Who's excited? Who's been up since, like, yesterday? So welcome to our talk, Hackers Hiring Hackers: How to Do Things Better. Eventually I'll figure out where the right place to hold the mic is. A key component of this talk is audience participation, so we're going to ask you lots of stupid questions so you can raise your hand. We want you guys to share your war stories. Feel free to ask questions at any given point, and also, if you think we're just spewing complete bullshit, let us know. Be respectful about it, but that's one of the great things about DEF CON, right? We can call bullshit and then talk about it. Okay, so, but not literally. Not literally.

So the way that Irish and I came up with this talk was, I was in his area for work and we met up, and we were just drinking, eating, and we started talking about how bad things were trying to find a job in infosec, even for those of us who've been there for a while, let alone the noobs, right? So before we go into the introductions and stuff: whose first DEF CON is this? Oh man, that's awesome. How many hiring managers do we have today? All right, cool. And how many of you are currently looking for people to hire? Nice. And how many noobs do we have, like newly graduated, looking for your first infosec gig? All right, that's great. How many of you guys are actively looking for the next thing, or just kind of curious what's going on? The rest of you guys are just here to heckle, nothing else better to do? Okay. Yeah, I know, right?

Disclaimer: this talk was not done with any consent by our employers, past, previous, or future. This is us. Mic, it's gotta be up. Oh well, all right. This talk was not done with any consent by current, future, past, or present employers. This is just Tottenkoph and myself expressing our frustrations and how we can do better, both as hiring managers and as people applying for gigs. You can read all the legalese there; this is just us talking.

Okay, so who are we? I'll let you guess which picture represents which one of us. If you're gonna have me wear the bow, that's gonna cost extra; this is Vegas. Who here is a human? Which one? Yeah, we're trying to figure out the mic thing, it's okay. So yeah, we're both currently in the information security industry. I'm a security consultant with Rapid7; I basically do training and deployment. Irish, what do you do? I typically do blue team protection, and currently I'm working as the director of a research group.

So why are we talking about this? Why the hell would we have this conversation at DEF CON? Well, there are a lot of sexy talks about how to pwn this and how to pwn that and how to solder these things together, but there are very few that address the human element of this. This is a social engineering exercise, if you want to look at it and put it in that context. How do we get people hired? How do we get people interested in our roles? How do I get that right resume that represents who I am and who I'm about to be in this role, and get that next opportunity? Both sides have not been doing a very good job of this, and we'll have some examples later. Actually, we're doing a poor job of communicating our expectations of the job. We're going to interviews without knowing how to showcase our experience and how to posture ourselves, in trying to represent who we are, what we can do, and how we can reduce that risk for the organization. And from a hiring manager's perspective, sometimes we get those applicants, we get those interviews, where we just don't get a good feeling that they're interested in that role. And from the job seeker's perspective, right, us as hackers, either new or experienced, we're getting frustrated because we don't know exactly what they're looking for. The descriptions are ambiguous. We go in, they tell us that there are no hackers to hire and they really want a hacker, and then we show up with our experience and our willingness to learn, and we feel like we're getting shut down for no good reason. And how many of us have heard, oh, it's hard to find people to hire?

Sorry for the technical difficulties, folks. It's hard to find people to hire; we scare the folks that we're trying to interview with or talk with, we scare folks in HR or recruiters, and we keep shooting ourselves in this process. Getting and retaining talent is that social engineering exercise, right? How is it social engineering? Well, from a hiring manager's perspective: just finding people interested in the role and getting them to apply; getting that upper management approval for the role; getting it through HR in a position description that they'll let get posted on the website; and also, let's not forget, once we get them in that role, being able to nurture that candidate so they grow personally and professionally and want to stay and help other people, and yourself, grow personally and professionally. Because how else can we be better individuals, how else can we be better hackers, without helping each other out? From the job hunter's perspective: writing that convincing resume; writing that cover letter that expresses why I want this job, why I'm looking for that new role; getting through that interview process, not just with the hiring manager but with those other team leads that we also have to talk with and get their input, and the folks that you're going to be working with in that role; getting and negotiating that suitable offer for the environment that you're in; and just showing up on day one and getting onboarded. Again, apologies for the technical difficulties.

So, expectations. We broke it down into four different core problems, or core opportunities to improve. There is nobody to hire. Oh, but hey, you want to work in our corporate office in Wichita on a six-month contract-to-fire with a rotating SOC shift cycle? Because we've never gotten those calls before, right? There are folks to hire, just not in our market, not in your salary range, not with the requirements you have.

