BsidesLV 2024 - Hire Ground - Tuesday
Show transcript [en]
[Music] a [Music]
n [Music]
[Music] [Music] [Music] n [Music] [Applause] [Music]
[Music]
[Music]
[Music] a [Music] [Music] [Applause] [Music]
[Music]
[Music]
[Music]
[Applause] [Music] hey hey hey hey [Music] [Applause] [Music] [Applause] [Music] he [Music]
he
[Music] [Music]
[Music] TR [Music] hey hey hey hey [Applause] [Music] hey hey hey hey hey [Applause] [Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music] [Music]
[Music]
he [Applause] [Music]
[Music]
[Music] why
[Music] h
[Music]
[Music] oh a [Music] [Applause] [Music] [Applause] [Music] [Applause] [Music] I'm just I'm just trying to give you something [Music] I'm just tring to give you something okay I do I'm just tring to give you something [Music] w [Music] [Applause] [Music] [Music]
[Music] [Music] I'm just TR to give you something okay I do for you I'm just trying to give you something [Music] I'm just okay I do I'm just trying to give you something [Music] w
[Music]
[Music]
[Music] [Music]
[Music]
[Music]
[Music] he [Applause]
[Music]
[Music]
[Applause]
he
[Music]
[Music] n [Music] a [Music] n
[Music] [Music] [Music]
[Music]
[Music]
[Music]
[Music] [Music] [Music] a [Music] [Applause] [Music]
[Music]
[Music] oh
[Music] a [Music]
[Music] [Applause] [Music] hey hey hey [Music] [Applause] [Music] a
[Applause] [Music] he
[Music]
[Music]
[Music]
[Music] TR [Music] trck
[Music] hey hey hey [Music]
hey hey hey hey hey hey [Music]
[Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music]
[Music]
[Music] he [Music] w a [Music] you
[Music] h [Music]
a [Music] [Applause] [Music] [Applause] [Music] oh
[Music] I'm just TR to give you something I I'm just try to give you [Music] something I'm just I'm just TR to give you something [Music] oh [Music] w
[Music]
[Music] [Music] I'm just I I'm just TR to give you [Music] something I'm just TR to give you something I I'm just trying to give you something [Music] oh
[Music] m [Music]
[Music]
[Music]
we are technically right on time um very very thrilled to introduce Manish to you he also is uh dedicating himself double duty today he's going to be doing a um Round Table discussion this afternoon we're going to have three different discussions at 3 pm right after the panel at 2 pm in the meantime Welcome to our let's give a warm welcome to our first Speaker unish hi everybody um I like to not stand at the podium can you all hear me okay yes okay in the back though really can you hear me okay all right all right you can give me the wobbly head if not you be like man I can't hear you all
right so very excited to be here I've been thinking about giving this talk for years and you know usually I don't know if you submit talks when you submit talks yeah if you don't speak into the mic ah they can't record ah okay here I am at the podium so boring we're at every other conference now um so I've been thinking about giving this talk for years because uh I I've had some really tough times I've learned some hard lessons and I felt like if I kept those to myself other people are learning those hard lessons on their own I don't say that with you know great pride I say with a lot of humility let me try and save
people some pain every time I experience one of those I think Yep this is going to go in the talk so you are getting the first unvarnished version of this talk which is as much about the title of the talk how to succeed in a role that didn't exist as it is me trying to distill some hard-earned lessons from Mostly failures this is a talk mostly about distillation of failures and it is really about resilience besides is the place I wanted to do it because this conference is about Community is about learning from each other and in effect is very much about this kind of resilience this kind of Storytelling so the first thing is who am I um when I think about it's
such a like existential question who are you what do you do what have you done why are you here those are all like big existential questions but I'm going to try and answer answer those for you I'm going to answer them in reverse order because the I don't know why I'm here really or who I am but I'll tell you what I've done I've worked in a lot of different domains of trying to help people and organizations understand uncertainty that's what I've done done a lot of different domains terrorism fraud geopolitics cyber investigations critical infrastructure supply chain I don't say that with bragado doio I say that like it spans a variety I've worked on nuclear policy a lot of different
areas which means I've been new a lot new to an industry new to a field unproven I'm here because as I said before I really want to share these hard-earned lessons with you in a way that I hope is very actionable for you either today or someday soon so who am I one of you I'm someone who is focused on community uh which is I assume why you all are here too I'm someone who cares about people I'm a relational person thank you and I'm someone who has only succeeded because other people have helped me all those domains I talked about I'm not experts in those domains and I entered into them not as experts the only reason I was able to do
those jobs the only reason I was able to do a role that didn't exist before is because the community of people around me that I kind of joke but not really I'm not smart I know smart
people let's see if I can do this okay all right yes maybe no okay no worries yes haha all right so here's what we're going to cover what does it mean to have a new role I want to Define that very clearly and how do you identify it if you're interviewing for it or you might be in one and not even recognize that it's a new role second what are the likely pitfalls how do you manage those that's where I want to spend the bulk of the time and then what you must do early and how to learn quickly the end of this is unless you want to go through a very painful experience like I have multiple
times that's the dott dot dot that follows this so that is those are some core things and I'm not going to hide this I'm not one of those people that puts all the beautiful stuff and wonderful stuff at the end like all this is going to be pretty much up front so let's talk about what it means to have a new role um this is pretty I think I mean it's always true in technology and perhaps in cyber that there's something new but does it not feel like we're on the cusp of another new moment where there's going to be a bunch of newly minted AI experts right there's going to be a bunch of new roles I don't say that
being glib how many of you have seen those postings how many of you have been tempted to apply for those roles yeah where you're like yeah man I'm an AI security person you bet so the first is you know what does it mean to have a new role and how to identify it so I think the big are you getting a move ahead no okay just my mind all right here we go this is my favorite photo uh so lots of times you know it's like I think about this phrase unicorn unicorn something that puts it all together HR and recruit PE recruiter folks will sometimes call it the purple squirrel you ever heard that term
before this is a a term that HR and recruiter folks use to describe you know all those bullets they know that they can't find somebody that has all those bullets they're not designing for that person they're designing for someone approximate that that's a purple squirrel unicorn so this to me is the like oh no I I understand machine learning and models boom I'm an AI person now and I think this isn't totally inaccurate but there is sometimes a moment where that didn't exist before so how do you genuinely figure out if it didn't exist before versus it's just an evolution of something there's three things I think about first where is that organization in its maturity that
doesn't mean the organization itself has to be mature that means where is the organization in its maturity so it could be a Fortune 500 company but is finally the place where it's recognizing the need for something it very often people think new roles are at new companies I don't think that's necessarily true at a at a startup I've worked at multiple startups at a startup there's a tendency to be like every R is new no one's ever had this before yeah well at that company sure because it's a new company but does anyone have this so the second thing is to figure out what is it at the intersection of almost always guaranteed it's an intersection of at
least two sometimes three things and the third I'll get to this a little bit more is you are going to ask the question need to ask the question and seek the answer why didn't this exist before why is it being created now what prompted that there's a lot of questions underneath that but that question over and over and over so the the other title of this talk but I wasn't sure that it would make it through the review board because it was oh a little too Goofy was becoming a pirate unicorn because that's how I think about new roles uh a pirate unicorn supposes that there's a world of unicorns there are so many unicorns that
there can actually be a pirate unicorn thank you here are all the images of pirate unicorn that I love uh the middle one I think might be my favorite but I also like the be who you are uh so the the idea behind the pirate unicorn which is what I've kind of coined this new role like truly new role is it's fun it's exciting it's also a threat some people will see it the same way they viewed Pirates not cool but like they're here to steal your [ __ ] and they're going to use gorilla tactics to do it uh and shouldn't trust you because you're going to take something from it and so I like the idea
of putting these two images together also at the very end of there's time tell you another kind of funny not really funny not haha funny but like let's drink funny a story about pirate unicorn all right so I don't want to spend too much time on this but let's talk briefly what are the pros and cons of the pirate univers corn I would like this to be a bit interactive if we can even though I'm up here talking at you so I want you to take a minute 30 seconds just think of one thing that you think is great about being the pirate unicorn and one thing that sucks about being the pirate unicorn so just raise your hand I'm
going to call on you yell it out and I'll repeat yes you don't know what you don't know is that a pro or a con someone said yes I agree yes you don't know what you don't know okay yes you're special you're only you're special and you're the only one pro or con only great special is pro you're the only one con there's no one to learn from I'll put a caveat on that there's no one to learn from there's no one to learn from at your organization which is why this matters this matters because there's other pirate unicorns out there all right any others yeah there's wide open in front of you you have no idea any of
yes okay so there's wide open space in front of you but you don't really know where the boundaries are I will cavey out a little bit or add a little bit and say it looks wide open to you but it's claimed by everybody else you're like look at all this open space everyone's like who's who's that King running through our yard you're like it's me the pirate unicorn Galloping beautifully okay one more [Music]
yes okay this person could give this talk um they said you the pros you can lead the way con is you have to explain to everyone why you're there so that's my talk basically there it is yay thank you all right enjoy the rest um so here that thank you yeah it was brief to the point okay so here's sort of distilled what's awesome what's terrible so what's awesome you're Innovative by your very existence oh my gosh you're new how Innovative like this wasn't here before so anything you do is innovative by virtue of the fact that it has not been done before I say that a little bit glib okay very GLI but you get my
point you're ready to partner with everybody everybody's maybe ready to partner with you question mark but you're like yes totally I'll work with you absolutely I'd love to come learn about your team I'd love to tell you what I do as soon as I figure it out like you're just none of those boundaries are really there it's impossible to fail no one knows what failure looks like no one knows what success looks like so what's terrible you know nothing and no one cares I'm being very this comes from a darker place just maybe like two days ago but but the point is that you you don't know what you don't know and even including sometimes your
boss no one really is set up to be like I'm going to help you succeed because it's going to help me succeed like you're lucky if you come in with that but most times people are like okay no one knows who needs you and why this is really important this is really crucial I'll come back to this later but one of your most important tasks is to figure out who are your internal customers that's a very corporate way of saying who needs you and who do you need I would argue that in the first 90 days you should have a very clear map of that you develop hypothesis you test them you talk to people you roll out
different products ideas you float things you see ah yes that person needed it oh no that person it didn't change anything that person is saying things that I know that I'm going to do without me having asked them prompted them they need me and why so the good thing here is that I would argue that the second bullet is really crucial for security and risk folks generally you should generally be doing this but in this role you have to otherwise you're just going to float you're not going to fail it's going to be worse you're going to float and it's impossible to succeed because no one has done it before so class half full half empty
some people are going to be like sky's the limit try anything and other people are going to be like yeah no one succeeded in that before uh can you remind me this talk is being recorded yes okay so uh I want to share some stories but I need to sanitize them appro I worked at a large organization and at that large organization um it had been around for a couple hundred years and the group that I was in had been around for this many it was this many years old when I showed up and my organization within that larger structure was already the pirate unicorn and I was I don't know the pirate unicorn on the pirate unicorn I
don't know the metaphor breaks down it it was really challenging to come in because that was new I was doing cyber risk and cyber defense for a city government this was at a time when people were like huh like what Municipal cyber security why would you why would you be doing that like are we paying for that aren taxes paying for that like shouldn't we be spending more on the fire department or whatever else so there is a lot more in the what's awesome and what's terrible and I don't mean to be I do mean to be why am I even saying that I do mean to be a little glib about the what's awesome
because it's going to be shiny and it's going to draw you to it so here I'm trying to pun intended ground you on the things that you might not realize later okay next piece is in nature generally speaking there are some exceptions I am not a biologist but I did read about this a little bit out of curiosity and then in preparation for this talk about how environments in nature respond to a new species and there's three General ways first is is some kind of threat predatory second is not predatory but displacement and the third is additive in my totally non-scientific review of like you know some of the research around this I didn't read
papers I read like case studies things that I could access with a little bit of gener AI to help a majority were the first two predatory threat or displacement read invasive invasive species so maybe they didn't you know uh take away something on the food chain but they displaced a bunch of space or something else so most environments view new as threats like we kind of valorize the pirate but if you're a shipping person like piracy is a huge huge problem for you they're taking away your hard-earned goods and currency right there's nothing sexy about it and so I say that with the calibration that you might be brought into a new role wait for it right after
that company has done layoffs right when someone was told we don't have a budget for that right after the initiative that they've been trying to put forward as a new evolutionary initiative not even revolutionary new evolutionary initiative they were told yeah we just we don't have the support the real appetite to do something new right now and then the pirate unicorn shows up without knowing or needing to know anything about you or caring about you that person you can understand from a place of empathy is going to view you either as a threat or as an invasive species so personally the way I've dealt with this is two ways the first I call it out and I will talk to you in a little
bit about how to get the information so that you can put it forward in a way that is acceptable because I also tell you from a place of learning that I've tried to be self-effacing and people are like look at this dude thinking he's like the best and thinking that he knows our organization he just showed up so I'll give you kind of that more but the second way always always always with humor always always always for me with humor so I make light of the fact that my title is new and didn't exist or is really long or what is it before uh that no one did this before and I used to make jokes about AI now I can't because
it's actually happening um I would make jokes that I was like half a robot I was like a prototype like I would just stupid stuff but to let people know that I knew that I was new pun intended new um at one of the organizations I was was at not only so here's the the question that you need to keep in mind when you're having conversations meeting people we didn't need you before why do we need you now we didn't need you before why do we need you now by the way that loaded statement is not limited to roles I'm going to digress a little bit here most recently I've worked in software supply chain security software supply chain
