InfoSec Recruiting – Is the Industry Creating its own Drought?

InfoSec Recruiting – Is the Industry Creating its own Drought?:

The InfoSec industry has a crippling skills shortage, or so we’re told. There’s a constant stream of articles, keynotes, research and initiatives all telling us of the difficulty companies have in finding new talent. I’ve been in the industry for over 30 years now and through my role as one of the directors of Security BSides London, I often help companies who are struggling to grow their teams. More recently, my own circumstances have led me to once again join the infosec candidate pool and go through the job hunt and interview process.

I have been in the position of hiring resources in the past and understand that it is not easy and takes time. But having sat through a few interviews of my own now, I am beginning to wonder if we have not brought this situation upon ourselves. Are the expectations of recruiters out of proportion?

Yes.

Are they expecting to uncover a hidden gem that ticks every single box?

Yes.

Is it really true that the infosec talent pool is running empty, or is it that the hiring process in the industry is creating its own drought?

Maybe?

Part of this situation may be coming from the way hiring managers are questioning candidates. There is no perfect questioning methodology, but today, focusing purely on technical questions cannot be a good solution because – LMGTFY – even fairly lazy candidates can study and prepare for any technical questions beforehand. It might seem obvious that a hiring manager needs to look at a wider scope, evaluating the candidate’s ability to learn, adapt, and demonstrate their analytic or creative capabilities, but this is the part that seems to be missed.

I’ve always taught and been taught that asking questions is a good thing because it demonstrates logical and analytical thinking and shows that you are trying to better understand the situation and audience and react with the most appropriate response. If a hiring manager simply pursues a vague line of questioning they’ll only ever be able to evaluate a candidate by taking a subjective decision. I’ve even heard reports that hiring managers have rejected a candidate on the basis that they felt the person would outshine them.

In people management, one of the rules that you learn is that you need to evaluate performance based on attainable and measurable indicators. I propose this needs to be the same for the hiring process so that the hiring manager can make a meaningful decision.

Ultimately, interviewing a candidate on the principles of discussion, exchange and analytic capabilities will help the hiring manager identify the right person. It’s important to assess whether the person has a good foundational skill set that allows them to analyse and understand the work that needs to be performed. A good candidate not only needs the technical competencies but also the softer skills that help them adapt, learn and acquire the broader capabilities needed to successfully integrate a team. Onboarding and probationary periods are there to allow a team to conduct a final check of the candidate’s technical and soft skills.

So what needs to change? I believe hiring managers need to ask themselves whether searching for that golden needle in the haystack is the most effective way to identify and recruit talent. By changing the perspective that the interview process should be more of a constructive discussion instead of vague and rigid Q&A, companies will get a better view of how that candidate might actually work on the ground. And by adapting questions to the level of experience in front of them, they are likely to see much more potential from every candidate that they engage with. Sure, the infosec talent pool might not be overflowing, but maybe our skills shortage isn’t quite as terrible as we might think.

(Via Liquidmatrix Security Digest)

A friend and former employee of mine has been in the job hunt. Recently we caught up over lunch. The stories he told of the interviews and the overall process gave me flashbacks in my own job hunt over five years ago.

Our industry has a habit of not learning easy lessons, and it fails to learn them over and over again.

The approach I continue to advocate is to find the right fit for the position and team. And having some diversity in staff — in skills, abilities, and personalities as well as the traditional factors — makes for a stronger, more resilient team.


Performance Reviews are a Waste of Time

I dread linking to anything posted on Medium, but Performance Reviews Are A Waste of Time by Xavier Shay echoes much of my feelings about how useless they are.

I enjoyed Jamie Thingelstad’s article write-up:

Formal feedback mechanisms in companies are hard. I’ve come to think of performance reviews as an organizational insurance policy. The process and mechanism for them insures that a bare minimum of dialog is happening. I really don’t know of anybody that feels that they are an effective way of leading and managing teams. I think that is summarized in the common refrain that there should be nothing new learned in a performance review.

(Via Weekly Thing Newsletter Archive Feed)

Back when I was a manager and my direct reports were local-ish (I rotated weekly between the three cities in two countries where they were) I had to do the annual review and instituted formal quarterly reviews.