Okay, so what do we need to do? We need to set and adjust our expectations from both sides of the table, and also nurture and grow the team that you have. Somebody who's talked about this for many years has now recently started a series of blog posts, and I want to stick this in here: hiring the unhireable. There are folks to hire. We've got to set our expectations appropriate to the organization, what you need, and also what's available out there. So what do you want? Hey, I want a junior-level, or I need an entry-level person, but hey, they need to have five years of experience? What? Bingo, right? So again, it's setting those expectations: what things can you pay for? How well did you socially engineer your supervisors, your bosses, and your financial team to get the funding you needed for that role? Match the expectations and requirements to that. We've seen those position descriptions that are all over the map. You want a jack of all trades and master of none? So what do you really, really want? And I'm not doing the dance, sorry guys, it's too early and I have not drunk anything yet. I'm not doing the dance.

Hey, if you want a log monkey, if you need somebody to work in a SOC, say so. We've all seen those encrypted sort of job descriptions that make no sense and just have a list of buzzword bingo. And if a log monkey is what you're looking for, that's okay, because there are a lot of broke-ass college students who will take anything. But if you don't tell them that they're going to be a log monkey, and that it's going to be something that they can learn and grow into, they're not going to apply, because they're going to think they're underqualified. Because something that a lot of us suffer from is that imposter syndrome, right? We're not good enough, we're not qualified enough, people don't like me, and your job descriptions aren't helping. We don't know that what you're looking for is entry level and that you're going to help us grow with your company. So just say what you want.

So what really matters to your environment, to your team, to the business that you're supporting, with that experience? Don't ask for things just because; that's really going to limit your pool of applicants. Because yes, there are going to be folks who are going to go, "I've never done this with X tool," and they're not going to apply, and that might be the perfect candidate for you, or that could be the perfect candidate within three to six months because you've helped them nurture and grow. Yes, we've seen those job descriptions. We've seen those job descriptions where, oh, you have to come from an Ivy League school, and you have to have those certifications that none of us could afford on our own, and we all know how that testing process is just so awesome. So another thing that helps is letting people know: if you don't have these certifications, if you're willing to get them within X number of months, that's good to have on there too, because that shows the job hunter that you actually care. So what do we end up doing? We end up begging, borrowing, stealing from other companies that were able to nurture and grow their team. We need to help grow our own. We need to help nurture our own.

So, scope. Hey, what's that role for, right? What are you trying to do? Get into the specifics of it, Mr. Hiring Manager or Mrs. Hiring Manager. Or is this all of the things, you want a jack of all trades, master of none? We understand that sometimes that needs to be the case if you're in a small organization and you only have one or two people on your team. But where do they fit? Where are we supposed to fit within that organization? Does it make sense that we fit underneath IT, or underneath legal? And certainly for a lot of startups: hey, we need a security person, so let's get a security architect and throw them underneath the manager of IT, which is a conflict of interest.
And from the other perspective: hey, apply and the job is yours, for all the money and the trip to hacker summer camp. Don't we wish. There are certainly conversations I've had with candidates that expected double and triple what the going rate was for that role in that area. Okay, are you guys just trying to troll me, or are you really looking for a new role? Great question. So the question is, what is the rate? And that's dependent on where that organization is, physical location, and also what the job is and what it entails, and experience. There are multiple qualifiers that fit into that. Yes, correct. Okay, so the question is, hey, would we have some references for figuring out what that rate is? Why don't we circle up after, and I can give you a couple of those. There are a couple of websites specifically for, hey, if I'm working in X location, what do I need to move to Y location, what's the equivalent of that? There are a couple of different salary surveys as well to read into and figure out what's going on, and then figure out what the differential is to the location that you're at. Yes, sir? Yes, so the scenario, yes: I would like an unpaid intern for my team, with experience. Thank you for the segue. Because we don't know how to convey it to our HR, so they just know what they think they want. So that's kind of when it becomes a social engineering exercise, right?

So, the application process. How do we even get this put together? And this needs to be done on both sides before we even make the first calls, because you know what, the candidate could have finished the application process, been hired, and started somewhere else before you've even reached out to them via email going, hey, how would you like to get an introductory phone call with our HR recruiter? So how do we even find candidates? And that's us hiring managers getting out there and meeting them face to face, helping build that rapport, helping contribute back to the community, even working online with stuff. Okay, I haven't done that in years, I don't know what you're talking about.

