, consider the below approaches to hiring and maintaining talent.

  1. Start using practical interview capability assessments. Instead of interview quizzes, random whiteboard puzzles, live coding exercises, or take-home projects, ask candidates to perform functions of the actual job for which they are being evaluated. Have them audition in the same environment and conditions they will work in if hired. Test and validate assessments by giving the exercises to current employees and reviewing the results, measuring the correlation between performance on the test and actual job performance. Keep the assessments modular and regularly alter them so candidates cannot benefit from obtaining a leaked exercise or coaching. Regularly integrate recent challenges your employees have faced to keep the test current with the demands of the job. Ideally, the assessment should be able to determine an applicant’s competence in 30 minutes or less, with time enough for the candidate to learn through online research and/or rapid trial and error.
  2. Implement a black-box aptitude battery. Give the candidate a modular, semirandom pseudo-technology and ask them to discover how it works so they can then attempt to hack and/or secure it. This exercise is similar to the Department of Defense’s DLAB (Defense Language Aptitude Battery) test.10 Instead of testing a candidate’s proficiency with an existing language, the DLAB uses a fake language to test the ability to learn a new language. This approach is likely even more useful for technology than spoken languages, as new technologies and frameworks appear all the time. Key criteria of the black-box test would measure a candidate’s ability to:
    • Quickly memorize technology specifications, commands, or manuals of the fake technology
    • Use logic and critical thinking to solve problems or navigate scenarios in the fake technology
    • Display resourcefulness to achieve specific outcomes with artificial barriers, such as bypassing the fake technology’s local security

    You may find and hire a promising candidate who has high aptitude but lacks the necessary technical skill to do the job. In this case, know that you must make an expensive long-term investment in teaching the candidate actual technical skills. Otherwise, their high aptitude will not help you.

  3. Be able to spot disqualifiers. Go beyond the typical drug tests, reference checks, background and criminal histories, and credit reports that most organizations perform, as these do not always paint an accurate picture of someone’s character—for better or worse. Devote serious effort to identifying candidates who constantly make poor decisions that harm themselves and others. These “harmful-stupid” people can have degrees, certifications, good credit scores, clean drug tests, and solid work history by virtue of other qualities such as fortitude, ambition, diligence, raw talent, and luck. During the interview, probe their desires and motivations to disqualify the wrong type of people. (Of course, past harmful-stupid decisions may not represent the candidate’s current mindset and character, so give the candidate opportunities to demonstrate whether they’re likely to make harmful-stupid decisions in the future.)
  4. Train staff and establish a culture of excellence. Technical skills can be taught, but other character attributes take outsized effort to hone. Identify staff who want to become “cyber ninjas” and help them improve the personal qualities described in Bansenshūkai by constantly challenging, conditioning, and training them. Instruct your staff to take the following steps:
    • Strive to solve progressively harder cyber problems every day.
    • Hone their mind with memory drills, self-discipline challenges, and exercises in patience centered on technology.
    • Learn ingenuity by creating limited cyber operational situations governed by self-imposed rules, then trying to accomplish goals while following those rules.
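The following is an added example, not code from the book or from any organization it describes, showing one concrete shape for items 1 and 2 above: a seeded generator for a "pseudo-technology" (here a toy stack machine whose mnemonics are invented per candidate, with the literal-range and step-limit rules standing in for the artificial barriers), a scorer that grades a candidate's submission against the variant's goal, and a correlation helper for validating the assessment against current employees' job performance as item 1 recommends. The machine semantics, the syllable table, the rule thresholds, and the calibration data at the bottom are all constructed for this illustration.

```python
import random
from dataclasses import dataclass

# True semantics of the toy stack machine. Candidates never see these names;
# every variant renames them, so a leaked or coached exercise does not carry over.
TRUE_OPS = ["push", "add", "mul", "swap", "dup", "drop"]
DIGIT_LIMIT = 9   # artificial barrier (constructed): literals must be 0..9
STEP_LIMIT = 40   # artificial barrier (constructed): longer programs fail


@dataclass
class Variant:
    seed: int
    names: dict    # true op -> invented mnemonic; this is the "technology" to learn
    target: int    # value the candidate must leave on top of the stack


def make_variant(seed: int) -> Variant:
    """Build one pseudo-technology from a seed: reproducible for the assessor, different per candidate."""
    rng = random.Random(seed)
    syllables = ["ka", "zu", "mo", "ri", "ten", "shi", "no", "bu", "ya", "ko"]  # constructed
    names, used = {}, set()
    for op in TRUE_OPS:
        word = "".join(rng.choice(syllables) for _ in range(2))
        while word in used:
            word = "".join(rng.choice(syllables) for _ in range(2))
        used.add(word)
        names[op] = word
    return Variant(seed=seed, names=names, target=rng.randint(10, 99))


def manual(v: Variant) -> str:
    """The only documentation the candidate receives; memorising it is part of the exercise."""
    return "\n".join([
        f"Variant {v.seed}: a stack machine. Goal: leave {v.target} on top of the stack.",
        f"Rules: literals are 0..{DIGIT_LIMIT}; at most {STEP_LIMIT} instructions.",
        f"  {v.names['push']} N   push literal N",
        f"  {v.names['add']}      pop a, pop b, push b+a",
        f"  {v.names['mul']}      pop a, pop b, push b*a",
        f"  {v.names['swap']}     exchange the two top values",
        f"  {v.names['dup']}      duplicate the top value",
        f"  {v.names['drop']}     discard the top value",
    ])


def run(v: Variant, program: str) -> list:
    """Execute a program written in the variant's mnemonics; raise on any rule violation."""
    decode = {fake: true for true, fake in v.names.items()}
    steps = [ln.split() for ln in program.strip().splitlines() if ln.strip()]
    if len(steps) > STEP_LIMIT:
        raise ValueError("program exceeds step limit")
    stack = []
    for tokens in steps:
        op = decode.get(tokens[0])
        if op is None:
            raise ValueError(f"unknown mnemonic {tokens[0]!r}")
        if op == "push":
            n = int(tokens[1])
            if not 0 <= n <= DIGIT_LIMIT:
                raise ValueError("literal out of range")
            stack.append(n)
        elif op == "add":
            a, b = stack.pop(), stack.pop()
            stack.append(b + a)
        elif op == "mul":
            a, b = stack.pop(), stack.pop()
            stack.append(b * a)
        elif op == "swap":
            stack[-1], stack[-2] = stack[-2], stack[-1]   # IndexError on a short stack
        elif op == "dup":
            stack.append(stack[-1])
        elif op == "drop":
            stack.pop()
    return stack


def score(v: Variant, program: str) -> dict:
    """Grade a submission: whether the goal was met and how many instructions it took."""
    try:
        stack = run(v, program)
    except (ValueError, IndexError) as err:      # rule violations and stack underflow both fail
        return {"solved": False, "steps": 0, "error": str(err)}
    steps = len([ln for ln in program.strip().splitlines() if ln.strip()])
    return {"solved": bool(stack) and stack[-1] == v.target, "steps": steps, "error": ""}


def encode(v: Variant, true_program: list) -> str:
    """Assessor-side helper: translate true op names into the variant's mnemonics (for reference solutions)."""
    lines = []
    for line in true_program:
        parts = line.split()
        lines.append(" ".join([v.names[parts[0]]] + parts[1:]))
    return "\n".join(lines)


def pearson(xs, ys) -> float:
    """Correlation between assessment scores and later job-performance ratings of current staff."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (sx * sy)


if __name__ == "__main__":
    v = make_variant(2024)
    print(manual(v))
    # Constructed calibration data: (assessment score, supervisor rating) for five current employees.
    print(round(pearson([55, 70, 80, 90, 40], [3.0, 3.5, 4.5, 4.0, 2.5]), 3))
```

Changing the seed produces a new manual and goal, so the exercise can be rotated per candidate as item 1 advises; `encode` lets the assessor keep reference solutions in true op names and re-issue them against any variant. A weak or negative `pearson` value on current staff is the signal to redesign the exercise before using it on applicants.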

Recommended Security Controls and Mitigations

These recommendations are presented with the NIST 800-53 standard and NIST 800-16 Cyber Workforce Framework in mind.11 Consider these recommendations when evaluating potential hires who will implement security controls.

  1. Define the knowledge, skills, and abilities needed to perform cybersecurity duties at your organization. Address these needs—along with competency benchmarks, workforce skills, and mission requirements—during talent recruitment, hiring, and training. [PM-13 Security and Privacy Workforce]
  2. Define hiring requirements for “cyber ninja” positions by reviewing and documenting required knowledge units, such as:
    • Advanced network technology and protocols
    • Digital forensics
    • Software development
    • Compliance
    • Computer network defense
    • Configuration management
    • Cryptography and encryption
    • Data security
    • Databases
    • Identity management/privacy
    • Incident management
    • Industrial control systems
    • Information assurance
    • Information systems
    • IT systems and operations
    • Network and telecommunications security
    • Personnel security
    • Physical and environmental security
    • Architecture, systems, and application security
    • Security risk management
    • Web security
  3. Consider the following training, certifications, and protocols: OV-6, ANTP-*, ARCH-*, COMP-1/5/9/10, CND-*, CM-*, CR-*, DS-*, DB-*, DF-*, IM-*, IR-*, ICS-*, IA-*, WT-*, SI-*, ITOS-*, NTS-*, PS-*, PES-1, RM-*, SW-*, SAS-*.

Debrief

In this chapter, we reviewed the qualities that the shinobi believed were necessary to be successful in their tradecraft. In addition, we described some of the back-channel interview methods used by shinobi. We also explored many of the current hiring processes used by modern organizations and why they are not as effective as desired. We listed some novel approaches to identifying suitable candidates. The thought exercise in this chapter is as relevant today as it was for the medieval commanders who needed to hire shinobi to protect themselves from enemy shinobi. Hiring hacker-like people who may not have a good GPA or a solid work history, or who may not wear professional attire, will likely be more effective in countering cybercriminals than hiring the typical person who colors between the lines.

Once you have hired these talented and/or skilled defenders, it is important to establish standards and processes so they can defend your organization in a disciplined manner. Without leadership that sets clear expectations, the defenders may become lax and thus less than worthless. In the next chapter, we will discuss guardhouse behavior.