security we didn't need that before why do we need it now we just like secure what developers do right like you can take almost anything zero trust like what AI security we didn't need it before like what you could take any relatively new thing that's been there in cyber security and then you're kind of caught on the back foot because you're explaining what is the consequence of not having it which is very difficult place to be counterfactually so I'm queuing something up here which is like all right man what do we say come back around to that but the most important orienting thing even if you get introduced with a bunch of fanfair and a
press release and I have gotten the introduction from the CEO to the executive team check out this new role [Music] Tada there still is most of the time it's going to be one of those two predatory invasive and it's unconscious and oh by the way it does not help if you're an underrepresented group there have been zero out of five times that I've done this where people like cool a person of color in this role to go back to the pirate unicorn like if we somehow figured out that the pirate unicorn was gay someone would be like oh man the gays are everywhere you know like it's like that comes in unconsciously that I got the role because I'm
underrepresented because I'm different or and I've had people intimate this like be explicit about it oh they had to create a role for you and I always respond one way yeah the other ones weren't hard enough that's why they had to create a new one remember I said at the beginning it's going to be the Nexus of two maybe three things so now let's talk about really a new role why new R is created who creates them this is crucial I would argue again that security and RIS F should be doing this thinking about the organization Dynamics politics and organizational Capital so why are new roles created a couple different reasons lots of times somebody's like yeah let's bring that
person in they're creating an around a person which you would think is pretty cool and it is it can be but the challenge is the scaffolding is built around that individual or go when they step away it sort of collapses around them or people don't see the architectural design they just see it as like built around the profile of who that is so who creates them this is important I'm going to jump around a little bit these questions aren't totally linear so what prompted it why now who sponsored has the organization done this before there's a few slides in here I think he's going to be put a few slides in here that if you
either have this role or you think you might be looking at this role this is one of them take this these questions are ones that you need to figure out if you want to go into that role eyes wide open if you want to jump in figure it out as you you go cool good luck pirate unicor but if you try and search some of the answers to these and this can happen in interviews it can happen in uh talking with people who have left the organization talking people at similar organizations so the one question I ask in interview it's kind of like a two-part question and this is early on when I get like the screening call
Opportunity or that's the official pathway unofficial pathway someone's like Hey we're thinking about doing this do you want to like I think you might be right for this I ask two questions join together it's that middle one what prompted this and why now so that reveals a lot it tells you how much they've thought about it it tells you what are the pain points that are coming in in advance and why now what is this moment what has happened because guaranteed how many of you have tried to hire someone before tried to get headcount right try and get headcount to hire someone you got to line everything up right and it's like now now it didn't work now no now and so
at large organizations this is the last one who sponsored it someone likely multiple people have spent organizational and political Capital to get that role to get that role created to create space for it to justify it if there's a job description to put it out there all of that figuring out who that is and why they did it is critical to your early success first go find them and introduce yourself I know that sounds silly because you're like of course I'm going to know them of course I'm going to know you're there no hard Lon I learned here I assumed that everybody that I had interacted with had already had the introduction as to why I'm here or that
senior person had design designed or decided this so in the next role that I did that in I again with humility it's one of the key things I'm going to say humility and humor are going to get you a long way as a pirate unicorn so with humility I went to people and said oh so I I I was talking to and I understood this is why they and sometimes they just say it they needed to build a threat intelligence capability that had this function and that's the experience that I have in one role um it was I didn't have as much cyber experience as I knew that as I assumed that they would need in that particular domain I was
upfront with that all the way across I was like I not done 10 years of cloud security implementation or like managed hundreds of thousands of end points I've not done that and this is one of those times that it reinforced I'm saying this to you with humility that being very open about my experience was crucial because they're like good yeah we're not looking for that I said okay well here's how I would approach this role I'm veering a little bit here into the interview process but it comes back around to this because that's how learned how the role came to be said here's how I had approached this role I was that was basically the interview how would you do
this well I think about it this way and I think I would do this first um these are the Frameworks that I would be drawing from these are the disciplines that I'm coming from and then okay fast forward got the job yay I learned that the person who had really pushed for that role was not in these conversations not in the interview process and had a completely different reason very valid one completely different reason for advocating for this so going to them when I found out who it was and I went to them I was going to be like I'm here like the person you were thinking of it's me thank you so much and they
were like you were not what I was expecting that's what they said uh the pause was a little longer um and I said oh tell me more well I'm here now like tell me why and I basically got the story of why they push for the creation of this role and it was very different than what I was told and sold so a little bit of a orange flag went off not yellow flag not red flag orange flag like under construction and I got to explore that a little bit and then more informed as I went there so what prompted it why now who sponsored it has the organization done this before that's the other thing does the
organization do this a lot do they create roles a lot do they create new roles are they spawning pirate unicorns all the time that's not a good thing or a bad thing but it is a telling thing if they do it a lot they better be good at it helping you succeed helping you figure out out who to talk to giving you some sort of here's what's new here's what's not okay our uh vaunted audience member over here talked about something needing to explain what you do here is a tenant I try and basically live by tell your story or someone else will why are you here remember invasive species that's the default you need to show and explain and
demonstrate probably repeatedly that you are there as an additive part of the ecosystem you're going to help the ecosystem flourish by your existence not threaten it and so telling your story is not actually your story and the other thing I should put in here but it was too many words I thought for this have other people tell your story so hopefully you know some people coming to that organization but if not find some quick allies and give them a story that they can tell it's most impactful not when you tell it but when someone tells it when you're not in the room you're not going to be in a lot of rooms in the beginning oh who's that that's the new
director of XNX that's a new role to do Innovation and this they're going to do this this person hired them just a real quick and easy because what are people trying to do what are you trying to do when someone new comes in where do you fit in what are you whose team are you on are you going to help me should I be working with you are you going to be working for me are we going to competing for the same things those are all the questions people are tilting around in their head so if you give them a quick like you are here dot that's very helpful two other things about telling your story again hard
lessons it's very very difficult to explain from a security perspective why the absence of something is a problem or an intelligence perspective I've worked in organizations in one organization I was there to help thread together strands in geopolitical Risk terrorism fraud cyber investigations and this organization had whole teams dedicated to fraud and whole teams dedicated to investigations of which there were cyber investigations and terrorism was was everywhere in the headlines the board was talking about it Executives were concerned about it and geopolitical risk is very hard for people to get their heads around but people were making decisions based on all of those things so when I say tell a story I don't mean make some [ __ ]
up I mean figure out what you're there to do so in that case adversaries our adversaries were exploiting each of those seams and this organization was dealing with them as they came in and in dealing with those silos there were seams my team's job was to close those find the blind spots because the way you look at analyze mitigate fraud very different than the way you think about cyber crime investigations know large financial institution they shouldn't be all of you were like what yep but they are and terrorism people didn't really care about fraud it's not particularly sexy terrorism oh my goodness okay what yes what do we need to do we have to connect
those two because the adversaries definitely work we using credit card fraud to fund this was really fast and guess what they were doing on the dark web cyber crime like there was the there was the arc and it felt very clear but being able to tell that people are like oh okay got it and it it's not like that popped up immediately I took time to earn towards that so I'm going to talk about two or three other things and then I really want to get some questions and conversation going here in another one of my roles I knew that it didn't exist before and I knew that I was going to be met with
resistance this is another tenant everybody can and will tell you what wrong looks like but nobody can tell you what right looks like everybody's going to like that doesn't work tried that that's not going to work we tried that before that doesn't work here and so then your natural thing would be like oh cool what does work then back I don't know isn't that why you're here pirate unicorn so it took me the fifth time to figure out how to deal with this because I dealt with this like defensively I tried to persuade people um I try to convince them early on but look at my plan look at this beautiful PowerPoint I've built how about I come in and tell you
about what this thing is I started an organization I was working on critical infrastructure most people at the organization did not know what critical infrastructure does was like well I'm GNA go on a like tour I'll come in and talk to you about critical infrastructure here's critical infrastructure and they were like that seems like a waste of time like I don't know what it is why is it important so my sincere advice is when you find yourself in a place where you you think you're going to hear or you start to hear nope that's not going to work can't do that we've tried that before get aggressively curious ask people okay tell me why what
have you tried when did you try it and how did that work what did you learn push them two things are going to happen one a lot of people aren't going to actually have things that they tried it's just a feeling a perception and now you get to press that two you're going to find some people you know this most of the people who are the doers they're not the ones who are naysayers they're like yeah I Tred that didn't work so eventually I find the like doer who actually tried the thing oh yeah we couldn't do it because um this thing this sort of budgetary thing was there this thing we had this technical hang up oh well is
that still here because we moved this I don't know I moved on to other projects wait a minute what it might actually work so you can build on other people's I won't even say failures previous tries that's how I found success and I did y'all I did I found success and I was always very open that it was like oh no I didn't come up with all this this was built on what that person did five years ago before this whole thing was even conceived of this was built on this they tried this two quarters ago but the budget wasn't there or I wasn't here or we just had that incident now we know how that's actually
going to go so when everyone tells you what wrong looks like and no one can tell you what right looks like get aggressively curious ask them what did you try how did you try it what did you learn figure out what assumptions they made see if you can take on those assumptions or test them again like seriously get scientific and then you can figure out if their experience their anecdotes their Insight their case studies their proof of concept can be used again there's a really good chance that it can there's a really good chance that it can so last couple things before I close with you know hopefully giving you something to really really sink into so
find the sponsor identify recruit bles I think I talked about the sponsor before who brought it in in multiparty negotiation um you will hear the term in business stakeholder stakeholder management stakeholder is really generic there lots of different kinds of stakeholders so when you're designing top multiparty negotiation that strategy you map out the players you put them in three categories allies adversaries recres it's funny because in cyber we just think adversaries we don't often think about allies think about our team maybe not like allies allies adversaries recruitable so adversaries I don't need to tell you who those are how do I identify them allies I'm not going to spend time on them so I think you
probably have a sense recruiters so in one of my roles I did my best in all the early listening you got to know this team this team this team who did people whine about on my team and who did I think whin about our team or didn't like our team and who did we need that intersection are the recruitable who can you bring over so this is delicate it's why it's later here I would argue if you aren't like a seasoned Navigator of organizational politics this is a good time to lean on your mentors and advisers but in that new role you're going to need to learn how to do this and then this is to go
talk to the recres and potentially recruit them there is one organization I was at I came up with a stakeholder map and without labeling them recruit bles I just put a question mark in that column I showed it to my boss and like that whole column he had the same reaction he was like they don't like us I like hm do you think they talk to me I don't know you're new cool are you okay if I go talk to them can't hurt so I did and you know what I said hey I'm new here it's the best opener you ever moved to a new town New City new place come to a new conference how many of you is first time
at bsides cool oh my my gosh amazing welcome you're sitting standing next to somebody easy it's my first conference have you been here before what are they going to say yes cool me too no great what should I know I did the same thing I'm new here surprise surprise sometimes people be like me too oh good so you don't have the world organizational [ __ ] and neither do I and if they weren't I would say tell me what I should know about my team most people were surprised by that they thought I was coming over to like prove something I'm part of the new team and the new role too I said no I
have a new role remember I told you was very open about it new role just created and on that team what should I know about it what's the history between our teams woo now it's your turn can you be candid because if you person who I'm talking to don't take this opportunity to try and repair and mend these relationships that is now on you so that you don't know what you don't know I put that back on them I don't know what I should know help me understand it's us against the adversaries so what should I know so this goes back to the customers and stakeholders who's going to gain from this new role you might be
surprised it's not going to be people necessarily in the immediate orbit for example there's one I came in and I was going to be speaking to the media and Industry and whatever else and no one had linked me up with the marketing people but I wanted the marketing people they're like what you're here great awesome can we talk to you can you help us and I was like yes help me understand this and but no one had thought to make that link no indictment of the organization but it just no one knew really what this role was going to be so they didn't know who was going to gain from it and then occasionally and it's a really wonderful
thing you will find people who have been waiting for you and sometimes you might be that person and a new rule comes in and you'll be like we've been waiting for you here's a stack of work and also can you help with this and oh you have that skill set oh great we've been waiting for you and then the last one ask this question and listen with empathy because if you listen with your hackles raised then you will become an invasive species who wants and needs you to fail who needs you to fail in this new role it does not mean they're going to try and get you to fail but understanding that that's a potential
recruitable and as well it will tell you a ton about organizational Dynamics maybe that person used to be a pirate unicorn and they got this has happened I don't know why I'm saying maybe I sensed some part of the environment just like focus on me kind of like this I was like hey hey like that's how I felt like I was greeted all the time or and people would say their name be like this person oh [ __ ] and I learned again aggressive curiosity empathy humility that that person used to be a pirate unicorn and it didn't work so they got put into this box man so they didn't want me to succeed because if I succeeded then what
did that mean about them not about the organization in the existence of pirate unicorns man what a humbling moment that was when I had that realization and it was months and I say months because maybe months isn't a long time but in this case it was a long time before I could talk to them about it because it was disclosed to me not in the best way finally had the opportunity and then that person became such a huge supporter guests who opened up their book of lessons and an does and proof of Concepts and relationships and we became like a great teammate so I asked that question not to say spot the snipers who wants and needs
you to fail but it will tell you a lot about organizational dynamics that had nothing to do with that individual and everything to do about the environment that we were in okay so last thing I've heaped a bunch of things on you some questions thanks Manisha kind of helpful I give you some very tactical advice and I have given this to many many people I take it myself one of the most crucial things in the new rule is figuring out what success is going to look like some organizations are terrible at defining success I don't mean just having kpis I mean measuring progress and again if it hasn't been done before how do we figure that
out so here's the good news there's a lot of pirate unicorns out there awesome if you're just walking this talk and hearing about pirate unicorns come on in there's a lot of pirate unicorns out there and you don't have to reinvent that so there's a book that I recommend to just about everybody I read it myself when I start a new job it's called The First 90 days and the focus of this is there's different models of what kind of role you're coming into startup a turnaround accelerator realignment sustaining success it's about diagnosing what you're coming into and building a learning agenda for your first 90 days now this book one caveat don't read it cover to cover it's
a guide book it's a Choose Your Own Adventure sometimes you're going to come up it's going to be one kind of thing you're going to focus on that another time I have reread reread this book every time I start a new role and if you're a mentor by the way and you have proteges this is a great gift when they get that job here read this book A lot of the things I've talked about are captured in here not everything because it's not all the Nuance of the new role the stuff I was sharing with you but a lot of it is captured in here otherwise I would have had to come up with this
whole rubric but a lot of what I figured out and how to put together when I found this book I was like oh yes I tried that but that's way better oh I did that but that's back by research oh I did that but here's a Pro an example in business not just security so I realize I am right up on time and I didn't leave room for any questions all we have a few minutes right for questions two three great sorry I meant to leave so much more time thank you pirate
unicorns okay cool if you have questions put your hands up I'm going to take a few at a time maybe we can put together yes question say that again what if you're not the rest got it what if you're not new to the role and trying to restart things other question
yeah oh good okay so you're hiring a pirate unicorn all right so so restart and then hiring a pirate unicorn one other question
yeah like a new initiative kind
of yeah I'm going to repeat back the question that's say it again yes got it got it okay okay so trying to create trying to create space for a pirate unicorn you've hired a pirate unicorn now how do you have them succeed and you're trying to restart something it's not necessarily a new role I would say okay I would say treat it like a new role you're going to find some people who are there but that same skepticism is going to be there I mean tilt heavier on the see you as an invasive species and a predator that's what I would say but all the things I put up there in terms of or talked about in terms of
like curiosity and humility I think are really important um I would share the knowledge that you have that this is not new I understood that someone has tried to do this before what do you think are some of the key lessons that they learned or they should have learned or what do you wish they did earlier you know like come to the organization come to people with that in terms of yourself try and get all the materials anything what list were they on whose team were they on what function did they report to cuz as much as you can understand about that previous role you can then calibrate the lessons that you get from them that makes sense um
these two so how do you set up someone for Success when you come in and how do you what are the next steps if you identify that there's a Nexus of those needs so these two are connected figure out what the story is timing timing timing timing is key figure out what the story story is and find people who are going to be there advocating for that person when they come in so it's the sponsor 100% someone's going to need to put down we're in Vegas someone's got to bankroll you someone's got to put down that political capital and that organizational Capital but then you need a bunch of people around who're going to advocate for them get them into rooms be
prepared to partner with them and be ready to to hear the the kind of story so that when they come in they don't have to do a lot of that communication oh yeah I heard about your role you're going to be doing this you're on this team so it sounds weird but minimize as much of the newness as possible because then people are like okay the rule is new but that idea has been here or oh gez the senior person said they they from their standpoint they see a real pain point or we had this incident this thing happened people don't know that people don't know that's what triggered this we had an audit we're under consent decree crowd strike
whatever it is cool I want to be respectful of time I'm happy to answer some more questions I'm going to I one more question okay I can take one more question you got a burning one otherwise oh yeah right here not really com I've been consult
thank you I I'll just repeat briefly although it's a compliment I that means a lot uh person here as a consultant and said I do this kind of stuff every six months nine months and it could be used not just in a new role a new initiative just asking those questions and coming to the organization are very fruitful um I'm going to grab a mask and then Christen sh I'll just step right outside over there happy to answer any questions quick plug at 3:00 today I'm going to be doing a workshop on how to read organizational culture from the outside in and I'd love for you to be there thank you so [Applause]
much thanks for thank you the [Music]
[Music]
[Music] [Applause]
oh [Music]
[Music]
[Music]
[Music] Perfect all right well we'll give it another by my clock a couple minutes but if anybody thinks of anything don't be shy you know I'm not shy
it is literally your microphone literally I I uh I have been asked if you need to leave the room if you could use that door it would be less disruptive we're going to have people come in that way and out that way is that right Ops yeah please if you could just exit that way if you need to leave thank you so much yeah ignore the sign we're hackers ignore the [Music] sign trust technology when it works on the first try so but we're going to give it a go hi guys welcome to my talk oh good you're all paying attention awesome my name is Jason Frederickson I am the managing director of solutions development for
Aon Cyber Solutions which is the arm of Aon dedicated to solving our client cyber security needs that's not what I'm here to talk about today what I'm here to talk about today is the fact that I have spent the last 26 years hiring trying to hire sometimes failing to hire software developers and other technical people and that means that I've spent the last 26 years working with a technique that we call behavioral interviewing and as I was thinking it through last year I realized that's kind of unfair somebody needs to come and tell you guys all the secrets that I know so that you know how to act in the same context and so that's what we're going
to talk about today
but before we talk about behavioral interviewing we're just going to talk about interviewing yes sir better better now my voice is going to drop now like the movie announcer first we're going to talk about interviewing and in particular we're going to talk about one really core thing which is that interviewing sucks we all know this why does it suck 94% of all corporations in America pursue an explicit business strategy a primary business strategy of operational efficiency what does that mean it means that their state AED strategic objective is to make it more efficient for dollars to come in and presumably dollars to go out but ideally not so many of those right that's where the profit comes in
if you get a chance to look into the Border where the sausage is made even the companies that we think of as Innovative companies aren't pursuing strategies of innovation they're using innovation in their pursuit of operational excellence what's the number one way to control costs for a technical organization pay less salary guaranteed right because the salary offer you make today is not only a cost you have today it's the cost you have next year and the year after that and the year after that raises are generally calculated as a percentage value and in all snowballs so what do you have to do if you're pursuing operational excellence as a strategic objective you have to pay pay less
salary how do you pay less salary you establish a dramatically Superior bargaining position in the salary negotiation when the applicant comes to you and says yes I got your job offer yes I'm excited to work for you we're all excited about you coming on board they're excited about coming on board and the company the corporation it does not matter what the recruiter says it does not matter how nice of people they want to be their strategic objective is to lowball you and the way they get you to accept a lowball in any negotiation is to have a dramatic power imbalance to have a superior negotiating position now how do you do that in a situation where you're
meeting someone for the very first time it's a short negotiation cycle you've got a defined range of dollar values to operate in how do you establish a superior negotiating position you make them uncomfortable you make them feel lucky to be able to do business with you right a hiring manager might be the most awesome hiring manager in the world but I guarantee you that that recruitment team at its core is operating under a series of principles designed to make the interviewing process uncomfortable for you to put you off guard to make you nervous so that you do not handle the negot iation part well the problem is that would be one thing if we were just limiting that
discomfort to the negotiation part if we could have the interview process be fantastic and then you get into the negotiation process and all of a sudden they're like bam now now now we're getting to it right that'd be great that's really hard to do we're not going to do that as a company so what are we going to do instead we're just going to make the whole thing uncomfortable that's not up to the h H ing manager guys that's not the hiring manager doesn't want to do it they want you to have a great experience because they want you to be excited to come work for their team the people on their team who are interviewing for technical
skills same thing they want you to be excited but strategically at a financial engineering level the comper has incentive to make the interview process suck
so that's the first reason I'm G tell you the second reason here's the second reason what's the other thing companies are really really bad at yeah there's a lot of things training companies are really bad at training right because if they were good at training we wouldn't have fishing but they're bad at training and the reason that they're bad at training is again it's Financial why would they spend time training when they could instead spend that time making money that's what they're designed to do what that means is that the hiring manager who is interviewing you probably doesn't know what they're doing they've gotten a 30-minute course it's a seminar they were one of 100 people on the call
where they got walked through a practice given some questions that they had to ask they walked away saying I don't get any of that I'm just going to go do some interviewing the people on their team that got invited to sit in on the interview didn't even get the 30-minute webinar they got a 14-page PowerPoint attached to an email alongside your resume four pages of that PowerPoint our instructions to make sure you delete the resume after the interview so you don't compromise that poor candidate's pii it's suck at interviewing and that means successful interview successful interviewing from the candidate perspective is to a large degree a game of first impressions
so why did I start there behavioral interviewing in the 1960s and the 1970s we realized something as a society we realized that we as human beings are really really bad at assessing skill uh if you've ever heard of the dun and Krueger effect that's about assessing your own skill it turns out we're just as bad at assessing other people's skill we don't know know how to do it which means that all of these interview techniques that people had up until then were basically just seeing like do we like you do you look like me do you sound like me and we all know that that's wrong that's not a good approach so in the 1970s in the 1980s a
bunch of psychologist got together and basically invented an industry they invented a better mouse trap and that better mouse trap is something we call behavioral interviewing don't scroll okay and here's behavioral interviewing theory in a nutshell the first thing you have to understand about behavioral interviewing in a nutshell is that it assumes that people's core competencies do not change now if you're thinking about core competency I'm really good at python hey I know networking like the bad these are not core competencies these are learned skills all right your core competencies are are you good at analytical problem solving are you good at coping do you influence others particularly well that kind of a thing are you good
at making decisions do you write really well these behavioral core competencies they don't change very fast and when I say they don't change very fast I mean they either don't change at all that's what half the psychologists in the world believe or they change on a time frame of about 10 years that's what the other half of the psychologists in the world believe all right either way it's not something that's going to change in a 3 to 5e period the second thing that we believe with behavioral interviewing is that skills technical skills learned skills can always be taught if you show me somebody who doesn't know a single thing about software development but is really good
at analytical problem solving I will take them away and I will bring them back in three months and we will have a software developer because you can teach them C++ you can teach them python you can teach them web Frameworks but you cannot teach someone how to do analytical problem solving the third thing that we believe in behavioral interviewing is that behavioral skills these these these innate strengths always manifest themselves when I say they always manifest themselves here's what I mean someone who has an analytical problem solving skill in any given conversation when presented with a problem will be itching to solve it in an analytical fashion they'll be the person who's always like hey can I ask a question and
they're asking that question designed to see whether or not the problems on the left side of the right side of the diagram right someone with a leadership core competency is someone who may not be talking a whole lot but I guarantee you every time they go out for a team lunch they're eating at the restaurant that that person wants to eat at because behavioral skills always always manifest the fourth thing is that past Behavior demonstrates likely future Behavior you guys have all heard past performance is no guarantee of future results right this is absolutely true okay it's absolutely true even when it comes to people past performance is no guarantee of future results but you show me someone who got
into a stressful situation and had a total meltdown I'm going to bet real money that you can take to the casino right now that that person in a similar situation in the future will probably also have a very similar meltdown that's not a pretty idea it feels kind of lame feels like you can't get away from your past if you're embarrassed of things in your past right all that means by the way guys is if you are embarrassed about things in your past don't trust yourself to change the next time that situation comes up figure out ways to not be in that situation next time but what does that mean that means that as a behavioral interviewer if I want to
assess someone's analytical problem solving skills what do I need to do I need to find out whether or not they had those skills in the last 10 years right 20 years ago half the psychologists in the world will tell you it's no good so let's ignore that but in the past five let's say five years ago if I can figure out whether or not they had analytical problem solving skills five years ago then all the science tells me that they will have analytical problem solving skills today as someone who hires software developers that's really exciting I like analytical problem solving skills it's the it's the foundation of writing code so what do I need to
do I need to find some way of determining whether or not they had those skills five years ago and so what I'm going to do is I'm going to start asking some questions that are designed to gather evidence of those skills five years ago note that I can't just ask them hey uh Maria do you have analytical problem solving skills and Maria will say analytical problem solving skills are really really important in a software job we all know that and and I have exceptional analytical problem solving skills because they're foundational that's not a useful answer it's also not a useful question so instead we have to ask questions that say Hey can you tell me a time can you
