Episode 26
Nick Jeswald - Confessions of a Cybersecurity Recruiter (Part 1)
Part 1 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.
BIO:
I've been in infosec for 8 years, and in various IT roles since 1996 (Developer -> Sales Engineer -> BD Specialist -> Security BD -> Security Recruiting -> Dir. Corp Dev). However, I've also been one of the top recruiters for each company I worked at whatever role I've had.
Show Notes:
- Internal recruiters != external recruiters
- Backgrounds are different
- External recruiters come from varied backgrounds, virtually zero from infosec
- Much like BD people
- Internal recruiters are more likely to have a greater understanding of infosec or at least IT
- A recruiter that doesn't understand security is more likely to make bad placements with higher turnover
- External recruiters come from varied backgrounds, virtually zero from infosec
- Motivations are far different
- I want to choose people to spend a career with
- They want to make a commission and meet SLAs
- Attention to detail is very different
- A tiny detail that could betray a hidden skill set or flaw would likely be overlooked by a 3rd party
- I have an interest in understating the person, not just the resume
- What is their desired career/life trajectory?
- How will our company enrich/hinder that life?
- Backgrounds are different
- You are in competition with an army of low-skilled counterfeits
- You need to be able to demonstrate raw skills, not just list your certs
- Have a body of work available for review on GitHub, your own site, etc.
- Internships are a nice touch, but they cut both ways
- You interned with unnamed-big-4-biz-consulting firm? Don't drag that culture in here. I fear for what you learned.
- Can't talk about where you interned because it was a non-DOD three-letter agency? Communicate that point to me in your way. If that is the truth, I'll trace you back and verify.
- Always be client-facing
- I have seen many recruits passed over for poor hygiene, arrogant treatment of interviewers, disclosure of illegal activity, and just generally obnoxious behavior
- You couldn't act like this on a client site and not get sent home; don't do it on the interview
- Yes, you are talented...there's always someone cooler than you
- I have seen many recruits passed over for poor hygiene, arrogant treatment of interviewers, disclosure of illegal activity, and just generally obnoxious behavior
- Interview your interviewers
- You should have a standing list of questions for interviewers
- Why do you stay with them?
- What is the intended growth path? Organic? IPO? Channel?
- Is there any merger/acquisition activity going on? Planned? Intended impact?
- Is there any rebranding activity going on? Planned? Intended impact?
- What conditions are driving this open role? Turnover? Internal restructuring? Organizational growth?
- Will I be supported in my security research? How?
- Does your company have a defined mentoring path? Why not?
- How does the company support continuing infosec education?
- You should have a standing list of questions for interviewers
- Meet your team
- Watch the team interaction closely
- Can you see cohesion? Are they supportive or adversarial? Are they authentically happy with their jobs?
- Understand the org chart you are stepping into
- To whom does security answer? CXX? IT Director? General Counsel?
- Understanding this will help mitigate surprises later
- To whom does security answer? CXX? IT Director? General Counsel?
- Understand the company culture
- Big corp? Big corp problems.
- Boutique? Founder problems.
- Is there a "treehouse" mentality among the senior employees?
- Never forget who you are
- I know you want a job, but don't take a job that is sure to kill you slowly from the inside
- Like doing offensive security? Don't start in the SOC.
- Did you walk away from the interview(s) thinking that this company understands the care & feeding of hackers?
- If you can already see the point at which you will outgrow the company, is it the right place to start?
- Maybe! If you have a goal of entrepreneurship, or of working for a specific team, this first step just needs to support that eventual goal. This may be detected by an astute interviewer, though.
- I know you want a job, but don't take a job that is sure to kill you slowly from the inside
Resume tips
- One page.
- My dad started at the bottom, and worked up to EVP of a Fortune 50 corp. One page.
- Focus on your work experiences and extracurricular infosec workrelevant
- I'd rather read about 0days and CVEs than certs
- I want to know about your community involvement
- 2600, local DCs, TOOOL, OWASP, etc.
- Presentations at cons matter to me, especially if I can watch you deliver information to an audience
- Like a free audition, and believe me I watch every one people link in resumes
- I don't care about your GPA, fraternity/sorority, who we know in common, what sports you enjoy, or what you look like. At all.
- Seriously, don't add a photo.
General tips
- Code in several languages.
- Despite semantic differences, you should have a pretty good working knowledge of the most widespread VMs, coding languages, and compilers
- Web apps are your paycheck
- Knowing the OWASP Top 10 is like knowing your middle name...not impressive in and of itself, but if you don't know them, there's something wrong.
- Many composite "red team" projects will involve some Web app hacking, and even the most specialized consultancies will agree to a Web app assessment for an established client
- Think holistically, and make yourself more valuable
- If you can't write a report, of what value are your assessment activities?
- Seem always to have interpersonal conflict? Time to read up on Empathy and EQ. Be the go-to on your squad.
- Get comfortable with an audience. Toastmasters is there for you.
- Learn the value of "the Halloween Mask" as Henry Rollins called it
- Sure, you're a young security professional. We all expect eccentricity from you. We're all also trying to make money and be taken seriously
- Don't forget: in boardrooms of white-haired old men across the nation, we're still the same guys who lost them millions of dollars on ERPs and useless Y2K preparations
- I'm not kidding about this.
- Don't wield your difference like a blunt object. A little bit goes a long way when you're also scaring the hell out of everyone with pen test reports.
- My life is far more complex and wacky than my coworkers know, and I talk a lot. I just know how much to let through the mask
- Sure, you're a young security professional. We all expect eccentricity from you. We're all also trying to make money and be taken seriously
Getting Into Infosec:
- Follow Me on Twitter: https://twitter.com/coffeewithayman
- Subscribe To YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
- Checkout My Book: https://amzn.to/2HP2i25
- Sign up for updates and commentary: https://mailchi.mp/467573a314e5/gettingintoinfosec
- Website: https://gettingintoinfosec.com
See omnystudio.com/listener for privacy information.
Mentioned in this episode: