Nick Jeswald - Confessions of a Cybersecurity Recruiter (Part 1)

Getting Into Infosec

Inhoud geleverd door Ayman Elsawah. Alle podcastinhoud, inclusief afleveringen, afbeeldingen en podcastbeschrijvingen, wordt rechtstreeks geüpload en geleverd door Ayman Elsawah of hun podcastplatformpartner. Als u denkt dat iemand uw auteursrechtelijk beschermde werk zonder uw toestemming gebruikt, kunt u het hier beschreven proces https://nl.player.fm/legal volgen.

5y ago 36:33

MP3•Thuis aflevering

Part 1 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.

BIO:

I've been in infosec for 8 years, and in various IT roles since 1996 (Developer -> Sales Engineer -> BD Specialist -> Security BD -> Security Recruiting -> Dir. Corp Dev). However, I've also been one of the top recruiters for each company I worked at whatever role I've had.

Show Notes:

Internal recruiters != external recruiters
- Backgrounds are different
  - External recruiters come from varied backgrounds, virtually zero from infosec
    - Much like BD people
  - Internal recruiters are more likely to have a greater understanding of infosec or at least IT
  - A recruiter that doesn't understand security is more likely to make bad placements with higher turnover
- Motivations are far different
  - I want to choose people to spend a career with
  - They want to make a commission and meet SLAs
- Attention to detail is very different
  - A tiny detail that could betray a hidden skill set or flaw would likely be overlooked by a 3rd party
  - I have an interest in understating the person, not just the resume
    - What is their desired career/life trajectory?
    - How will our company enrich/hinder that life?
You are in competition with an army of low-skilled counterfeits
- You need to be able to demonstrate raw skills, not just list your certs
- Have a body of work available for review on GitHub, your own site, etc.
- Internships are a nice touch, but they cut both ways
  - You interned with unnamed-big-4-biz-consulting firm? Don't drag that culture in here. I fear for what you learned.
- Can't talk about where you interned because it was a non-DOD three-letter agency? Communicate that point to me in your way. If that is the truth, I'll trace you back and verify.
Always be client-facing
- I have seen many recruits passed over for poor hygiene, arrogant treatment of interviewers, disclosure of illegal activity, and just generally obnoxious behavior
  - You couldn't act like this on a client site and not get sent home; don't do it on the interview
  - Yes, you are talented...there's always someone cooler than you
Interview your interviewers
- You should have a standing list of questions for interviewers
  - Why do you stay with them?
  - What is the intended growth path? Organic? IPO? Channel?
  - Is there any merger/acquisition activity going on? Planned? Intended impact?
  - Is there any rebranding activity going on? Planned? Intended impact?
  - What conditions are driving this open role? Turnover? Internal restructuring? Organizational growth?
  - Will I be supported in my security research? How?
  - Does your company have a defined mentoring path? Why not?
  - How does the company support continuing infosec education?
Meet your team
- Watch the team interaction closely
- Can you see cohesion? Are they supportive or adversarial? Are they authentically happy with their jobs?
Understand the org chart you are stepping into
- To whom does security answer? CXX? IT Director? General Counsel?
  - Understanding this will help mitigate surprises later
Understand the company culture
- Big corp? Big corp problems.
- Boutique? Founder problems.
- Is there a "treehouse" mentality among the senior employees?
Never forget who you are
- I know you want a job, but don't take a job that is sure to kill you slowly from the inside
  - Like doing offensive security? Don't start in the SOC.
- Did you walk away from the interview(s) thinking that this company understands the care & feeding of hackers?
- If you can already see the point at which you will outgrow the company, is it the right place to start?
  - Maybe! If you have a goal of entrepreneurship, or of working for a specific team, this first step just needs to support that eventual goal. This may be detected by an astute interviewer, though.

Resume tips

One page.
- My dad started at the bottom, and worked up to EVP of a Fortune 50 corp. One page.
Focus on your work experiences and extracurricular infosec workrelevant
I'd rather read about 0days and CVEs than certs
I want to know about your community involvement
- 2600, local DCs, TOOOL, OWASP, etc.
- Presentations at cons matter to me, especially if I can watch you deliver information to an audience
  - Like a free audition, and believe me I watch every one people link in resumes
I don't care about your GPA, fraternity/sorority, who we know in common, what sports you enjoy, or what you look like. At all.
- Seriously, don't add a photo.

General tips

Code in several languages.
- Despite semantic differences, you should have a pretty good working knowledge of the most widespread VMs, coding languages, and compilers
Web apps are your paycheck
- Knowing the OWASP Top 10 is like knowing your middle name...not impressive in and of itself, but if you don't know them, there's something wrong.
- Many composite "red team" projects will involve some Web app hacking, and even the most specialized consultancies will agree to a Web app assessment for an established client
Think holistically, and make yourself more valuable
- If you can't write a report, of what value are your assessment activities?
- Seem always to have interpersonal conflict? Time to read up on Empathy and EQ. Be the go-to on your squad.
- Get comfortable with an audience. Toastmasters is there for you.
Learn the value of "the Halloween Mask" as Henry Rollins called it
- Sure, you're a young security professional. We all expect eccentricity from you. We're all also trying to make money and be taken seriously
  - Don't forget: in boardrooms of white-haired old men across the nation, we're still the same guys who lost them millions of dollars on ERPs and useless Y2K preparations
  - I'm not kidding about this.
- Don't wield your difference like a blunt object. A little bit goes a long way when you're also scaring the hell out of everyone with pen test reports.
- My life is far more complex and wacky than my coworkers know, and I talk a lot. I just know how much to let through the mask

Getting Into Infosec:

Follow Me on Twitter: https://twitter.com/coffeewithayman
Subscribe To YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Checkout My Book: https://amzn.to/2HP2i25
Sign up for updates and commentary: https://mailchi.mp/467573a314e5/gettingintoinfosec
Website: https://gettingintoinfosec.com

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

62 afleveringen