Oct. 25, 2019

Nick Jeswald - Confessions of a Cybersecurity Recruiter (Part 1)

Part 1 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.

Part 1 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.


I've been in infosec for 8 years, and in various IT roles since 1996 (Developer -> Sales Engineer -> BD Specialist -> Security BD -> Security Recruiting -> Dir. Corp Dev). However, I've also been one of the top recruiters for each company I worked at whatever role I've had.

Show Notes:

  • Internal recruiters != external recruiters
    • Backgrounds are different
      • External recruiters come from varied backgrounds, virtually zero from infosec
        • Much like BD people
      • Internal recruiters are more likely to have a greater understanding of infosec or at least IT
      • A recruiter that doesn't understand security is more likely to make bad placements with higher turnover
    • Motivations are far different
      • I want to choose people to spend a career with
      • They want to make a commission and meet SLAs
    • Attention to detail is very different
      • A tiny detail that could betray a hidden skill set or flaw would likely be overlooked by a 3rd party
      • I have an interest in understating the person, not just the resume
        • What is their desired career/life trajectory?
        • How will our company enrich/hinder that life?
  • You are in competition with an army of low-skilled counterfeits
    • You need to be able to demonstrate raw skills, not just list your certs
    • Have a body of work available for review on GitHub, your own site, etc.
    • Internships are a nice touch, but they cut both ways
      • You interned with unnamed-big-4-biz-consulting firm? Don't drag that culture in here. I fear for what you learned.
    • Can't talk about where you interned because it was a non-DOD three-letter agency? Communicate that point to me in your way. If that is the truth, I'll trace you back and verify.
  • Always be client-facing
    • I have seen many recruits passed over for poor hygiene, arrogant treatment of interviewers, disclosure of illegal activity, and just generally obnoxious behavior
      • You couldn't act like this on a client site and not get sent home; don't do it on the interview
      • Yes, you are talented...there's always someone cooler than you
  • Interview your interviewers
    • You should have a standing list of questions for interviewers
      • Why do you stay with them?
      • What is the intended growth path? Organic? IPO? Channel?
      • Is there any merger/acquisition activity going on? Planned? Intended impact?
      • Is there any rebranding activity going on? Planned? Intended impact?
      • What conditions are driving this open role? Turnover? Internal restructuring? Organizational growth?
      • Will I be supported in my security research? How?
      • Does your company have a defined mentoring path? Why not?
      • How does the company support continuing infosec education?
  • Meet your team
    • Watch the team interaction closely
    • Can you see cohesion? Are they supportive or adversarial? Are they authentically happy with their jobs?
  • Understand the org chart you are stepping into
    • To whom does security answer? CXX? IT Director? General Counsel?
      • Understanding this will help mitigate surprises later
  • Understand the company culture
    • Big corp? Big corp problems.
    • Boutique? Founder problems.
    • Is there a "treehouse" mentality among the senior employees?
  • Never forget who you are
    • I know you want a job, but don't take a job that is sure to kill you slowly from the inside
      • Like doing offensive security? Don't start in the SOC.
    • Did you walk away from the interview(s) thinking that this company understands the care & feeding of hackers?
    • If you can already see the point at which you will outgrow the company, is it the right place to start?
      • Maybe! If you have a goal of entrepreneurship, or of working for a specific team, this first step just needs to support that eventual goal. This may be detected by an astute interviewer, though.

Resume tips

  • One page.
    • My dad started at the bottom, and worked up to EVP of a Fortune 50 corp. One page.
  • Focus on your work experiences and extracurricular infosec workrelevant
  • I'd rather read about 0days and CVEs than certs
  • I want to know about your community involvement
    • 2600, local DCs, TOOOL, OWASP, etc.
    • Presentations at cons matter to me, especially if I can watch you deliver information to an audience
      • Like a free audition, and believe me I watch every one people link in resumes
  • I don't care about your GPA, fraternity/sorority, who we know in common, what sports you enjoy, or what you look like. At all.
    • Seriously, don't add a photo.

General tips

  • Code in several languages.
    • Despite semantic differences, you should have a pretty good working knowledge of the most widespread VMs, coding languages, and compilers
  • Web apps are your paycheck
    • Knowing the OWASP Top 10 is like knowing your middle name...not impressive in and of itself, but if you don't know them, there's something wrong.
    • Many composite "red team" projects will involve some Web app hacking, and even the most specialized consultancies will agree to a Web app assessment for an established client
  • Think holistically, and make yourself more valuable
    • If you can't write a report, of what value are your assessment activities?
    • Seem always to have interpersonal conflict? Time to read up on Empathy and EQ. Be the go-to on your squad.
    • Get comfortable with an audience. Toastmasters is there for you.
  • Learn the value of "the Halloween Mask" as Henry Rollins called it
    • Sure, you're a young security professional. We all expect eccentricity from you. We're all also trying to make money and be taken seriously
      • Don't forget: in boardrooms of white-haired old men across the nation, we're still the same guys who lost them millions of dollars on ERPs and useless Y2K preparations
      • I'm not kidding about this.
    • Don't wield your difference like a blunt object. A little bit goes a long way when you're also scaring the hell out of everyone with pen test reports.
    • My life is far more complex and wacky than my coworkers know, and I talk a lot. I just know how much to let through the mask

Getting Into Infosec:

Follow Ayman on Twitter

Breaking IN: A Practical Guide to Starting a Career in Information Security