They sucked. They were one of the many mistakes I made as a manager.

However, I found more value – and I am told my team did as well – in the concept of “Management by Walking (or Wandering) Around”. This was hugely informal and unintentional. I didn’t want to be holed up in my office all day. My team was doing the kinds of technical work I enjoyed but from which I had to step away. And I valued their input and ideas in an ersatz Socratic Method to help with the bigger picture stuff.

I liked, trusted, and valued my team, so why wouldn’t I want to be closer to them than my offices offered?

Many modern workplaces with remote workers don’t necessarily have that benefit. Tools like Slack can’t really make up the gap, especially if your team is global. The formal performance review still fits poorly.

I should have seen the performance review as a company insurance policy back in the day.

Interestingly, I was contacted not too long ago by a colleague who felt “railroaded” by a sudden bad performance review. I advised challenging it with the formal HR process with plenty of CYA (Cover Your Ass). Turns out the supervisor involved had nothing to back up their position but my colleague had plenty to refute.

The bottom line is as always: protect yourself; document everything; use the HR system to your advantage; and don’t accept the premise.

Reproducible Research for Management | Irreal

Reproducible Research for Management | Irreal:

Derek Feichtinger has an interesting post in which he describes the application of reproducible research and literate programming to management problems. As an example, he considers generating a budget for a pair of related projects. His workflow is to first generate an outline describing his goal and the information he has and to refine that with subheadings as more information becomes available. That provides a history of the project and automatically tracks changes.

(Via irreal.org)

I really like this idea. Something to think about.

Reviews: Hollow, Go On Forever & Full of Stars

When I first managed people, just as I’d taken over a troubled retail sales department and had to do performance evaluations, I got a great piece of advice from my then mentor:

> If all your reviews are a 5 you are doing it wrong. You may have reasons to rationalize such scores, but you do no one – especially yourself – any favors by doing so.

We, my new team, turned the department around quickly. I ignored my mentor’s advice and went ahead with my “All 5” reviews (the best possible) and … they were rejected. I had to do them all over again, this time with supervision.

My mentor rightly chastised me for ignoring his guidance and then gave me the next nugget:

> If your team is all 5s, they’re all 2s.

Meaning if your baseline is so high and everyone gets the highest level, normalize the baseline. And it’s probably still too high.

> If people don’t have a challenge to overcome they will tend toward complacency.

I was lucky to have smart leaders. They saw my naïveté as an advantage. My short-sighted management style was converted into a galvanizing experience for the team. Meanwhile, I reassessed.

Fast forward to today. We rank all kinds of things: Amazon purchases and podcasts and Lyft drivers and restaurants and beers and so on. How many of us default to 5 stars or equivalents? What about vapid or useless “me, too” comments? And how about the essay review? My approach is evolving, but in short:

> Am I adding value and what value am I adding?

If I experience something enjoyable but otherwise unremarkable, am I doing anyone any favors by assigning a 5? Better to make 2.5 the baseline.

What about the skew toward high scoring? Am I not making it worse for some things?

I try to add content to the review. A 3 beer, for example, is better than the average mass produced brew. If I give a beer such a score I will add the context to the score. Maybe it’s dry or fruity or hoppy or has some other attribute placing it above the norm.

Until this becomes normal I do not rely on straight-up scored reviews for anything substantial. Again, with beer or food I will trend toward the high scores with high review counts.

I suggest all embrace circumspection in scoring of things, services & people.

Let me know if you can identify the post’s title reference.


Reading Room – Memorial Day ’15 edition

A travel weekend for me, and a long weekend for many of us, so plenty of opportunities to catch up on my reading list.

Surface Pro 3 Field Guide by Paul Thurrott & Martin McClean, 0.09 draft version

Not a security book per se, but it is helping me get the most out of what is quite possibly the best laptop I’ve ever owned. It is without a doubt the best tablet I’ve ever owned.

Essentialism – The Disciplined Pursuit of Less (Kindle Edition) by Greg McKeown (Hardcover, Audible)

Again, not a security book. The concepts tie into my drive to simplify and declutter my life, professionally and personally.