So, hey, she's colorblind, leave her alone. Anyways, the other thing to think about is your role as hiring manager in talent, more than a lack of technical staff or the lack of upper management. And some of the things that one of the gentlemen here in the audience was talking about is that gap of middle management. We're the ones that do the staffing, we're the ones that actually go out and spend budget, and we go out and try to ensure the best optimal practices for using those tool sets in our environment, trying to manage and reduce risk. When there's a failure at that level, then the whole thing falls apart.

Oh yeah, let's talk about HR and recruiters. You have those paid recruiters, those overseas body shops; you can tell by the first syllable of the voicemail or by the subject line. Need I say more? I will say that the CEO of e24 has an interesting blog post called "Dear Headhunters, Fuck You." It's actually quite an interesting read; I would highly recommend it.

So, types of questions. When you're figuring out what that position description is, that should match up to the types of questions and scenarios you're going to be talking through during the telephone and in-person interview process. Look at the job description that you put out there and then use that to tailor your questions, right? Like the big old one: how do I find out if this person actually has this, or if they're just echoing past recruiters in defining those key areas? What are those interesting things? As one of the gentlemen mentioned earlier: hiring a recent college grad with five years' experience, Olympic medals, and superpowers.

And compensation. You have an idea as a hiring manager for your particular area, or I would hope you have an idea. Pay them what they're worth and what you're capable of, and if you can't, then how do we work it other ways? Vacation, flexible work schedule, maybe work it out in a training budget to help nurture and grow that individual. If we can't pay them the compensation, there are different ways to work around that, from both a hiring manager's perspective and someone who's trying to get hired. It's not just about the Benjamins, at least I hope not. We want professional development. Thank you, Startup Jackson. Just before, in the workplace, just the stock options and the free lunch isn't going to cut it. Okay, the beer cart and the ping pong table isn't going to cut it either. An awesome UX, love it. Especially millennials who are entering the workforce, they're going to have a completely different set of expectations from the majority of us who have been in the scene, in the industry, for a while, right? They might be happy with the T-shirt and the cool free lunches and beer on Friday. So sometimes you can offer different things to different people that you're looking to hire, and that's okay.

So let's talk about the applicant tracking systems that we all love. From a hiring manager's perspective, we have to remember that's the first or second step after looking at that position description you have posted, and it's giving that first impression to the candidates you're hiring. Okay, why are you asking for PII in the application process? Why? And do a check. So, perfect example: why are you asking for social security number, driver's license number and state? For what? This was a senior manager of information security position. So another great example of the sexy, right, is they're asking for date of birth and driver's license number. By the way, this is a CPA auditor company. The HR gal that replied back to me saying I didn't get an interview never responded to my emails about, can I talk to your information security team about the privacy violation you have on the application website, please? Because notice the nice lovely certificate there too. In the consideration of time, okay.

Background check. That's not whether somebody's qualified or not; that's just saying what sort of background this person has in regards to credit and legal, law enforcement issues. As hackers, some of us make bad decisions; others are just caught. So background checks, yeah, that's done after the interview process, because that costs some money, and that is directly against a line item in my budget. So if I'm serious about someone, I'm going to have the conversation with them beforehand: hey, this is the HR policy for the organization, I need to do this, is there anything we need to talk about beforehand? And there's a form and a proper way of submitting that form with the PII on it so that it's safeguarded and done appropriately. Correct, a lot of times this information isn't being used. And you, sir, are going to be my segue person for the rest of this talk.

Oh, I can't put special characters in a password? Guys, really? And it's a known gaming company. Doesn't make sense. This one was weird: here, click on this link, and I get this pop-up going, you're logging in as username HR, but the website does not require authentication. Fail. So this gentleman here was filling out a job application and was frustrated enough with this question: which meme do you most identify with, and why? So he did not put in any context about what sort of job he was applying to. Now if this is an online media company or a role that deals with this, it might be relevant; certainly for infosec it would not be, in my opinion. This might also, depending on the question, reflect a little bit on ageism too. Okay, so that's part of selecting the right questions at the right time. Should this be an essay question when I'm not sure if you're looking for a humorous or serious answer? Or would this be more appropriate for an in-person interview where you can have an interaction and conversation about it, and why it's the fail boat? Okay.