tell me a story about your analytical problem solving skills and this is where the fifth Lynch pin of Behavioral interviewing lies because what's your immediate thought your immediate this is a security conference our immediate thought is that the person is untrustworthy they will lie to us they will make up a story about their amazing analytical problem solving skills the fifth pillar of Behavioral interviewing is the concept that lies require cognitive overhead lies take effort telling the truth is easy so what do you do you want someone to tell a story you want them to tell a story with detail because detail makes the lies multiply
exponentially so we're going to a behavioral interviewing we're going to bring the candidate in and we're going to ask them we're going to figure out what the skills we need first by the way guys right because there are hundreds of skills out there at least dozens okay if I'm hiring a software developer do I need someone who's really good at uh uh adding up numbers for spreadsheets like like bookkeeping that kind of a thing that's arguably a similar sort of skill but do I need somebody who's really really good at making sales really good at making friends much as it pains me to admit it a good software developer does not need to be good at making
friends I like to think of myself as a very good software developer I am not particularly good at making friends so we're going to figure out the skills that we need for this role and we're going to ask questions we're going to ask those irritating questions we've all heard in the interviews and hopefully now you've got the context a little bit of context to understand why they're asking them right because they're asking them to try to figure out whether or not five years ago you had analytical problem Sol 5 years ago whether or not you had team management skills whether or not five years ago you had coping skills did you were you that unfortunate person 5 years
ago who got really mad at their boss we don't want to hire that person right and that's not from a theory perspective that's not because you're being punished for something you did five years ago it's because what you did five years ago is a reflection of what you will do in the future under similar circumstances
you can also directly observe those skills but I recommend against it because how do you ill how do you directly observe somebody's coping skill you throw your drink in their face not good in an interview context that's top tip for you who are going to don't do that okay now let's take those two talks together put them together on the one hand I have the evil corporate Empire of Wall Street which has direct Financial incentive to make the situation high stress and is not training its interviewers on the other hand I have an interviewing technique that requires its interviewers to ask some very specific questions and to drill down in a very controlled way to get to details and to
assess whether or not your story is evidence of a behavioral characteristic can you already see the problems and these are the problems your stories might be amazing but there's all number of ways why it can go wrong maybe you're not a good Storyteller maybe you never tell stories I tell a story to my seven-year-old daughter every night at bedtime all right I got to tell you the stories that I tell now way better than the stories that I started telling when she was three those were not good stories the stories I tell now are great stories they got dragons and spaceships and magic spells and all kinds of adventure and a little squirrel that is
really a blacksmith that runs through the forest and all that kind of thing stories now are great but stories when I first started were not good nobody starts out telling great stories and if this is your first time going into an interview in a while chances are you're not great at telling stories maybe the interviewer is bad at asking the question you didn't realize what you were being asked about maybe you can't think of exactly the right story maybe you're really nervous behavioral interviewing analysis the results of Behavioral interviewing are responsible for more of what we might call the soft rejection instances in applications than anything other part of the process okay those bits where you you come out of the
interview and you follow up and they're like they're still discussing maybe they say well they'd like they already had two more interviews on the on the they want to finish those first right chances are at that moment you didn't get that because you failed something on the technical side of the interview chances are you got that because the assessment of your behavioral responses were
fuzzy now let's fix that shall we I can't fix Wall Street I cannot change the financial incentives that make the recruiters want to force interviewing to suck that is a different talk which we will do next year I cannot fix the training cycle I try I've been trying for 20 years and it's like boiling the ocean what can we fix we can fix you all right let's flip the interview plan on its head our objective is to create moments during the behavioral interview process that makes those interviewers say not oh maybe but to say wow I was looking for this skill and that person's got it all over how are we going to do that we're going
to give them instances where you are describing past behavior that supports that gives evidence of having those skills you're going to be giving details about using those behavioral characteristics that they cannot ignore your stories are going to be memorable a perfect behavioral interview the interviewer walks out of the room and doesn't even look at their notes they say would you believe that Aaron once kept a 747 in the air and you're going to be like what right like like this is the kind of memory you want them to have and it's going to show all that competency because you're going to be the ideal candidate the ideal candidate makes a strong first impression and backs that impression up with hard
evidence of what they're looking
for and the way we're going to do that is we're going to give you some homework I know this is where I just lost you all because homework sucks too but it doesn't suck as much as the interview process so let me walk you through there are three types of homework that I want you guys to do as you start going into your next interview cycle and then there's some tools that I want you to adopt as you're doing it okay let's go over the tools first as you're doing the homework I want you to create an environment in your study area that mimics or mirrors the interview environment I want you to be sitting in
a real chair I want you to be sitting at a desk or a table I want you not to be wearing pajamas I do not want you to have your earphones in listening to music because none of these things are going to be true in the interview and we need to mirror the environment so that the spatial recognition part of your brain helps to stitch the memories together the second thing I want you to do is I want you to get a really good legal pad and I want you to get some really good pins because this is going to suck guys I don't want you taking notes on your computer I need you to take notes long
hand and you're GNA say why Jason why do I need to take notes long hand that just sounds like an an old person idea when you write long hand you activate processing parts of your brain that are not activated when you type we have medical proof of this over the last 20 years we can look at your brain as people they run tests we look at their brains when you write long hand it is forcing your brain to process the knowledge when you type it is not so I want you to write long hand I want you to use a Pomodoro Timer I want you to set it for 10 minutes sometimes I want to set it for five minutes because
every one of your stories needs to be Punchy it needs to be 5 minutes long your interviewer is in the year 2024 they chances are do not have the patience to listen to a 10-minute story you need a 5 minute story you need a Pomodoro Timer I want you when you're working through the exercises when you're doing the leap code problems online I want you to narrate them out loud and in fact I want you to record yourself narrating them out loud and play it back I want you to get used to talking out loud because that is what you will be doing in the interview environment and finally and maybe the most importantly guys
I want you to turn your phone off having your phone on having your phone on is more than a 20% reduction in your cognitive ability and you're going to say but Jason I put it in the other room and I'm going to tell you that the researchers who have been doing this work tested that and it's better in the other room than it is in your pocket but it's still only like a two or three point drop you know how you really free your mind free that extra 20% you turn the phone off by the way I'm going to tell you when you go in the interview to leave your phone in your car so this is
just like the first speed bump guys okay there's your tools let's talk about the homework you're going to do we're making memorable stories right how do you know what makes you memorable ask your friends I don't mean your college friends don't ask your mom those are not the stories you want to tell ask your coworker friends why do you like working with me write it down where are you going to write it down right write it down go around do that think about the role you're applying for what are the types of Behavioral characteristics what are the strengths they're going to be interviewing for I got a cheat sheet a little later on it is not a
comprehensive cheat sheet but just to give you a springboard okay think about the kinds of things that if you were hiring for that job what kinds of strengths would you like to see is it analytical problem solving is it sort of a focus on the client is it a commitment to task and getting things done is it spoken communication is it verbal communication write all of those down and then put those two lists together brainstorm with your friends think back over the past 10 years find stories I'm not giving you guys a silver bullet that destroys behavioral interviewing here there is no Silver Bullet that destroys behavioral interviewing what I'm doing is trying to get you ready so that when you deliver
that answer it's crisp and conf confident and they love it so you're going to find some stories where you're awesome because the last thing you want to do is you want to be in a situation where somebody says can you give me an example of a time when you had a disagreement with your boss and you don't want to tell them you definitely don't want to tell them the story by the time you threw the Eraser at your boss that's not good but you also don't want to tell them the story about the kind of like the uh uh moment where you disagree with the boss and they're like so what happened next you're like well then then
then I left the room like great good job you didn't blow up right because what do they want to hear they want to hear about the story where you disagree with your boss and then you say well sort of took a deep breath I sat down and I said okay boss what is it that you want and here's what I'm trying to do and we work through the options and that interviewer goes yeah that's awesome let's that check big big check right and it's better if the story is memorable what were you disagreeing about what were the details once you go through all of that process you're going to write them out you're going to write drafts out you're
going to practice telling these stories and finally you're going to write out answers to the dreaded questions we'll get to this I have a slide about this you're going to write out answers to the two worst questions in interview tell me about yourself what is your greatest weakness okay then we're going to do some technical homework you're going to do what you're already doing you're going to be going to the the code websites the technical websites you're going to be researching and boning up on all this stuff but when you're boning up on the latest on the latest uh uh firewalls you're bing up on the latest algorithms or that kind of a thing where
are you writing your notes don't make me do it guys yeah okay good thank you right you're writing it out long hand to engage all of those memories you're going to remember Neil's boore Neil's bore physicist infamous one of the greatest physicists of all time was asked as a graduate student to estimate the height of a building using a barometer what they wanted him to do was to say something like I'll drop it and time it and use D equal 1 12 a^2 to figure out the height of the building the force of gravity or they wanted him to do something like a pendulum drop or that kind of a thing you know what Neil
bour did he said I will walk to the superintendent's office I will knock on the door and I will say Mr superintendent if you tell me the height of this building I will give you this shiny new barometer there are always multiple answers to technical problems don't get hung up on it have a couple in your back pocket okay and you're going to prepare some pivot questions and pivot questions are things where when somebody's asking you technical questions you're ready to Pivot into a conversation you're not trying to change it into a place where they're answering your questions you're just trying to get it into a dialogue right somebody's coming in and saying hey like like explain to me how you
would secure uh a serverless deployment on AWS using ECS fargate etc etc etc and of course you're going to know the answer to that I can tell just looking at you you all know the answer to that but you're not only going to tell them the answer you're not going to tell them the answer to sit back and be like yes how is my answer right because they're not going to tell you you're going to tell them the answer and then you're going to say is that the stack you're using yeah what why did you choose that instant dialogue and you only need a couple minutes of dialogue for them to really Elevate their first impression of
you and then human stuff okay guys I don't mean to be that person I'm going to be that person find your style this one you can ask your mom does this look good on me get a haircut fix your Zoom lighting don't use a digital background I know there's other people saying like use a digital background what they mean is if you have a zoom camera pointing at your pile of unwashed dishes use a digital background what I'm telling you is turn off the digital background and point your zoom camera at your bookcase or a walk all that has one picture on it or something like that it's a job interview you can rearrange your house a little
bit research the interview team when you get the interview scheduled you're going to ask the recruiter who am I going to be meeting with what is the name of the hiring manager do you know what team members they're bringing in do can you give me their job titles chances are the recruiter will tell you you will look them up on link LED in you will take notes about the kinds of things they like to do this is going to feel creepy it's a good idea you can do it anyway and finally you're going to learn one skill that comes to us from the FBI it's called mirroring and mirroring simply means repeating the end of their
question before you answer it you're going to say but Jason why do I have to repeat the end of the question before answering it and I'm going to say why do you have to repeat the end of their question before answering it think of that all right our homework is done go to sleep and now the day has arrived it is time for the interview nothing new on game day don't say it's an interview I'm going to go try that new thing in McDonald's not a good idea don't change your coffee don't change the rote you drive I mean change the root you drive because you're driving to a new place but nothing new on game day guys and it
should be nothing new on game day because you done all the homework so you're going to eat wake up you're going to eat a normal breakfast you're going to pack your bag you know what you're going to put in your bag you're to put in a notepad new notepad don't take the one with all your notes that's not a good idea new note bag two pens two copies of your resume a bottle of water probably a protein bar in case you get stuck on the highway I spend a lot of time in Los Angeles that happens you're going to show up you're going to plan your route to the interview site such that you will arrive at at least 10
minutes early and some of you will say I cannot believe you you are saying that the rest of your talk is junk because you're asking me to show up early because you're the kind of person who shows up on time or late everywhere and I'm saying get over it because in this instance you need to show up early because you need to know all the names in your head you're going to turn your phone off you're going to put it in your car you're going to lock it you're going to walk away from that prized possession the thing that tethers you to the Cloud you will not have your phone and you will now be operating purely from
memory but you're ready for this you've been practicing you're going to walk in you're going to say following magic sentence hi I'm Jason Frederickson and I'm here for an 11 a.m. interview with Maria cardo use your own names please unless it's a really good job in which case yeah okay you're going to know the names you're going to take note of the receptionist name the moment you get the moment the receptionist turns away you're going to be like right because you need to know that name for the end when you meet the hiring manager and the other people you're going to shake their hands you're going to engage them in small talk you're going to use their
names at least once in the small talk this is why we look them up on LinkedIn because not only are we going to use their names we're going to know something about them again it's feeling creepy but it's the best way to make sure that they think you did your homework you're going to go into the interview room you're going to sit down at the table you're going to take your legal pad out of your bag you're going to put it in front of you on the table you're going to take your pins you're going to put them on the table I don't really care where you put the pins you can do sort of the on
