Nick Jeswald - Confessions of a Cybersecurity Recruiter (Part 1)

Getting Into Infosec

Part 1 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.

BIO:

I've been in infosec for 8 years, and in various IT roles since 1996 (Developer -> Sales Engineer -> BD Specialist -> Security BD -> Security Recruiting -> Dir. Corp Dev). However, I've also been one of the top recruiters at each company I've worked for, whatever role I've had.

Show Notes:

  • Internal recruiters != external recruiters
    • Backgrounds are different
      • External recruiters come from varied backgrounds, virtually zero from infosec
        • Much like BD people

      • Internal recruiters are more likely to have a greater understanding of infosec or at least IT
      • A recruiter that doesn't understand security is more likely to make bad placements with higher turnover

    • Motivations are far different
      • I want to choose people to spend a career with
      • They want to make a commission and meet SLAs

    • Attention to detail is very different
      • A tiny detail that could betray a hidden skill set or flaw would likely be overlooked by a 3rd party
    • I have an interest in understanding the person, not just the resume
        • What is their desired career/life trajectory?
        • How will our company enrich/hinder that life?



  • You are in competition with an army of low-skilled counterfeits
    • You need to be able to demonstrate raw skills, not just list your certs
    • Have a body of work available for review on GitHub, your own site, etc.
    • Internships are a nice touch, but they cut both ways
      • You interned with unnamed-big-4-biz-consulting firm? Don't drag that culture in here. I fear for what you learned.

    • Can't talk about where you interned because it was a non-DOD three-letter agency? Communicate that point to me in your way. If that is the truth, I'll trace you back and verify.

  • Always be client-facing
    • I have seen many recruits passed over for poor hygiene, arrogant treatment of interviewers, disclosure of illegal activity, and just generally obnoxious behavior
      • You couldn't act like this on a client site and not get sent home; don't do it on the interview
      • Yes, you are talented...there's always someone cooler than you


  • Interview your interviewers
    • You should have a standing list of questions for interviewers
      • Why do you stay with them?
      • What is the intended growth path? Organic? IPO? Channel?
      • Is there any merger/acquisition activity going on? Planned? Intended impact?
      • Is there any rebranding activity going on? Planned? Intended impact?
      • What conditions are driving this open role? Turnover? Internal restructuring? Organizational growth?
      • Will I be supported in my security research? How?
      • Does your company have a defined mentoring path? Why not?
      • How does the company support continuing infosec education?


  • Meet your team
    • Watch the team interaction closely
    • Can you see cohesion? Are they supportive or adversarial? Are they authentically happy with their jobs?

  • Understand the org chart you are stepping into
    • To whom does security answer? CXX? IT Director? General Counsel?
      • Understanding this will help mitigate surprises later


  • Understand the company culture
    • Big corp? Big corp problems.
    • Boutique? Founder problems.
    • Is there a "treehouse" mentality among the senior employees?