Hackers hacking the resume. No BS, guys and gals; we can figure it out rather too easily with some of the questions we're asking. It's about matching that role in the big HR system, knowing what the terms mean, trying to reflect what you are trying to do or want to do in this role, because we're going to throw the bullshit flag. Please do put it on your resume, but let us know how limited or experienced you are with that, because if you've been into it in the first place and you can navigate around, and you've done, very likely, a penetration test as part of your coursework, I want to know about that, because that's relevant to my interest. That way I can help you work on your path to become a pentester, if that's what you want to do and if that's what I'm hiring for. Yes, I have a file of the worst resumes ever. Yes, I do redact them to protect the guilty, but those I use as examples when I'm mentoring my interns and young staff on what not to do. Don't give me any more; I have enough examples. And it's tailoring that resume to make it relevant to the employer, to the hiring manager. It needs to be long enough so it reaches where it's supposed to go. Oh, it's only supposed to be one page? It's only supposed to be two pages? Does it reflect what you can and want to do, so it reaches where you want to go? Honestly, for myself, I have a two-page resume and I have a full CV that's five pages, and I submit both. Yeah, that's the next slide, though. So the one- or two-page or the full CV: I send both, because humans want different things, different hiring managers want different things, different HR folks want different things. I've even run into companies where, if the resume was not formatted to their company standard, you didn't even get a phone call. No, they didn't tell you; you had to know. Yes, file names make a difference, and sanitizing the metadata. Managers make mistakes, HR makes mistakes, and we lose documents, and good labeling helps you out. Determining if you're qualified or not is not your job yet when you're applying for a gig, hackers. It's the job of HR, and perhaps the applicant tracking system, and that hiring manager to make that determination. Keep that in mind when you're applying and looking at the world of those roles.

So you have the heavyweight applicant tracking systems, the Taleos, the iCIMSes, the heavy ones that we just love to hate, and then you have the lightweight ones that are just a simple submission, keeping track of who's submitted and whatnot. With those, especially the heavyweight ones, it's recommended to be one of the first to apply, and to try to fill out every application box or text box in that application, and if you don't feel comfortable filling it out, put a dot, put a period, something else in there. On those resumes: web-safe fonts, be sure to spell check and spell check again, and have a friend who's an English major read it over for you. Don't use graphics or special characters; the ATS systems can't digest it and will spit it out, and don't think that HR is going to call you and ask you, hey, your resume got messed up when you applied, you need to resubmit. I do not want to see text that looks like a 12-year-old girl with a gel glitter pen wrote your email. Use, like, Times New Roman in 12 point, whatever; just make it easy for me to read. And if you're trolling and using Comic Sans, that could be okay too, as long as I can get that that's a troll. That email application, that's your opportunity for that cover letter: why you want that job, why you think you match that job, what other things you can't easily convey in the resume. And of course an email digital signature is a bonus: hey, you understand how that works. And really quick, for the military and government jobs, they have their own special snowflake website, which is the worst, most unwieldy thing from death you've ever experienced, and it was breached like they all are. Be sure to answer the qualifier questions as best you can. The hint with that is to look at the description of all those questions, write it up first, then go into the submission process. If you're trying to wordsmith while the application is up, you're going to set yourself up for failure.

So we talked about this: customized resumes. Hey, that one- or two-page resume for the human digestion, awesome. The full CV, submit into those heavy CV systems, the ATS systems, pardon me, because they're doing that word matching; you need the indicators. So go to the next slide, and you're not going to be the second person for segues in our talk. So yes, there are little tricks for when you do applications on USAJOBS; that's just one of them. This is probably not the forum to further discuss that, because I'm going to say: don't hack with your resume. Yes, I have gotten folks that have applied for my jobs with exploits in the PDF. Seriously. Yes, I check for those things. Come on. Now let me put that caveat in there: is the application process an opportunity to do a penetration test on the application system? That's after you get hired, okay, and you have to have that get-out-of-jail-free letter. Since we're talking about government stuff: security clearances. It does not belong on the resume, it does not belong on LinkedIn; you're making yourself a target. Go read the documentation that you read from DSS and OPM. And no, it doesn't matter, yes, it all got stolen. All right. And yes, I've known folks that have lost opportunities over that, and all I can say is, if that organization can't handle doing this in the right process, in the right way, do you want to work for them?

This is a time to communicate professionally, folks. Professional-looking email, professional-looking cover letter, professional-looking email address, digital certificate, the whole nine yards, because we're going to be expecting that within the work as well. And yeah, I'm going to Google that email address and I'm going to Google that username. I would also treat every conversation with a recruiter as an interview: best behavior, best language, and selective answering on those questions. It's you trying to figure out which of those recruiters that you're working with is one of those body shops overseas, or is it actually a legit recruiter locally, working with that company, trying to match up those skills to what's in that environment.

