Nick Jeswald - Confessions of a Cybersecurity Recruiter (Part 1)

Part 1 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.

I've been in infosec for 8 years, and in various IT roles since 1996. Developer - Sales Engineer - BD Specialist - Security BD - Security Recruiting - Dir. Corp Dev. However, whatever role I've had, I've also been one of the top recruiters for each company I worked at.

Show Notes:

• Internal recruiters != external recruiters
  • Backgrounds are different
    • External recruiters come from varied backgrounds, virtually zero from infosec
      • Much like BD people
    • Internal recruiters are more likely to have a greater understanding of infosec or at least IT
    • A recruiter that doesn't understand security is more likely to make bad placements with higher turnover
  • Motivations are far different
    • I want to choose people to spend a career with
    • They want to make a commission and meet SLAs
  • Attention to detail is very different
    • A tiny detail that could betray a hidden skill set or flaw would likely be overlooked by a 3rd party
    • I have an interest in understanding the person, not just the resume
      • What is their desired career/life trajectory?
      • How will our company enrich/hinder that life?

• You are in competition with an army of low-skilled counterfeits
  • You need to be able to demonstrate raw skills, not just list your certs
  • Have a body of work available for review on GitHub, your own site, etc.
  • Internships are a nice touch, but they cut both ways
    • You interned with unnamed-big-4-biz-consulting firm? Don't drag that culture in here. I fear for what you learned.
    • Can't talk about where you interned because it was a non-DOD three letter agency? Communicate that point to me in your way. If that is the truth, I'll trace you back and verify.

• Always be client facing
  • I have seen many recruits passed over for poor hygiene, arrogant treatment of interviewers, disclosure of illegal activity, and just generally obnoxious behavior
    • You couldn't act like this on a client site and not get sent home; don't do it on the interview
    • Yes, you are talented...there's always someone cooler than you

• Interview your interviewers
  • You should have a standing list of questions for interviewers
    • Why do you stay with them?
    • What is the intended growth path? Organic? IPO? Channel?
    • Is there any merger/acquisition activity going on? Planned? Intended impact?
    • Is there any rebranding activity going on? Planned? Intended impact?
    • What conditions are driving this open role? Turnover? Internal restructuring? Organizational growth?
    • Will I be supported in my security research? How?
    • Does your company have a defined mentoring path? Why not?
    • How does the company support continuing infosec education?

• Meet your team
  • Watch the team interaction closely
  • Can you see cohesion? Are they supportive or adversarial? Are they authentically happy with their jobs?

• Understand the org chart you are stepping into
  • To whom does security answer? CXX? IT Director? General Counsel?
    • Understanding this will help mitigate surprises later

• Understand the company culture
  • Big corp? Big corp problems.
  • Boutique? Founder problems.
  • Is there a "tree house" mentality among the senior employees?

• Never forget who you are
  • I know you want a job, but don't take a job that is sure to kill you slowly from the inside
    • Like doing offensive security? Don't start in the SOC.
  • Did you walk away from the interview(s) thinking that this company understands the care & feeding of hackers?
  • If you can already see the point at which you will outgrow the company, is it the right place to start?
    • Maybe! If you have a goal of entrepreneurship, or of working for a specific team, this first step just needs to support that eventual goal. This may be detected by an astute interviewer, though.

• Resume tips
  • One page.
    • My dad started at the bottom, and worked up to EVP of a Fortune 50 corp. One page.
  • Focus on your relevant work experiences and extracurricular infosec work
  • I'd rather read about 0days and CVEs than certs
  • I want to know about your community involvement
    • 2600, local DCs, TOOOL, OWASP, etc.
  • Presentations at cons matter to me, especially if I can watch you deliver information to an audience
    • Like a free audition, and believe me I watch every one people link in resumes
  • I don't care about your GPA, fraternity/sorority, who we know in common, what sports you enjoy, or what you look like. At all.
    • Seriously, don't add a photo.

• General tips
  • Code. Know it. In several languages.
    • Despite semantic differences, you should have a pretty