As a leadership book, the concept of reducing your field of vision to what is truly important helps focus precious resources on the things that hold real value.


Should employees be punished for sloppy cyber security? [POLL] | Naked Security

Assume that it’s time for Bob’s performance review.

Bob’s boss says he’s a great addition to the team. Easy to work with!

And the sales numbers? Hot mama, Bob’s smokin’! Mr. Bob surely has worked himself toward a big, fat raise!

Or not. Bob would have gotten a raise, that is, but he got fooled by a phishing email and unwittingly invited the bad guys in through the front door, torpedoing Widget Industries Ltd’s multimillion-dollar investment in security systems.

Fiction! But can you imagine if this were really the way employees were assessed? They answer a phishing scam email, they trigger a major security breach, and then they’re held accountable?

via Should employees be punished for sloppy cyber security? [POLL] | Naked Security.

A thought experiment, sure, but one that leads in some interesting directions.

Should You Bring Mom and Dad to Your Office? – WSJ.com

This is mind blowing:

A 2012 survey of more than 500 college graduates by Adecco, a human-resources organization, found that 8% of them had a parent accompany them to a job interview, and 3% had the parent sit in on the interview.

via Should You Bring Mom and Dad to Your Office? – WSJ.com.

That’s 15 applicants bringing Mom & Dad along for the interview. I was a hiring manager in some of my past professional lives. I never encountered a parent hovering over an interview. I don’t think I would care if the parent tagged along, but I would not let the parent into the actual interview. If pushed I would either say no or rank the applicant lower regardless.

… parental involvement in the U.S. doesn’t begin to match countries in Asia and South America, according to a 2013 study from the global accountancy firm PricewaterhouseCoopers LLP.

The study, which surveyed 44,000 people from more than 20 countries, found that just 6% of recent college graduates surveyed in the U.S. wanted their parents to receive a copy of their offer letters. That’s well below the global average of 13% and much less than some other countries, where it was as high as 30%. The study also found that just 2% of young employees in the U.S. want their parents to receive a copy of their performance review, compared with the global average of 8%.

Having recently gone through a job hunt I shared details with my folks and other trusted advisers but never the actual correspondence. Again as a hiring manager I don’t think I would agree to sending a copy to anyone other than the applicant.

This could be a generational thing, but as a parent I would never consider intruding into my kids’ lives to this degree.

What do you think? If you’re a manager, would you hire an applicant who brings parents along? If you’re a parent, would you want to tag along on your child’s job interview?

Timing is an influential risk-factor for cyber attacks – Help Net Security

There are several dates throughout the year that are notorious for wreaking havoc on businesses via DDoS attacks, data breaches and even malware or botnet assaults.

According to Radware, there are two types of dates that hackers target: ideological and business-relevant dates. Ideological dates refer to holidays and anniversaries that have a cultural, religious or secular tie to the adversary. High-risk times for the United States include September 11th, Memorial Day, Election Day and Independence Day. Business-relevant dates involve a period of time when companies are particularly vulnerable to attacks, such as Black Friday, Cyber Monday, or even regular business hours.

Additionally, hackers commonly use important dates and holidays to disrupt specific industries. For example, retail and credit card companies see a significant rise in cyber attacks between Thanksgiving and Christmas, whereas government websites may be targeted during Election or Independence Days.

via Timing is an influential risk-factor for cyber attacks.

Good but generic advice in the article. If you work for a multinational you’ll need to keep in mind dates and events beyond the US – the football (soccer) World Cup, for example. User education is important, but the returns diminish over time, especially if you cause fatigue in your users. Pen testing is good, as is a commitment of time and money to security infrastructure life-cycle management.

Why Marissa Mayer’s ban on remote working at Yahoo could backfire badly — Tech News and Analysis

Mathew Ingram at GigaOm wrote an article on Yahoo’s new policy on remote workers:

Not long after her arrival at Yahoo, new CEO Marissa Mayer started handing out carrots to her new employees, including new smartphones, free food and other Google-style amenities. Now she has brought out the stick: namely, a directive that employees are no longer allowed to work from home, something that is expected to affect as many as 500 Yahoos. Mayer’s move has its supporters, who argue that she is trying to repair Yahoo’s culture — but in doing so, she could be sending exactly the wrong message for a company that is trying to spur innovation after a decade of spinning its wheels.