Interviews. So a lot of us have problems with the interview, on both sides. From the interviewer side, it's pretty difficult, because we're building out our questions, we're trying to figure out who's bullshitting us and who's not, who's qualified, who's interested in learning, and who's just wasting our time. The stump-the-monkey questions get us nowhere, folks, and we've all had them. Avoid rapid-fire questions. It's important to know if someone's bullshitting or not, but you're not there to sit there and have them regurgitate their last couple of years of college. We're talking about that question bias; we're talking about not being a dick. It's amazing we have to have a day, it says, let's-not-be-a-dick day. So what if the candidate does not know how to work with oak or maple or pine, or Palo Alto or Cisco? Can they learn how to work with that? Can they learn how to use that tool to find the threats in your environment, or pwn that box, or write that policy? I don't care what port, excuse me, what protocol uses port zero; I can go look that up. We should not be reinforcing the rote memorization answers that our school systems have ingrained in us. It's about thinking outside the box, thinking about what's going on and figuring out how to stop the badness.

Who can't control when their contract ends and they have to get a job as quickly as possible because they need that money? So please just keep that in mind, and don't automatically discriminate against someone because of, like, their job hopping, because if you talk to them and find out what the background is, it could just be something simple like the contractor thing, a family illness. I've come across folks who went to school... hey, the recession is still out there for some environments and places; it's hard to find a good job. Okay, we hear that excuse that it's not a cultural fit, they're not technical enough. We need to stop using this as a crutch for not hiring someone. We hire for aptitude, to learn to do something and do it and protect our environment. Can they do the job? Can they learn? Are we looking for that purple squirrel? That's what the recruiters call it when you have something you cannot find. Or even worse, are they looking for the plaid unicorn? I had to go to Etsy to get a picture of a plushy plaid unicorn because I couldn't even find artwork, because nobody's drawn it yet. How hard is it to find that perfect candidate if I can't even find that? We're interested in whether they're interested enough in the job to protect our environment and our users, right? We want passion. We shouldn't use that passion as an excuse to have them work overtime and wear them out, because then you're just going to have to recycle them; we're ruining those types of people. And also we want the ability to fail and to admit that they failed, because that's how we learn.

So, hackers: time to research. Find out which company you're trying to interview with, figure out what's going on, use Glassdoor, figure out what's going on, because that is knowing your target, knowing who you're trying to socially engineer to get into that job, right? Have your three bullets and stick to them. Question everything, right? Please wear pants, or at least a kilt, okay? It's a question of everything. Timing: did the interviewers give you an opportunity to interview them, or did they give you the token three to five minutes at the end? That tells me something about that team. At the end, I've gotten these interviews, I've gotten the easy emails too. Hiring managers, we need to stop leaving people hanging. We need to let them know as soon as we can figure it out that we're going on to someone else, and we also need to be able to figure out a way, even if it's months or years down the road, to provide some feedback to those folks that we interviewed about why we couldn't hire them. I get a follow-up from a potential hire, or not a potential job, and I'm just like... I was really, really disappointed, and it made me question the people who were doing the hiring, and a lot of those people I actually knew and was close to. So just keep all of that in mind; your actions do matter.

So, hackers, follow up as well. Send a thank-you email to everyone you talked and interviewed with, even the receptionist, because they helped you get that opportunity to have that conversation. Show some class; even send a snail-mail thank-you card, yes, those do exist. But best not to send the connection request on social media quite yet; that's a little creepy. Yes, I do. You've got to remember that there are some folks that only add people that they know and trust, KMT, right? Know, met, trust. And there are other folks that add everybody in the world.

So we went through this rather quickly, because this is a lot. There are a lot of little annoying things, those little things that ding us, that get our network compromised, and it's those little things that ding us when we don't get the job or don't get the opportunity or don't get that person hired. Comments, concerns, no bullshit flags at all? Try to get that experience, because a lot of times we will see those in corporate environments, because our budget isn't that big. Just don't go all off on your third employer when you're about to go to the next big thing, because you never know if the job's going to fall in the room, like, later on down the line; your previous employer, whatever, is that a new company that you want to work for again? We talked about this earlier, it's a question of timing, right? It's a great way to get your experience, to be capable, and also contribute back to the community. Thank you, everybody. Thank you, folks.