the top thing you can do on the side thing don't make a little like abstract sculpture but this is really where you can like like flex your style a little bit it's okay also it doesn't have to be a cool pin like this it can be a long pin it can be anything but you're going to have your pad out you're going to have your pins out top tip when other people sit down if you don't remember their their names scribble their names on the top of your legal pad with arrows pointing to where they are because you're going to want to use their names in conversation and now the interview begins now you are just on fire because
you've done your homework you're going to be getting these questions and you are looking now for signs of the poorly trained interviewer you're looking for these questions where people are saying like hey yeah um um you know it's uh it's always really um so client focus is key
right so client focus is key and what I think you're asking is have I ever had a situation where I had to exhibit real levels of client Focus despite opposition is that what you're asking they're going to be so grateful to you who who saw the mirror there raise your hand did you see the mirror okay it works guys but before you answer it when they say yes you know what you're going to do you're going to write the question down then you're going to answer the question you're going to tell the story you're going to go into details when they ask follow-up questions you're going to Pivot a couple of times over the space of the interview we talked
about pivots a few minutes ago and this is going to start feeling good it's going to start feeling really good for you you know why because it is really good for you it feels really good because you are showing off you're showing off what you actually are inside the skills that you have built over months and years and Decades of professional experience are now shining through and the interviewer is seeing them you're taking away the fuzziness of their interview technique you're taking away their ability to misinterpret a bad answer to a bad question and you're giving them stories stories are the oldest building blocks of human communication you may have heard of someone named Homer the other
Homer the word prehistory means literally the history that came to us before we wrote things down how did history get transmitted before we wrote Things things down stories you're telling stories which you're engaging a part of their brain those poor interviewers didn't know they had and finally you're going to get to the end of the interview and someone's going to say thanks for coming in this has been really great loved your stories love the experience everything's fantastic hope you're excited do you have any questions for us I hope you have some questions for them I'll show you a couple you will not Pitch you will not say what is the definition of success look like for you Mr hiring manager or
Miss hiring manager and the hiring manager say well the definition of success looks for me like like having our uh uh having our ECS farg jobs just like running like clockwork and you do not turn around and say I'm really good at ECS farg you don't do that instead you go that's awesome I feel very confident about that thank you very much you're going to exit quickly and gracefully a couple of notes you're going to say goodbye to the reception us on the way out you're going to use their name because you have it written down you're not going to ask to use the restroom in the office if there is a restroom on the ground floor of the
building you will prefer that one you will go back to your car you'll think I should turn my phone on now don't leave the premises drive away from the building and then you turn on your phone maybe you pull over you pull over into a 7-Eleven you pull over into a Park parking lot you pull it over and you you turn on your phone and that's when you send the triumphant text message the selfie what have you but you don't do it from their parking lot because why would you mess up a good thing at the last moment you can get home you're going to run an email to the recruiter you're going to run an email to the hiring
manager you're going to say thank you very much if there was one question the hiring manager had that you bombed this is your one opportunity to write a one short paragraph update clarifying your answer you should not need to because you should not have bombed any question but you never know they might have gotten you on a wild card and to the recruiter you will say in your email excited to follow up can I propose 11:00 a.m. on Tuesday for a phone
call you do all of that only total incompetence will keep you from getting an offer can't tell beond that one or I mean the reality is it is numers game guys right but you will have dramatically improved your chances you will have left those interviewers with stories and memories of a personable interesting skilled candidate with very very few
weaknesses so we got about uh 10 minutes left and so let's run through some resources for you some questions you might expect I'm not going to read all of these there are a ton of Behavioral skills out there guys uh analytical problem solving is one it's near and dear to my heart I run a software development team we that is our bread and butter Believe It or Not also bread and butter for us is spoken Communications and coping because software developers often disagree about how to build things and you want those disagreements to be very cordial um but there's a lot of stuff here there's there's being focused on task being focused on client being focused on
customer support there's being detail oriented there's being like like um uh there's a there's a flavor of detail orientation around basically Wells down to accountancy like not just being detail oriented in terms of managing details but system detail oriented in terms of making sure the numbers add up there's system reading which is the ability to to look at an organization understand the the guy who is up here in front of me uh before me talked a little he's got a workshop at 2 o'clock apparently about reading organizations from the outside I think I might go sit in on that because that sounds like a really fascinating topic okay um and these are some sample questions that you
might see and what you want to do is you want to internalize these questions enough you want to be thinking about these questions enough that you learn to re recognize again not only the question as it was meant to be asked but the question that was actually asked by the person who just got the Powerpoint deck and skimmed it 15 minutes before the interview they don't know how to ask the question all they know is that one of the three pillars of their firm success this client something so they better interview for it and you want to be able to recognize that you want to know that you're going in with probably into what may be like a
20% client facing role that's probably one of the things they're going to interview you on you want to have a story for it the two worst questions here's your cheat sheet okay this is a beginning cheat sheet you can go all over from here tell me about yourself this one is easy you are going to do your behavioral homework you're going to get all of your stories you're going to get all of your achievements for each achievement you're going to write out a 10w summary make it eight if you can keep it small you're going to map your achievements against your resume so that every significant work experience you have has an achievement or a thing you learned that
was of Earth shattering import you're going to write all that down in
order it's going to look like this yeah uh tell you about myself uh okay well I started out I have a a degree in computational physics from Harvey mik College I was afraid of interviewing so I started a company in the dotcom bubble actually started three companies in a row I'm a Serial entrepreneur I then shut down three companies in a row so you know where that went I moved over to leverman software corporation leverman software corporation I worked on mass management utilities and built the uh built an exception handling tool that reduced our bug rate in the field and our support load by 30% from leverman software I jumped over to run software development
teams for Guidance Software specializing in computer forensics a Guidance Software we launched the I was I was instrumental and led the team that launched the in case analytics project super cool seeing your project on the Marquee in Times Square that's pretty awesome right super cool about that but that was our attempt to take the concepts behind uh anomaly analysis and connect it to uh connected to computer digital forensics data and from there I jumped to dream host I did a couple of years doing web hosting in the WordPress space and finally wound up uh where I am now at a on Cyber Solutions where I run a software team uh and responsible for scq our award-winning uh brokerage
esubmission platform and now I'm sitting here in front of you today hoping to talk about another role that's going to be just as exciting how much better is that than the old way and you've got it already and then you're going to get to the end of the interview and they're going to ask you the other worst question what is your greatest weakness and this one guys you know what they're looking for they look for somebody who's introspective enough to realize that you have a weakness so you better not respond with something that's a strength we all know what that answer looks like my greatest weakness is I care too much I I don't know how to admit this
but I just I make too much money for the company it's not a strength it has to be a real weakness it has to be something that they you recognize and that you are trying to address these are the things they want to see and then it better not be any of the things they're interviewing for so here's what you're going to do you're going to go through your techn remember we spent this all this time on behavioral interviewing you're going to make a list of technical strengths and then you're going to find a weakness which is in between the technical strengths it's going to be a technical weakness I don't have a lot of
experience with rust web Frameworks that's a little niche you want it to be a little bigger you don't want to say I don't know how to code not good somewhere in between right you say I don't have a whole lot of experience with the Google Cloud it's something I've really been interested in I've only done work with one type of AWS serverless capabilities but I've never really gotten any experience with lambas and then you're going to have a twom minute story about a time that that hurt you when you really wished you had experience with AWS lambdas and then you're going to have a couple of bullet points about what you're doing to fix it and that's your answer to your
greatest
weakness and that's it guys that's the whole thing that's why we're here that's what the interviewers are trying to do what they're probably actually doing what they're looking for a cookbook for how you're going to deliver to them what they're looking for an answers to the two worst questions anyone ever thought of asking in interviews ever I hope you enjoyed it we got 10 minutes left and I am at your disposal thank you very very [Applause] much sir so you mention poweram difference right process usually the H position right and like everything you've explained it's how to be a good candidate but you're still kind of coming from a defensive like I'm justifying my value like we sck me kind
of thing right so like would it make sense to kind of go maybe more like an offens and like ask the tons of questions kind of really more like 5050 guy communication like criticize like their process in communication because then maybe the attitud should be why should you why should I for you the other way around uh we talked a lot about the power imbalance and everything I've talked about has been from the sort of this this you know concept of I'm coming to prove my worth to the company as a candidate and should I go on the offensive should I Instead try to come in and say uh let me let me ask a lot of
questions instead of pivoting two or three times maybe I'm I'm asking a ton of question questions why are you doing that wouldn't this be better and and demonstrating that in effect you know better and so you're a more desirable candidate um no and and I'll tell you why and I'll tell you why I there are two reasons there's the good reason and the bad reason okay the the bad reason is that you have an ego but so does the hiring manager the hiring manager is actually probably pretty proud of their team they like their team they know their team and when you come in if you start going on the offensive one question two questions
that's sort of like okay we cut you a little bit of slack if you start going on the offensive heavy-handedly you're going to trigger all the ego defense on the hiring manager the hiring manager is going to shut you down cold they might not shut you down in the call in the in the actual interview you walk out the door you're going to be like I showed them the H's like well they showed us what they were made of right and Bam you are out the good reason is also you're wrong and the reason you're wrong is that you're thinking that you know better about how to solve a problem domain that you've had 30 minutes of
experience to like yes you might have a greater knowledge of AWS lambas but you do not know their business problems you do not know their environment you do not know their security controls you do not know the actual usage loads you don't and the people in that room know it and have been living it for years and so instead of coming off as a very desirable candidate what you actually will come off as is someone who is incapable of learning from others
yes so I suspect I know the answer to this but I want to follow up that question um from your expertise is it better to come in and be seen as maybe not the Rockstar candidate but as somebody who will be accepted and welcomed into the team environment uh easier than to be the Rockstar candidate that the hiring manager May question and say you know what this one's super talented but I just don't know if this person's a fit for my team is it better to be a rockar technical candidate who might not be the perfect fit or is it better to dial back the Rockstar nness and fit a little better into the interview like a lawyer I will tell you
the answer is that it depends but I I would say the majority of the time you will be better served dialing back the Rockstar nness a little bit to achieve a better fit a little bit guys you don't want to you don't want to subsume yourself into it you don't want to be a Wallflower you don't want to be a pushover but if there's a situation where you're sitting there saying like I could make a point that would show how smart and how much I know or I could not make that point and I could let the the interviewers keep going and I would say if you haven't made any of those points during the
interview yeah find a good place to get one in but if you've already made it once don't do it again um you know if you have the opportunity to trade 5% of your technical rep with that firm for like 20% on on the the team Dynam iic that is always a good one more question one more question I saw this gentleman back here with the hand up so it took me 20 years of long painful experience to learn which you just stated today and many botched interviews so I'm a gs15 with the government and I am now a hiring manager I've actually elevated to my level of incompetence and all this is correct and I will also offer that technical skills
can be taught you got to be hungry and curious that can't be taught and that's what I look for and I've come in in interviews thinking I was really hot stuff and I was not selected it's to come in confident but not cocky and that is the fine balance so kudos to you sir this was absolutely brilliant Maria he's a rockar to your team for sure so thank you very much well thank you guys thank you guys for the opportunity to talk to you today uh you've been a great audience thank you to my company for letting me do this and for my teammates for showing up thank you all and I will be uh out there if you
got questions look me up happy to help thank you everyone come back at 1:00 the one and only Ricky Burke is going to deliver some amazing content and we have a great recruiter panel not all recruiters are evil and we'll be here at 2 o' [Music]
[Music] [Music] [Music]
[Music]
[Music]
[Music]
[Music] [Music] a [Music] [Applause] [Music]
[Music] oh [Music]
[Music]
[Music] [Applause] [Music] hey hey hey hey he [Music] [Applause] [Music] [Applause] [Music]
[Music]
he the [Music]
[Music]
[Music] TR [Music] hey hey hey [Music]
he hey hey hey hey hey [Music]
[Music]
[Music] he [Music] [Applause] [Music]
[Music] [Applause] [Music]
[Music] [Music]
[Music] [Applause] [Music] he [Music]
[Music]
is
he
[Music] h
[Music]
[Music] oh [Music] [Applause] [Music] [Applause] [Music] [Applause] [Music]
I you I'm just try to give you [Music] something I'm just I'm just give get something [Music] [Applause] [Music] [Music]
[Music] [Music] I'm just I'm just [Music] in I'm just dring I for you I'm just trying to give you something [Music] w
[Music]
[Music] a
[Music]
[Music]
[Music]
[Music] [Applause] oh
[Music]
[Music] a [Music] d
[Music]
[Music]
[Music] [Music]
[Music] a [Music] [Applause] [Music]
[Music]
a [Music]
[Music]
[Music] [Music]
[Music] [Applause] [Music]
[Music]
[Music]
[Music] o [Music]
[Applause] [Music] he [Applause] [Music] [Applause] [Music] [Music] n [Music] he
[Music] [Music]
[Music] TR [Music] hey hey hey hey [Applause]
hey hey hey [Music]
[Music]
[Music]
[Music] [Applause] [Music]
[Music] [Applause] needs no introduction and let's thank Him in Advance because he is doing this and then one second later he's sitting on our panel which you should not miss and uh because I've heard a lot of talk today about recruiters and how evil they are so it'd be great for you to just talk to a bunch of recruiters or hear from a bunch of recruiters so you can get some different perspectives on things and uh and then he's going to do his uh his third session we are going to do for the first time ever this year uh Roundtable discussions we're going to have three of them going on at once at 3 pm. so without further Ado this is brute
