Countercastle Cybersecurity

Cybersecurity Recruiters: Time For An Extreme Recruiting Model?

Extreme Programming

I started searching for new cybersecurity leadership opportunities 1.5 months ago, and wow — the market has certainly changed since I last looked for a job in 2011.

After posting my résumé to a handful of career sites, I was hardly prepared for the deluge of recruiter emails that began pouring in, and never let up.  I’m now receiving an average of 42 emails per day, with some days spiking as high as 65. (Granted, many offers aren’t matches for what I’m seeking, but that doesn’t lighten the load — I still have to spend time filtering offers for fitness). In the time it takes to customize a résumé and cover letter, a dozen or more offers will sometimes appear in my inbox. Many of my peers are experiencing this same frenzied demand, and news headlines concur: the cybersecurity job market is on fire.

Given the market’s breakneck speed, you’d think that hiring companies would be scurrying to respond to candidates, but this isn’t always the case.

Sure, some companies have been fast: an initial response came right away, with screening interviews lined up within days.

But over half of the companies where I applied took their sweet time, gingerly letting weeks pass before initial contact, or worse, between interview rounds. Spending time and money reeling in candidates — and then doing nothing — isn’t an affordable luxury in this market. (See “42 emails per day” above).

The cyber job market has gone transactional, just like everything else cyber touches.  This means recruiting may need to become transactional as well, since candidates seeking new challenges may only be available on the market for weeks, if not days — and soon, perhaps only hours.

Extreme Recruiting (XR) is one name that some companies have given to this more transactional, self-organizing, and fast-moving recruiting model. Borrowing concepts from Extreme Programming (XP), the idea is to move candidates as quickly as possible through a streamlined interview process in order to arrive at an initial offer pronto.

XR implementations vary wildly, so here’s my interpretation:

  • Treat initial contact with candidates as part of company onboarding, which means painting a clear picture early of what day-to-day life would be like after hiring.  Simply listing skills isn’t enough. Candidates want to know what they will actually be doing (the “user story,” in XP parlance).  Many recruiters I contacted couldn’t summarize daily job activities, so I had to wait to speak with hiring managers, wasting precious time.
  • Mine for candidates who are already in technical or social environments where talent is being proven. For example, if seeking hackers who are great team players under pressure, go recruit at team hacking competitions.
  • Respond to candidates within hours, rather than days. If recruiters are swamped, spread out the screening load to technical team members, who can CC: recruiters on replies to candidates.
  • Ask disqualifying questions ASAP. A job opportunity located 2,000 miles away won’t help a candidate who can’t relocate. Put key details (including job city and state) in the subject line of emails so candidates who aren’t a good fit can delete messages faster without bugging you. And, by all means, cut a candidate loose immediately during an interview if it’s obviously not a good fit; these days, it is far more impolite to string them along.
  • Have hiring managers partner with team members to develop screening strategies (“collective ownership”), and give screening activities high priority daily during hiring periods.
  • Have screeners vote on candidates by ballot across a range of critical categories for speed, rather than spending time discussing candidate qualities endlessly.
  • Hold daily standup meetings to review candidate schedules and progress; rank and re-rank candidates by their interview scores on a whiteboard (“refactor and integrate often”).
  • Screen for technical, soft, and other skills in a single meeting with key hiring managers and team members present. If this isn’t possible, and multiple screenings are needed, try to at least hold them all on the same day, or on consecutive days. But remember: while waiting for the next interview round, candidates may be receiving tens or hundreds of emails from other recruiters. Waiting carries risk.
  • Consider giving candidates actual work problems to solve (“unit tests”), rather than inventing hypothetical interview problems. This way, a candidate gets a real taste of the job, and interviewers better understand how working with the candidate will be. Examples: “How could I improve the security of this software, system, or process?”  “Our industry faces security challenge X; how would you approach this?”  “Our Python developers lack security awareness; give them an impromptu security awareness talk right now.”  Etc.
  • Be prepared to give an initial offer within a day when a suitable candidate is found so negotiations can begin without delay.  This may also help encourage a candidate to postpone pending interview appointments at other companies.

The old model of front-loading the hiring process with leisurely interviews and weeks of waiting is dead. The new transactional landscape requires speed and simultaneity: do it fast, and do it all at once, or risk losing talent.

Additional Reading:

Tough Love for Russia’s (Alleged) Election Hack

by Scotch Wichmann

The Director of National Intelligence (DNI) released its official report this week on Russia’s alleged hack of the DNC’s email servers and the 2016 election.

I was really hoping for a smoking gun, but the report proves nothing. It doesn’t contain a shred of forensic evidence. Its paltry 14 pages only demonstrate that Putin wanted Trump to win the election. How that passes for “secret intel,” I have no idea. Maybe I should open my own spy agency! Wanna join?

Grab the full article on Lifehacker here.

Security Secrets from a Hacker

by Scotch Wichmann

Unless you’re knee-deep in security, you might not know that spy and law enforcement agencies won’t hesitate to break the law in order to spy on you.

Or that most companies don’t know where their most valuable data is stored.

Or that the Defense Department has no idea how much it actually spends on top secret programs.

…And these are just the tip of the proverbial iceberg.

Want more security secrets? Check out my new Security Secrets from a Hacker article at Lifehacker.

H3ll0 W0rld

It only happens once: the very first post. (Don’t worry, I scanned it for vulnerabilities).

I’ve worked as a security consultant, researcher, and intelligence nerd (a.k.a. hacker) for nearly a quarter century now. And, while I’ve written about security in popular culture (and in my award-winning novel, which you should totally buy!), this is my attempt at a longer conversation.

. . . And it’ll probably be an idiosyncratic one, because I’m also a longtime performance artist known for crawling around on broken glass and sporting extra appendages.  This right-brained activity serves me well in my security work, since “seeing” the cyber terrain—and imagining what new attacks may come—require nonstop creativity, which is a skill like any other. You’ve gotta work that muscle, which is why my co-workers no longer blink when I show up to meetings limping and covered in band-aids.

Enjoy, and thank you for stopping by!