Recruiting cyber talent: the candidate you really should have on your team
If you’re not prepared to answer difficult questions about your organisation’s recent challenges, then you probably shouldn’t be interviewing new hires. A good candidate is interviewing you at the same time you’re interviewing them. If you come across as evasive, dismissive, or hostile, you’ll drive away top talent.
How much influence do you think denial has on your corporate hiring process? Not much, perhaps? Or none at all? Without casting aspersions on your organisation or brand, please consider that denial might play a much larger role than you’d like to admit. Companies are run by humans, after all, and we humans are … complicated. We don’t like hearing negative feedback. When another person – even one we know or like – makes us uncomfortable, we reflexively push them away to avoid feeling bad about ourselves. This is natural. It’s also counterproductive if we let this instinctive reaction interfere with hiring new talent.
This came to mind thanks to a social media post that crossed my Twitter feed late last year. A colleague-of-a-colleague using the handle @InfoSec_Elijah asked this question of our community:
“Today I was disqualified from a job during an interview because I questioned them [on] their low retentions and high turnover rates, along with topics I read in reviews on Glassdoor[.com]. Disqualification is due to them being ‘offended.’ Did I dodge a bullet today guys?”
InfoSec_Elijah’s tweet had received over 250 replies in the eighteen hours between when they posted it and when I read it. Community reaction ranged from “maybe” to a hearty “YES!” I didn’t see a single reply arguing that InfoSec_Elijah was wrong to ask those questions. Most everyone agreed that the interviewers’ reaction was a strong indicator that their company culture was dysfunctional (and, therefore, one to be avoided at all costs).
To their credit, InfoSec_Elijah didn’t name the company or any provide any information that might help readers identify it. Their post and subsequent comments in the broader discussion focused on whether the act of asking about indicators of the hiring company’s culture itself should be considered impertinent or offensive.
I agree with Twitter user @FalconDarkstar who opined: “Yes. A company that is a good place to work for and where management is accountable would have answers to these things prepared already and would own their mistakes.” That last clause is, for me, the most important element in the paragraph: leaders representing a company must own their organisation’s past mistakes and be prepared to discuss potentially uncomfortable subjects.
Another commenter, @megan1996, wrote: “Sometimes when you ask about past issues, you get a great answer about improvements happening now.” Megan was spot-on. I’ve interviewed a lot of candidates over the years. I’ve always been impressed with those job seekers who researched our organisation before their interview. One downside to all that research was that candidates heard stories about us. Some were true-but-outdated. Some were fabricated by terminated employees. Most lacked critical details that put the issues into context.
That’s where I came in. As the temporary personification of the company, I had an opportunity to build trust and credibility with the potential new hire. I might be limited in what I was allowed to divulge, however I could demonstrate transparency, accountability, and personal insight into how our organisation was continually improving. Whenever possible, I’d have true stories ready to share that not only answered the candidate’s questions, but also spoke to our department’s core values. This willingness to engage in good faith helped to cement a strong relationship with the candidate before they’d agreed to come work for us.
You might argue “That’s all good in the abstract, Keil, but how often does this really happen?” To that, I refer you to @InfoSec_Elijah’s Twitter bio, which reads: “Novice Malware Analyst | Threat Researcher | Malware Reverse Engineer | Network Administrator | BotNet Tracker | #DFIR | #BlueTeam | #YARA.” I have no idea what that last term means; all the rest of their credentials are the sort of things that CSO’s look for in a highly-qualified applicant to the security department.
This is something that we face in the cybersecurity world nearly every time we interview a seasoned professional. Setting aside the historically low overall unemployment rate in the USA, cybersecurity is a highly competitive field. Someone with @InfoSec_Elijah’s qualifications probably isn’t desperate for work; their qualifications make them highly attractive to enterprise IT organisations. For them, an interview is more of a peer-to-peer negotiation than a one-sided interrogation. They expect to be shown candour and respect.
Additionally, security professionals learn about Open Source Intelligence gathering (or OSINT) as part of the job. They know how criminals leverage Google skills and social engineering to dig up dirt on a potential target; they use those same skills to research the companies they apply to work with. We know this. They know that we know this. It’s never a surprise when a candidate asks an obvious (if disquieting) question about a negative story about us that exists somewhere online. We’re ready for it.
This isn’t unique to cybersecurity alone. Many highly specialised fields find themselves in the same position. That’s why there are excellent leadership training programs available that explain why it’s essential for managers and supervisors to listen to negative feedback dispassionately. If someone is aware of an embarrassing story, address it as forthrightly as possible. It’s possible that the person making you uncomfortable knows more than they’re letting on; any attempt to evade the issue or obfuscate the facts will be perceived as evidence of untrustworthiness. I can vouch for this, as I’ve been on that side of the interviewing table.
Train your leaders to establish credibility through transparency immediately in the hiring process. Be prepared to address tough questions head on. The candidate who does their research and demonstrates the moral courage to challenge your operation is usually the exact sort of perceptive go-getter that you want on your team … especially if you’re running a security department or organisation.
*The views, thoughts, and opinions expressed in this column belong solely to the author and do not necessarily reflect those of the author’s employer.