por Ayman Elsawah (@coffeewithayman)
Part 1 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.
I've been in infosec for 8 years, and in various IT roles since 1996 (Developer -> Sales Engineer -> BD Specialist -> Security BD -> Security Recruiting -> Dir. Corp Dev). However, I've also been one of the top recruiters for each company I worked at whatever role I've had.
Internal recruiters != external recruiters
Backgrounds are different
External recruiters come from varied backgrounds, virtually zero from infosec
Much like BD people
Internal recruiters are more likely to have a greater understanding of infosec or at least IT
A recruiter that doesn't understand security is more likely to make bad placements with higher turnover
Motivations are far different
I want to choose people to spend a career with
They want to make a commission and meet SLAs
Attention to detail is very different
A tiny detail that could betray a hidden skill set or flaw would likely be overlooked by a 3rd party
I have an interest in understating the person, not just the resume
What is their desired career/life trajectory?
How will our company enrich/hinder that life?
You are in competition with an army of low-skilled counterfeits
You need to be able to demonstrate raw skills, not just list your certs
Have a body of work available for review on GitHub, your own site, etc.
Internships are a nice touch, but they cut both ways
You interned with unnamed-big-4-biz-consulting firm? Don't drag that culture in here. I fear for what you learned.
Can't talk about where you interned because it was a non-DOD three-letter agency? Communicate that point to me in your way. If that is the truth, I'll trace you back and verify.
Always be client-facing
I have seen many recruits passed over for poor hygiene, arrogant treatment of interviewers, disclosure of illegal activity, and just generally obnoxious behavior
You couldn't act like this on a client site and not get sent home; don't do it on the interview
Yes, you are talented...there's always someone cooler than you
Interview your interviewers
You should have a standing list of questions for interviewers
Why do you stay with them?
What is the intended growth path? Organic? IPO? Channel?
Is there any merger/acquisition activity going on? Planned? Intended impact?
Is there any rebranding activity going on? Planned? Intended impact?
What conditions are driving this open role? Turnover? Internal restructuring? Organizational growth?
Will I be supported in my security research? How?
Does your company have a defined mentoring path? Why not?
How does the company support continuing infosec education?
Meet your team
Watch the team interaction closely
Can you see cohesion? Are they supportive or adversarial? Are they authentically happy with their jobs?
Understand the org chart you are stepping into
To whom does security answer? CXX? IT Director? General Counsel?
Understanding this will help mitigate surprises later
Understand the company culture
Big corp? Big corp problems.
Boutique? Founder problems.
Is there a "treehouse" mentality among the senior employees?
Never forget who you are
I know you want a job, but don't take a job that is sure to kill you slowly from the inside
Like doing offensive security? Don't start in the SOC.
Did you walk away from the interview(s) thinking that this company understands the care & feeding of hackers?
If you can already see the point at which you will outgrow the company, is it the right place to start?
Maybe! If you have a goal of entrepreneurship, or of working for a specific team, this first step just needs to support that eventual goal. This may be detected by an astute interviewer, though.
My dad started at the bottom, and worked up to EVP of a Fortune 50 corp. One page.
Focus on your work experiences and extracurricular infosec workrelevant
I'd rather read about 0days and CVEs than certs
I want to know about your community involvement
2600, local DCs, TOOOL, OWASP, etc.
Presentations at cons matter to me, especially if I can watch you deliver information to an audience
Like a free audition, and believe me I watch every one people link in resumes
I don't care about your GPA, fraternity/sorority, who we know in common, what sports you enjoy, or what you look like. At all.
Seriously, don't add a photo.
Code in several languages.
Despite semantic differences, you should have a pretty good working knowledge of the most widespread VMs, coding languages, and compilers
Web apps are your paycheck
Knowing the OWASP Top 10 is like knowing your middle name...not impressive in and of itself, but if you don't know them, there's something wrong.
Many composite "red team" projects will involve some Web app hacking, and even the most specialized consultancies will agree to a Web app assessment for an established client
Think holistically, and make yourself more valuable
If you can't write a report, of what value are your assessment activities?
Seem always to have interpersonal conflict? Time to read up on Empathy and EQ. Be the go-to on your squad.
Get comfortable with an audience. Toastmasters is there for you.
Learn the value of "the Halloween Mask" as Henry Rollins called it
Sure, you're a young security professional. We all expect eccentricity from you. We're all also trying to make money and be taken seriously
Don't forget: in boardrooms of white-haired old men across the nation, we're still the same guys who lost them millions of dollars on ERPs and useless Y2K preparations
I'm not kidding about this.
Don't wield your difference like a blunt object. A little bit goes a long way when you're also scaring the hell out of everyone with pen test reports.
My life is far more complex and wacky than my coworkers know, and I talk a lot. I just know how much to let through the mask
Getting Into Infosec:
Follow Me on Twitter: https://twitter.com/coffeewithayman
Subscribe To YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Checkout My Book: https://amzn.to/2HP2i25
Sign up for updates and commentary: https://mailchi.mp/467573a314e5/gettingintoinfosec
See omnystudio.com/listener for privacy information.