force your job application with Ricky Burke [Applause] I was to they're very cool okay everyone hear me okay cool um well thank you for being here during I think lunchtime so really appreciate that so really hope you get some value out of this this talk um so I'm Ricky Burke and we're here to talk about brute force your job application so just to sort of kick things off I'm from Australia uh at least the last 10 years living in Australia um yesterday I was outside um doing my presentation document and some sort of bides t-shirt that I was wearing and said oh which bide is that from and I said bides Brisbane and then they looked at me like
I said Mars so Brisbane it's Australia it's a far place um with famous for sharks famous for winning medals in the swimming at Olympics surfing kangaroos Bluey which I believe is pretty popular over here and I saw gets over a billion uh minutes played per week in the us alone which is amazing uh drop bears we're famous for bin chickens also known as Ibis and we're a pretty big country um so we're about 78% the size of the US in terms of land mass but we're a tiny country in terms of population so we're about 78% the size of the us but we love cyber security we've got a very vibrant cyber security community so I'm very proud to be here today
because I've been here for three years in a row uh doing resumé reviews I love doing community stuff and um honestly very happy to to participate hopefully again offer some value and again this is b as Las Vegas the original um in Australia we've got six this year um one of which I think competes size-wise we've got one at 3,000 people so if you ever w a technical conference in Australia bsid CRA is a pretty good one to go to although outside of that there's maybe not much to do in CRA so I'm Ricky burck um I run a cyber security recruitment company um yes as kirston said recruiters can be evil um I try not to be one of those um so I've
been running a cyber security cyber security recruitment business for over seven years uh recently soft launched a cyber security careers platform to try and help help people get into this space because quite frankly a lot of people need help and I love to do the community stuff so I'm very lucky and fortunate to run career Villages back in Australia um so besides CRA Melbourne and a bunch of other things this year I'm speaking here I'm speaking at black hat tomorrow and as a recruit I can't help every person find a job directly but we can help in other ways and that's what we're about so today is about empowering you with information with tactics with strategies
with information not just hear some resume tips and do these three things and you'll get a job because it's way beyond that um but if we can help you with the tools the strategies techniques not just today but for the rest of your career hope y that will help you stand out whenever you're applying for a job and hopefully jobs will come to you as well so talking of jobs because it's a pretty important topic um job hunting can we raise a hand if job hunting sucks okay I think nearly everyone so that's we're on the same page so the agenda today we're going to go through a few different things first is what I call the foundational building
so we'll talk about essentially identifying what you want to do in your career what's the next step and having a deeper think about really what you bring to the table for employers building a brand I hate hate hate that term um if anybody has a better term please let me know CU it sucks it sounds really cheesy but essentially I want to talk about building brand resumés also suck but they are important because realistically without them you won't get most jobs proactive job hunting is something I'm very passionate about again this goes to you can't we I can't help every single person apply to for a job but if I can teach you how to apply in different
techniques then you can help yourself interview interview preparation is really important and then navigating job offers so we'll go through this life cycle of basically job well looking for a job to in a job and hopefully jobs coming to you in the future so identifying career goals is important um just to out of Interest i' curious I guess our audience stage in your career who is either looking for their first job or near looking for their first job or at the early stage of their career in cyber security okay and who's already in the industry and may be looking for progression in the near future okay that's that's really helpful so that helps me narrow what I talk
about and expand what I talk about so for some of you folks you're already in the industry you know what you're doing and maybe you you know what you want to do next for those early in their career I tend to find there's a very similar conversation people coming to me with I want to get into cyber they don't realize that cyber security is made up of lots of different jobs that it requires lots of different skill sets so it's really important that if you know the job you want to work in then you can work backwards in terms of what skills you need to acquire to basically be useful in a job also understand the job market so again
I can reflect on my experience in Australia but I'm sure there'll be similarities here as well is as an example I'll speak to someone and I've had this conversation last few months they want to be a malware analyst it's their passion they love going deep diving into malware but then there's no jobs for a malware analyst unless you want to work in government Australia is a really low maturity level for certain types of Niche roles out there and this is one of those and the same goes wherever you may live in your town city or state that you may want a certain type of role but if that job isn't out there then you have
to be realistic of what else is out there as well um so there might be jobs but maybe not the jobs that you actually want to work in and then we'll go through developing the skills to help you stand out so this goes that first question is what do you want to do that's really for the people trying to break into this industry of understanding do you want to be a pent tester do you want to be an application security engineer do you want to be an architect all different skill sets that essentially require different type of skills you can't just I just want to get my foot in the door and make that work you need to bring
something to the table ultimately it's about solving problems and the quicker you can identify the ability to solve certain types of problems because you bring experience or skills to the table the more chance you have of actually Landing a job so this is the big thing again I know we've got some experienced folks here but just for the more Junior people out there is you can't rely on I just want to get into cyber because it is is a Big Field Big Industry lots of jobs we don't help ourselves with job titles either um because you can work in a consultancy in Professional Services as a security consultant but there'll be people that are pentesters and GRC Consultants they
couldn't be further from the truth or further from each other but they're working in s different jobs the same job title and security engineer as well you need to look at a job title that says security engineer but really understand what are they trying to achieve it because is it a cloud security engineer role is it application security is it network security in some of the tech companies some of the red teamers or pentesters have security engineer as their title as well so we're really bad in this industry with job titles so I think really important is to understand the underlying context of that now question and I appreciate um kon's going to be a runner here
um it might sound really simple and basic but why do companies hire people in the first place if anyone has an answer please raise your hand if you're not shy yeah like you said earlier to solve a problem I gave it away didn't I um spot on um is to solve a problem and we give get caught up I think when applying for jobs of we'll cover resumés later on because most people's rums are garbage um but essentially companies don't if we just focus on cyber security they're not spending millions of dollars in cyber because they want to but no no business spends money because they want to they spend it because they either have to or there's rules and regulations
in place and essentially is to solve certain types of problems and if you understand the underlying context of the problem you're trying to solve because even if we look at say an application security engineer the role isn't just to do certain types of activities in terms of securing the sdlc pipelines and um threat modeling and things like that but if you take a step back and understand what what are we trying to achieve here it's about essentially helping developers do secure code and there's lots of different activities then to work towards that but there's different skill sets that you need and this is this is the issue with cyber people look at it I know it's more mature now but
it's still and Niche industry I know for us folk here in there's thousands here and there's going to be even more at Defcon and black hat um it's still Niche industry by other standards but then within that there's so many niches in this space that ultimately it's about what you bring to the table what problems can you solve and then during this application process when you're applying for jobs it's your ability to communicate how can you solve certain types of problems this is the issue for a lot of people is you'll be one side the job is the other side and often there is a skills knowledge or experience Gap the sooner you can identify to an employer
or potential employer what you bring to the table so what skills what knowledge what experience what problems you can solve you stand out so easy and when we talk about solving problems for me it's it's understanding business context and coming to the table with again understanding the underlying foundations of why the role exists and then demonstrating to them what outcomes you can do and when you can convert that into metrics numbers outcomes you show that you're thinking on a very different wavelength to a lot of other people out there um so where possible is you try and convert things into metrics into numbers into percentages saving money saving time the two biggest assets out there but also it helps you identify so
you might be here today the job that you want is over here do you know what the skills Gap is so as an example let's pretend you could be someone who's early in your career or you're looking to go from one level to another so it doesn't really matter whether you're looking for your first job in cyber or whether you're a seeso looking for the next executive leadership role there might be a gap there and your job is to understand what is that Gap and what do you need to do to bridge that Gap so if I simplify things a bit more let's pretend I'm an application security engineer and I want to be the engineering manager now that's
my next step you don't have the experience yet so that's your Gap but what can you bring to the table that helps validate that you can do that so if you don't know that the easiest thing you can do is then having a network having relationships having people out there that you can talk to so LinkedIn is a very powerful thing to use and I think people admittedly LinkedIn is just a glorified recruitment platform and then it masquerades as social uh business networking but it is just a recruitment platform but you can network with people out there so if you basically reach out to a whole bunch of people that work in the job that you want to work in connect
with them start ask them questions there are so many amazing people in this industry that will help you so if you reach out to 20 people not maybe not every single one of them but the vast majority of them will respond to you and will offer you help because essentially people love helping each other in this space so if you're asking someone what skills do you use how did you get in that position you'll find common themes in terms of the skill sets the experiences what that person did and now you know what you need to work towards to bridge that Gap and make your job a lot easier Landing that that next job again I hate this word brand um does
anyone have a better phrase no profile profile I did have profile on there but I deleted it rep oh I like that okay I might use that next time thank you so this is what I think of when I think about brand it's like Tik Tok influencers and just just [ __ ] to be honest with you um this is how I feel inside every time I hear the word brand um so I will start using reputation so building a reputation I love it why okay so here's an example I I got a really nice intro so thank you for that earlier um I'm here from Australia why the hell is someone from Australia traveling 30 hours door too to come and
speak to folks in the US um I'm pretty lucky that I've managed to build a reputation um that sounds wanky um so on on LinkedIn I'm pretty active I've got 40,000 followers which is okay there's plenty more people out people out there with bigger following than me um but ultimately I think I do pretty well on LinkedIn I'm very lucky where I've built a business that essentially know we generate seven figure revenues every year and we're not a traditional recruitment company we're not doing the usual Sal crap that a lot of recruiters do we're not we're not doing those same tactics a lot of things come to us because of reputation so in terms of the things we
give back to the industry in terms of the help that we give people in terms of just consistently delivering those things matter and again just reflecting back on the original slide here is all of this stuff is because seven eight years ago I just and if I'm honest if you I never intended to build a brand or reputation I just wanted to get involved in the industry because it seemed fun and I'm very lucky that I got to speak at something then got to speak at another thing and things keep growing now I'm running career Villages at conferences and doing different stuff so these these things do take time and I wouldn't be here today if it wasn't for all the
stuff that I done for seven plus years in the industry but ultimately it's about building trust building awareness there's a lot of charlatans out there and there'll be people out there that essentially do things for the wrong reasons I think what is good the majority of the time this community is really good at calling [ __ ] and people that are very um self- serving get found out not all the time but they do get found out but this is why I think building a reputation is helpful because if people trust you if they have that awareness first of all jobs come to you and let's be honest we've said job hunting sucks applying for a job online
sucks um when you go online you see a job that you like you go through the process you fill in the details of just either submitting or you fill in these horrible platforms like workday um and it just disappears into a black hole and sometimes you never hear back from the the company and it's and it's demoralizing it's not a fun process and what's a lot nicer is if jobs come to you if you're being approached for jobs and essentially you don't have to look for jobs because your brand your reputation is working for you in the world and essentially again people trust you they like you I want to work with that person and jobs will come
to you so that's really helpful opportunities like presenting at conferences the more you do things and if it goes well when people get value out of it the more you get and again the more you give the more you get but you don't do it to get back you just give and hopefully people like it and hopefully it works but essentially it's not a bad thing at all if you give back and people get value out of that that's a nice win-win scenario for everybody when you're a manager it's a lot easier to hire people if they know you um so there'll be hiring managers out there that essentially they have a job they post it on LinkedIn and people
come to them because they know this person and they want to work for that person there'll be other hiring managers out there that have no brand no reputation no awareness and they might post a job but no one sees it because they don't have the network they don't have the credibility they don't have the trust so not just from that perspective of about jobs in the future but also potentially as a hiring manager if you have people coming to you when it's a very challenging environment to hire good people then that's a lot easier as well the bigger the network the more things come to you so there's the old saying that it's not what you know it's who you
know but it's also who knows you and it's just again things are a lot easier if more people know you and then again the opportunity to give back it sounds cheesy but honestly it feels good um if you know that people get value out of essentially advice and insights that you that you basically offer it feels weird or or cheesy but honestly it feels really good to make a difference um I I've done a ton of stuff over the years and things that I even forget sometimes and I I get people reach out to me and say hey that thing you did three years ago I followed your advice and got a job it's like cool I
never knew that like I you never know how many people that you actually are impacting but to get those bit of feedback every now and again like you know that it's working and you know that people are getting value and that's that's really important also it's fun um um I'm very fortunate where I can go to a conference in Australia now most conferences and I don't even need to talk to anyone because fortunately they'll come to me because LinkedIn and it helps honestly I in my job and my capacity I meant to be an extrovert I'm not I feel so bloody uncomfortable walking around a room even worse with masks and you can't recognize each other
it's really awkward I don't feel super comfortable walking around the room and just going hey I'm Ricky what do you do um some some people do and fair play to them and that in itself if you can build that tolerance that skill um CU it is like anything it's like a muscle um it's a very powerful thing because you'll see people out there and there'll be someone sitting on their laptop sitting on their phone it looks like they're busy basically they're lonely because maybe they're in the same position as you and just a really quick tip that I use myself CU I went to a conference in Switzerland recently did not know a single person and I I felt super
