Nick Jeswald - Confessions of a Cybersecurity Recruiter (Part 1)

Part 1 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.

BIO:

I've been in infosec for 8 years, and in various IT roles since 1996 (Developer -> Sales Engineer -> BD Specialist -> Security BD -> Security Recruiting -> Dir. Corp Dev). However, I've also been one of the top recruiters for each company I worked at whatever role I've had.

Show Notes:

Internal recruiters != external recruiters
- Backgrounds are different
  - External recruiters come from varied backgrounds, virtually zero from infosec
    - Much like BD people
  - Internal recruiters are more likely to have a greater understanding of infosec or at least IT
  - A recruiter that doesn't understand security is more likely to make bad placements with higher turnover
- Motivations are far different
  - I want to choose people to spend a career with
  - They want to make a commission and meet SLAs
- Attention to detail is very different
  - A tiny detail that could betray a hidden skill set or flaw would likely be overlooked by a 3rd party
  - I have an interest in understating the person, not just the resume
    - What is their desired career/life trajectory?
    - How will our company enrich/hinder that life?
You are in competition with an army of low-skilled counterfeits
- You need to be able to demonstrate raw skills, not just list your certs
- Have a body of work available for review on GitHub, your own site, etc.
- Internships are a nice touch, but they cut both ways
  - You interned with unnamed-big-4-biz-consulting firm? Don't drag that culture in here. I fear for what you learned.
- Can't talk about where you interned because it was a non-DOD three-letter agency? Communicate that point to me in your way. If that is the truth, I'll trace you back and verify.
Always be client-facing
- I have seen many recruits passed over for poor hygiene, arrogant treatment of interviewers, disclosure of illegal activity, and just generally obnoxious behavior
  - You couldn't act like this on a client site and not get sent home; don't do it on the interview
  - Yes, you are talented...there's always someone cooler than you
Interview your interviewers
- You should have a standing list of questions for interviewers
  - Why do you stay with them?
  - What is the intended growth path? Organic? IPO? Channel?
  - Is there any merger/acquisition activity going on? Planned? Intended impact?
  - Is there any rebranding activity going on? Planned? Intended impact?
  - What conditions are driving this open role? Turnover? Internal restructuring? Organizational growth?
  - Will I be supported in my security research? How?
  - Does your company have a defined mentoring path? Why not?
  - How does the company support continuing infosec education?
Meet your team
- Watch the team interaction closely
- Can you see cohesion? Are they supportive or adversarial? Are they authentically happy with their jobs?
Understand the org chart you are stepping into
- To whom does security answer? CXX? IT Director? General Counsel?
  - Understanding this will help mitigate surprises later
Understand the company culture
- Big corp? Big corp problems.
- Boutique? Founder problems.
- Is there a "treehouse" mentality among the senior employees?
Never forget who you are
- I know you want a job, but don't take a job that is sure to kill you slowly from the inside
  - Like doing offensive security? Don't start in the SOC.
- Did you walk away from the interview(s) thinking that this company understands the care & feeding of hackers?
- If you can already see the point at which you will outgrow the company, is it the right place to start?
  - Maybe! If you have a goal of entrepreneurship, or of working for a specific team, this first step just needs to support that eventual goal. This may be detected by an astute interviewer, though.

Resume tips

One page.
- My dad started at the bottom, and worked up to EVP of a Fortune 50 corp. One page.
Focus on your work experiences and extracurricular infosec workrelevant
I'd rather read about 0days and CVEs than certs
I want to know about your community involvement
- 2600, local DCs, TOOOL, OWASP, etc.
- Presentations at cons matter to me, especially if I can watch you deliver information to an audience
  - Like a free audition, and believe me I watch every one people link in resumes
I don't care about your GPA, fraternity/sorority, who we know in common, what sports you enjoy, or what you look like. At all.
- Seriously, don't add a photo.

General tips

Code in several languages.
- Despite semantic differences, you should have a pretty good working knowledge of the most widespread VMs, coding languages, and compilers
Web apps are your paycheck
- Knowing the OWASP Top 10 is like knowing your middle name...not impressive in and of itself, but if you don't know them, there's something wrong.
- Many composite "red team" projects will involve some Web app hacking, and even the most specialized consultancies will agree to a Web app assessment for an established client
Think holistically, and make yourself more valuable
- If you can't write a report, of what value are your assessment activities?
- Seem always to have interpersonal conflict? Time to read up on Empathy and EQ. Be the go-to on your squad.
- Get comfortable with an audience. Toastmasters is there for you.
Learn the value of "the Halloween Mask" as Henry Rollins called it
- Sure, you're a young security professional. We all expect eccentricity from you. We're all also trying to make money and be taken seriously
  - Don't forget: in boardrooms of white-haired old men across the nation, we're still the same guys who lost them millions of dollars on ERPs and useless Y2K preparations
  - I'm not kidding about this.
- Don't wield your difference like a blunt object. A little bit goes a long way when you're also scaring the hell out of everyone with pen test reports.
- My life is far more complex and wacky than my coworkers know, and I talk a lot. I just know how much to let through the mask