The moment I first heard Yahoo had proclaimed this policy I became angry. It does not impact me directly, but as a highly skilled and experienced IT Security and Networking professional now on the market I can say that Yahoo is no longer on my list of companies I’d care to work for. Here’s why.

About 15 years ago, while I worked for EDS as a Network Security Administrator, my marriage fell apart. Up until then I rarely if ever worked from home. With divorce looming I had sole custody of my two young kids. I had to work from home when they were sick or off school. At the same time my role at EDS changed to include firewall administration, demanding more of my time to cover on-call and odd support hours.

I was fortunate to report to managers that understood my situation and worked to help me. I worked with a great group of professionals who didn’t complain about my flexible work schedule. In fact we all worked together so everyone could have the same flexibility I had. How did I handle things? I became infamous for keeping sleeping bags, pillows, snacks, and toys for my kids in my cube. I don’t know how many nights I carried the two of them into the data center in the middle of the night, each slumped over a shoulder while I badged through the security doors. They slept on the floor swaddled in their sleeping bags and little heads resting on Disney-themed pillows, lullabied by the white noise.

When I interviewed with Magna I was very upfront about what I needed to do to take care of my kids and what I would do in return. They took me on without hesitation, and I always appreciated and respected the trust they placed in me. Similar to my days at EDS, the team at Magna embraced me and the flexibility I needed. I repaid my boss’ and team’s trust in many of the same ways I did for EDS, but there was one case that was above and beyond.

For reasons that escape my memory the IT staff in Europe all quit on the same day. The organization I worked for was very lean. There were no extra people around to help fill in while they hired new staff. I stepped up, waking between 03:00 and 04:00 Eastern time to support Europe until I had to get my kids ready for school. I’d drop them off (no bus service) and return to cover the rest of the European day and my normal work. I was caretaker of servers and services in addition to the network and security. I did this for almost 6 months from my basement, buying the European IT director time to hire some great team members.

When I moved into management my team earned from me the same opportunities and respect that I had earned. With instant messaging and email, IP telephony and video conferencing, and cheap Internet-based VPNs back to the company, they could do everything from home that they could do from work. Yes, you cannot replace face-to-face interaction. But by the same token, how much hallway and water cooler talk is mere friendly trivia?

I’ll leave how companies choose to handle working from home to what makes sense for them and their business. But I want the conversation rephrased to talk about working from home as a tool and not a benefit. It can help both the employer and the employee, and that can’t be taken lightly.

I sincerely hope Marissa Mayer reconsiders her decision. She’s closing a door on quality hard-working talent that will go elsewhere just at the time when she needs them in Yahoo.

via Why Marissa Mayer’s ban on remote working at Yahoo could backfire badly — Tech News and Analysis.

New Adventures in Life, the Universe, and Everything

NOTE: For those of you who came here because of my running Ubuntu 12.04 on T430s series, that is at an end. The laptop was my work machine. I’ll try to help point people to more information but I can’t provide configs or verify settings any more.

This past Tuesday I was “let go” from Magna, the company where I worked for well over a decade. Upper management’s move came out of nowhere, and a number of my now former colleagues did not see the change coming either. It was really hard to experience, it’s not something I’ve ever been through before, and I’ve no interest in experiencing it again.

I’ve got good things to say about my time at Magna. I value my time and work there. I will miss the people. I will especially miss my team.

After Tuesday’s kick in the gut I took Wednesday off to let things settle emotionally. Thursday I kicked off the job hunt.

My plan as of now on prjorgensen.com is to write about the job hunt, what I’m doing for it, and what kinds of things I should have planned for while I was gainfully employed. Looking at this change as an opportunity I will also catch up on my InfoSec and IT reading backlog, so you’ll likely see write-ups. I’ll dig into privacy issues, politics and IT, and other topics as I’m moved to write.

My personal plans and journey you will find over on Harmony Pirate.