uncomfortable so so I set myself some just small goals so in the morning speak to three people and the way I would do that is I would look for other people on their own as well it wouldn't always go to plan but essentially look for someone else on their own because maybe they're like me and they don't know anyone else as well and the ideal thing is when you're in a queue for food because essentially no one's going anywhere you're you're behind each other and you say oh hey like what do you do or how's the conference just open questions how's the conference or what have you seen today who who did you see um and then oh what
do you do and it just flows from there but open questions are really really important so if if you don't know open questions who what when why how um if you ask a closed question you're Ted to get a closed answer did you have a good conference today yes cool or how was the conference it was really good now you can expand the conversation and honestly you just never know where these things land I know people that have met their partner at a conference there are a ton of people that that get jobs from conferences and maybe the goal isn't I have to land a job that's too much pressure but it's just starting small
but if you can again set a small goal a few questions then you go cool I achieved that goal then in the afternoon I'm going to try for five people and then every person you speak to say hey are you on LinkedIn yes I am or are you on Twitter or X um oh do you mind if I send you a connection yeah no problem if you do that every time you go to an event a Meetup a conference that compounded over a period of time really really helps because this industry is such a small place and you just never know where these things are going to take you and you may bump into someone
that may be able to refer you to a a job in the future or you just might meet some friends or you just may never speak to them again but ultimately the more people that know you the easier life is so building a reputation so I'm going to be really honest you know what I'm very lucky that I've you know got this thing on LinkedIn but I never did it with any intentions and I didn't follow these steps it's now that I look at what I've done or what other people do reflect on that and go right this if I was going to start from zero this is how I would do it today so
Define your target audience so I had a really good conversation with a ciso last week we were talking about the same sort of thing and his agenda or his target audience would look very different from someone who's maybe looking for their first job in cyber now from his perspective he he's not looking right now but he's thinking 6 months 12 months 24 months he's thinking about his next uh next role in the future ultimately the more people he has at the level that essentially would hire him the better it is for him so for him he needs more people like CTO CEOs um C- level people he needs to be connected with those because if
he connects with all these people he then shares content that is valuable for these people and they get insights and they like what he puts out there then when they have a job at that level who are they going to go to if this person's front of mind because they keep posting good stuff they go I like this person and they're sharing good info I I would like to work with them he's going to get reached out to by potentially that company as opposed to apply for a job and trust me leadership roles are really hard to attain as well so even though these folks at the top and their csos and they're the top of the tree in terms
of cyber security roles it so challenging for the C Level people either to get that first job or even to get the next job because competition is so high a huge percentage of the industry want those jobs um so again it doesn't matter what level you are but if jobs come to you it's so much easier but then you've got the content type so you've got well some people like writing things some people like sharing photos some people like doing different things honestly it doesn't really matter what I think just work to whatever you're comfortable and then go from there um and it gets really tricky of like what do I post and we'll touch on
that as well but essentially work to a medium that you're comfortable you don't have to do something you don't want to like I do videos sometimes but then I go through phases where I do not want to put myself through it um you know sometimes in the flow and I'll do a video one take sometimes it takes me 20 and that's stressful in itself but the interesting thing is the algorithms change all the time with LinkedIn and platforms like that where if I'm honest with you I think written content with no pictures works really well at the moment so at other times you'll get recommendations of a picture and other stuff and whatever but if you just speak
to what's true to you then you're more I think mindful that it will come through as more natural rather than just trying to force something as well and then the consistency um I I'll hold my hand up I don't have a Content calendar I just make [ __ ] up and just do it on the fly but I'm so in a rhythm that I tend to post I looked at my stats recently and I've posted 365 Post in the last 12 months so unintentionally I posted a post a day but sometimes it was three or four four posts one day and then nothing for four or five days um but if the average person starting out
was at zero and you want to get somewhere two three posts a week would be really good and then you think well how the hell do I do that many posts what do I post about we can talk about that as well um but if you for example set time aside where it's just to take some pressure off an hour a week and you think well I'm going to do a few posts this week um and then spend some time figuring out what those posts may be you can schedule posts on LinkedIn as well so you can then go right for this hour I'm just going to work out what I'm going to do for the week schedule the post and then
you don't have to worry about anything so just set and forget and then you're good um and then the engagement is really important as well so it's not just about posting it's about connecting it's about commenting on other people's posts if you see something and don't just comment for the sake of it because you'll just sound like an idiot but if you actually see something where oh that's really interesting and just comment oh you know good post or good research or offer insights or offer more you know content apparently and this is a thing I picked up recently if you comment over I think I think it's 12 words on a comment then you're more likely to get more
interactions and that's an algorithm thing on LinkedIn so again being mindful of playing the game as well of LinkedIn so the rules change but if you get an idea of how they work that's pretty helpful as well and then collaboration so if you see people that like things that you like and share ideas you can do podcasts you can do posts um Kirsten tagged me into a photo earlier collaboration I will take that I will then take that to LinkedIn I will then do the do likewise and then we're helping each other unintentionally but that's what happens so your network grows through other people as well you of course have to be mindful that you don't want to do that
with the wrong people so did your research um but essentially you can help each other build your brand um and again that sucks saying that but it helps um but also going back to that first thing of um connections basically be very intentional about the community or the the the type of people you'll be connecting to with so it could be just people you know let's pretend I'm a pentester and I just want to connect with other pentesters because why not I can learn from other people I can connect to other people we can share ideas that's really cool if your intention is I want to land a job well you probably need to know more people at
the next level or level higher that hire for the role that you do so send connection requests uh what works really well and apparently you get a higher hit rate if you send my message but if I talk about my experience I've got thousands of connection requests most of them have no uh message but if you if someone to send a message to me and say hey Ricky enjoyed your presentation at bsid Las Vegas or I saw you over there or I enjoyed this thing and' be great to connect I'm so much more likely to connect with someone because there are people out there that won't connect with someone they've never met before but if you offer to say hey I
read your book I saw your news article or uh I've read some research that you did 3 years ago like that's personal the more personal you make it the more likely you'll be in terms of getting those connections which helps and this is really really important is is not try not to make it about you um a good example is let's use recruiters um if you look at look at most Recruiters on LinkedIn or Twitter Twitter's the worst when you see it it's when they just post jobs that's it like there's no advice there's no insights there's there's nothing all it is is just posting jobs all they're looking for is people to respond basically
they're just asking rather than giving so if you can share insights if you can share advice if you can share opinions people get to know you the human behind the job title and that's really really important and people may think well I'm 16 years old um we have sorry to point you out I met a you still 16 I met I won't say your name just in case you don't like public stuff 16-year-old at bsides Barcelona a few months ago and like one it's unusual to meet teenagers no offense at a conference and then to him talk about the research that he was doing I was like [ __ ] this this kid kid I'm sorry
but technically you still are um it's impressive genuinely impressive and then he said he was going to Defcon and bsid Las Vegas I was like who does that and that's just amazing and then you I gave you advice about building your LinkedIn sharing insights like sharing photos and sharing things and ultimately it helps build your network so again you don't make it about you but you make it about sharing giving back because there might be other people that that you're going through the same sort of things but again the point I'm getting at is you might be no offense 16 or you might be 30 or 50 or whatever and think I don't know what value I offer um
I've never worked in this job before how the hell can I provide value to other people the thing is you can document your journey you can talk about going through things like starting out in bug bounties you could start talk about going through hack the box you can talk about different things just document your journey because other people will be at a different point and might find it interesting or they might learn from you or you might get other people go oh I respect that that person's trying and they might come and then give you advice as well but essentially you never make it about you you try and just offer things for other people that hopefully
again they get value out of and this can work really well like if you have no ideas what to post just use what's out there you don't have to be original you don't have to create things and be uh I'm going to be a thought leader um basically first of all just Google news I'm just going to Google some hacking stories or this company got breached last week um or you might find some interesting research topics or a blog or something like that a good well I like to think a good example is this so um so I'm showing my whole screen here um so if honest with this is what I did many years ago cuz I'll be honest I was
I felt very intimidated um I went to my first security Meetup as a recruiter I went to a really technical Meetup with just a bunch of hackers and I was thinking to myself what the hell am I doing here like everyone else is like Elite hacker and then there's me I don't know [ __ ] but what's really weird is people can be really nice I went and spoke to the the organizer 3 years later I'm going to his wedding like this industry is weird in a good way but then in terms of posting content again I just went looking for interesting things that I thought oh that's cool and what's really cool is I know a friend of mine did a
red team engagement using a tool that I found on Reddit so I posted something on LinkedIn because I just went looking for just they've changed this from from a few years ago but essentially I just went looking for something interesting I would look for the amount of comments or UPS or whatever they phrase it just to validate is it actually interesting for other people I check the comments out because in case someone's calling [ __ ] on something I don't want to then post something that then people then say is [ __ ] for me but if people like this thing then hopefully other people find it helpful as well so grab some links share it on LinkedIn
I talk about collaboration so tagging in the person who actually authored the post the research as well because it will help hopefully help them as well because more people that know them it might help and again you never know and it was really weird that my friend messaged me at the blue to say that that post you shared I used that tool and I used it on an engagement so it's really cool but essentially you can just do that Google hacking news there's just the stuff is out there you just need to use it and then things like a conference is a really good opportunity so I spoke about a SEO that I mentioned earlier so
I feel like his LinkedIn profile didn't do him justice so he had about 1,700 followers this guy is really good at what he does he work he's worked for respected businesses he does a lot of stuff in the community he doesn't put himself out there enough and essentially he wants to have more things come to him so he spoke at an AWS event in I can't remember somewhere in in Asia recently and he only had one post about it but I said to him you can do three four posts on that one thing because you could have like leading up to it you could have a post uh really looking forward to speaking at this conference in two weeks
time then a week before the conference can't wait to attend this conference and watch this presenter speak at the conference you could take a photo doesn't have to be a selfie it could be literally a photo of a room or the signage or whatever just to say basically I was at this conference and then another post after of basically sharing insights of what you learned from the conference as well so just that one event you could do three or four posts and if you go to a few conferences a year then that's suddenly a number of your posts without even thinking about it um and blogs as well some people I find don't do themselves Justice they'll have research
blogs they're doing really interesting stuff but not enough people see it so it's one thing for you to create your blog have it out there and your research blog could literally be your your journey of um doing hack the box or pentest the lab or could be whatever it may be but you could then take those posts and then put it on LinkedIn as well or put it on Twitter so again hopefully more people see essentially the core stuff you're up to and might get some value out of it as well so in essence if you post three to five times a week which sounds a lot if you don't post at all it can feel a lot but
if you go through the sort of advice that I said it's not hard literally dedicate an hour to Googling some news on cyber security there's two two three posts add connections so if you're consistent with building applications sorry applications building your connections and just again dedicating even half an hour or something a week to go right I want to build my I want to say target market but essentially your target audience or your connections you just search LinkedIn for this type of person in your area even better because hopefully you may even be able to meet up with some people and a really good example of that is a friend of mine who I don't think he's here today but he's
he's somewhere in Vegas he's over from Australia he's pretty senior at the company he works at about 5 six years ago he was told by a recruiter it's going to take him five years to become a pentester and he he said well [ __ ] I'm going to get there quicker than that so where he lived he basically went to the local meetups connected with many as many pentesters as he could and then basically started taking him for coffees for beers I'm not recommending that cuz I don't want to give you advice and then you meet the wrong person and then life goes wrong but I'll just say this is what he did um he met lots of pentesters
and he basically found out what do you do in your job what skills do you use he went basically understood what was that skills Gap then he realized that not just the skills Gap but he also realized what value he could bring as well so there is a a typical thing um unfortunately for maybe a lot of technical roles that sometimes the communication skills or customer facing or salside sort of balances the other way and he realized that from his experience working as a developer working as an architect he had lots of customer facing experience he could talk to customers engage customers he could do scoping he could do things that a lot of pentesters basically just didn't want
to do so when he landed his first job it wasn't entry level he got a first job as as a senior consultant because essentially he could demonstrate to the organization the value he could bring and this is really important for everyone to try bear in mind especially for those early in their career often you're not starting at zero you have something to offer you just need to work out what it is so where is what is the thing this goes back to problem solving he identified that in his capacity as a pentester the other pentesters couldn't scope couldn't manage the customer couldn't manage the engagement they just wanted to hack [ __ ] but he could do that
and because he could offer that the company saw value so he got the senior role he got decent salary now he's put in a position where he's moved on from that business working for a billion dooll tech company uh managed over 50 people and is on a really decent career trajectory and it was only five six years ago he was told by a recruiter it taking five years to become a pentester so one don't believe recruiters which negates this whole topic um because most recruits don't know [ __ ] but there's a lot of things you can do so please remember that you have something to offer you just need to work out what it is and this goes for folks
that have never worked in it before so things to bear in mind is in cyber security yes it's basically a technical industry but you don't things don't happen if you can't communicate if you can't influence and it doesn't matter if you're a pentester who's basically hacking [ __ ] because if your report is garbage and that doesn't influence change in your customer or your company then you could be the best hacker in the world but if you're if you can't write a report that influen this change that has actually impacted the business then you're no good you could be an average pentester but fantastic at writing reports you actually make a difference so there's lots of things out there
where there's people that come from Hospitality backgrounds working in retail your customer facing skills working under pressure like there are some really good people out there for example that have worked in the kitchens working as a chef working as a cook like if you work in a sock you know that's very transferable there yes it's not technical but you can work Under Pressure so again it's knowing how to extract this role here and the similarities um so again I've gone off topic a little bit here but I think it's really important that you for most people you have something to offer you just need to work out what it is but essentially you need to build out those
connections in the first place to understand what is what is the skills Gap what is the experience Gap but also what you can bring to the table as well and then repeat so I'm just going to show you an example I'm desperate to try and get that to 41337 so if anyone wants to follow me you're very welcome to um so just like resumés this is an this is an opinion so what I say is not fact it's just my opinion that works for me and works for some other people too first of all is LinkedIn recommends that you complete these I think seven steps or nine steps whatever is for an Allstar profile follow the advice don't follow
the advice about giving your passport details to verify your profile like no I'm not giving that company that information but essentially just fill in the gaps of the other stuff so here I've got a a headline they call it so when someone searches something on LinkedIn um essentially they'll see like my profile they'll see the headline so straight away people hopefully understand that I recruit in cyber security and I'm involved in the community like that's I'm happy people knowing that and if they're interested they'll look at my profile then you've got the about section this is think of LinkedIn as your online CV I know people that P put more effort into their resume than their
LinkedIn profile the reality is there are way more people that are going to see your LinkedIn profile that will ever see your resume so either transport transfer the information over or just put more effort into your LinkedIn profile so quickly if someone just looks at my profile they'll see that I run cyberset people we're a recruitment business um they'll see that I've done a bunch of IND stuff and that I'm passionate about neurodiversity those are the key highlights so if they like it they'll they'll continue then you've got your posts um I said recently like again I'm a bit sporadic with my posts I've posted think three times in the last week but here's a post on this conference I'd
like to mix it up I love memes and just creating them sometimes they work sometimes they don't but um I just try and add a bit of humor um no offense to students out there I'm sorry um and then I post the odd job post as well um but I'm not a recruiter that's just posting job post job post job posts I'm trying to offer value you might recognize that um so there's my sort of two three posts about the conference and then upcoming stuff but again I'm a recruiter we we're working jobs of customers but hardly any of my posts or one in five one in seven are at about jobs so again I like to share
insights I like to share advice um because if I'm honest with you people get more value out of that stuff than the OD job placement and then you've got your job stuff so I'll call my hand up here I haven't done a great job of it mine's pretty nothing like that is literally the description of my my job I've been running business for over seven years now but it's quite self-explanatory but you can do this in your job again think of it like your CV you would write what you do in your job um because ultimately the more information you have the more people going to find you and just to sort of reiterate what I said earlier
about connection requests I can't accept any more connections I've nearly tapped out because Link in I think it's 30,000 connections they allow you to have um and I'm sorry for any people here that I'm sort of sharing names and stuff but if I just scan through this they'll see one thing here here but the rest like it's I'd say less than 5% of people actually write anything and normally when I could accept LinkedIn requests I was a lot more inclined to accept the ones with messages um so again if I were you I'd be adding a just a simple message um essentially to connect with people and why you'd like to connect and talking of connecting I'd
like this to connect there we go so resumés um like honestly resumés no one likes them no one likes to read them um we're in this this holding pattern until something changes if I'm honest this where I think linkedin's pretty helpful because ultimately I I actually don't disagree with this stat and it's a really horrible thing to say out loud um but I don't read CVS um I no offense but I'm not interested um what I am interested in is scanning your CV for certain data points so I want to see your job titles I want to see where you've worked I want to see the how long you've worked in organizations hopefully you've got some
stuff in there on what you actually did not the activities but what problems you solved what what difference you made to a business and then maybe some sort of technical stuff if you have technical skills in the profile that's enough ultimately most people are not very good at selling themselves we're not taught how to sell ourselves but this can be really helpful where again I'm just scanning something because I'm more interested in getting to know the human behind the resume so no hiring manager if a com if a company advertises a job and someone showed me yesterday they had 3 approximately 370 applications for a job no one's reading that like if it takes Let's Pretend two three minutes to
go through that like you're talking close to 1,000 minutes 7 800,000 minutes to go through the resumés then get back to every single person like it's challenging and recruiters get a bad rep and if I'm honest I think that's right most of the time um you can still respond to people say they're not successful because at least it gives people closure But ultimately looking at LinkedIn looking at a resume I'm just scanning for data points so again it's about the right information um so I talk about this then I'll talk about the importance of what information to actually put on there but essentially we don't like writing them people don't like reading them and it's it sucks um
the truth is keywords do matter um there's certain things on a resume and again this is just opinions because I I shared and I'll share with you as well an example resume um how we doing for time by the way how we doing for time I'm laugh I'm sorry that's okay um so keywords do matter and it's about the right information so I'm just realizing I got 13 minutes and a bit more to get through so I'll I'll rush but essentially there's no excus excuses for certain things poor formatting on a CV in terms of like grammar and stuff like that there's just no excuse with the tools that we have out there spell check and grammar and
whatever like what really makes me laugh is when you see attention to detail on as a skill on someone's CV and then they've not spelled certain words correct um interesting um being too vague generic um people don't this is a tough one tailoring your application to a job but essentially if you can see what they're hiring for then you can tailor it but you tailor only small parts like you only need to do a few little bits um you don't have the important information inform in there and too many pages is a real bug there so some people say one page some people two pages I won't pretend there's like a magic number I only say there's
there's just too much is the wrong thing so what happens with most people is they don't start from scratch they'll have a resume they've had for years then they either need a new job or they want to get a new job so then they update their resume so they've already got this four or five page resum now they add their new or their latest job on there and they just keep adding adding adding and now now we've got six seven eight page resumés and the truth is no one's reading that so resumé writing is a skill personally I don't think you need to pay someone to do it I know I know there are people out there that do it
and if there's anyone in this room no offense but maybe you are good at what you do but there's too many times where I've seen resumés from people that have paid a lot of money and it's [ __ ] um they could have saved money and just done it themselves with just advice in my opinion um these are some of the most nauseous creating words I see on CVS like it's different if you can back up things but if you just put um you know terms of your soft skills or skills that you're a team player you are passionate you're innovative we validate that back it up with examples but essentially they're just they're just words and you need to be
really careful again resumé writing is a skill and if you can demonstrate the ability to articulate very concisely you're showing another skill set as well again which is really important in an industry where you're trying to communicate you're trying to influence other people to make decisions so if possible I'd say like take some of this stuff off because it just it's just words it mean it means nothing in my opinion some of the most important things you can do is outcomes so a lot of people their resume will look like they've just copied and pasted a job description of just list of responsibilities the reality is a job jobs in different businesses look the same if you're a level two sock analyst
in one company Chan is I level two socker analyst bar a couple of things is very similar same as pentest over here p test over here but if you talk about the actual outcomes you delivered the difference that you made it's a weird analogy but if you imagine you have a twin you both go through the same education you then go and work at different places but you're both working the same job you have different experiences depending on where you work and it's the difference that you personally made the impact that you made and when you can convert that into metric again you're showing yourself up here to compare to most people so obiously on a CV for someone who like
who was working in a stop managed to respond to security incidents well yeah no [ __ ] that's the job but what did you actually do and when you can basically break it down to something like this where you reduced downtime or you reduced different things or you showed saving money you're shown that you have a real impact on the business itself this is what most pentesters rums look like is it will say pentester company the time they work there and they will just list web apps mobile apps and code review or something like that and again no [ __ ] that's the job you you hacked stuff well done but what did you actually do what difference did you make
for your for your customer or or other organizations and again if you can show Saving Time saving money reducing things again you're showing real impact to the organization itself a takeaway really about resumés if going through all of that for me trying to condense it down if you can demonstrate these things then you're doing a better job than most people in my opinion you focus on the like if your resume is three four pages it doesn't matter it's fine um but if you can just again demonstrate outcomes achievements making a difference that you made that's it that's that's you honestly above 95% of most people because most people don't do that here's an example CV some people might
not like this and that's perfectly okay but in this scenario I'm a level two sock analyst and I want to step into more of a level three type role I'll try and zoom in so a bit like LinkedIn I've got my sort of headline where I'm doing basically that's the role different scenario here but I'm putting I'm an Australian citizen what that does do that basically basically says to a potential employer you don't have to worry about working rights I can work here obviously that needs to be validated but essentially that stops a lot of applications because a lot of applicants don't have working rights and essentially unfortunately a lot of organizations may not be able to hire
someone that needs sponsorship um location I don't put my address I put basically the city or state that I'm in a company does not need to know your address if you think about your resume chances are at some point it's going to get leaked somewhere so think about what information you want leaked from your resume um real scary thing is I've had resumés from people from overseas and they've had their passport details they've had their their parents passport details I don't know what the thinking behind that is um but that person apparently works in security um sorry go figure um I'm very conscious of time so I'll try and uh get through this without over overdoing it essentially I've got
my profile here I talk about who I am what I do and what I'm looking to do next um I talk I have skills on there so this is I did actually share this on LinkedIn and some people gave different feedback and again that's okay but I'm thinking about my perspective as a recruiter I'm searching for keywords I'm searching for certain data points and if I see certain information in terms of the key skills um you know certain Technologies I'm interested for example if I see a level two stock analyst with good python skills and instant response I want to talk to that person it's as simple as that um again some some companies will hire very sort of um hyp
because of their certain vendor skills um the reality is and I forget the the recent headlines but a lot of companies will look for people with crowd strike skills because they're already using environment and they might not need to then train that person up so that can be helpful in this job here I'm not listing my my responsibilities because ultimately I'm expecting this person this job to to be reviewed by someone who knows what they're doing it's not always the case but I'm hoping they know what they're doing they know what level two sock analyst does so I've just got a high overview there but then I'm talking about the key achievements where I've made a
difference same again I'm not list all the stuff that I do in my job because ultimately that's just the job itself that's just the activities but again we're are making a difference um I like to put this on here what was interesting is some people didn't didn't think this makes sense in terms of conferences and meetups personally if I see someone's resume and they're going to Black uh Biz Las Vegas they've gone to Defcon I'm thinking okay well you're you're my sort of people um you invest potentially you're investing your own time and your own money for yourself that tells me you give a [ __ ] about your job your career and you're actually interested there'll be certain
conferences that happen that are that are more corporate and that I know this is during the week I'm on Australian time zone I forget what day is um but there'll be some conferences that are on a Tuesday and Wednesday and it's more formal it's all suits and it's basically people are there because they have to be there a lot of community conferences tend to happen weekends and that's where essentially people demonstrate they're there because they want to be there um you know when people give out their own time and their own money that's that tells you they care and again if you put on a resume certain people will resonate a lot with that so that is that part
and the question is are we going to get to finish this presentation in time well here's the good news since you're the next presenter also I was thinking uh we could 120 more seconds and then if you have questions this panel includes him and you can ask him questions during the panel because it's going to be interactive does that work for everybody all right no choice it works anyway this is okay I'm going to try and do this quickly this is one of the most important things I think in this presentation basically live job hunting um can someone give me a job title and a location anyone direct detection engineer Texas okay so let's pretend I want this
job I'm going to go on I don't know the best job board in the US but if we I know indeed let's just go indeed so
let's just go Texas okay yes I'm a human at least it's doing its thing all right so let's just pretend this role here this first one so uh threat detection engineer quiry group in Houston so I'm going to take the company name I'm going to go on LinkedIn if I can go on LinkedIn I'm going to search the company name so go mcari actually an Australian business um I'm going to all the employees and let's just put in threat detection
four people are any of these the manager maybe not the job title might so the job might say who it reports into sometimes they do so our Global threat an instant Response Team uh okay so let's just go cyber threat
then right six people
okay I'm going to say it's not any of these I don't have the time to go deeper but let's just pretend it's uh Samuel that's a joke because he's a graduate let's just pretend it's Samuel I would then I'd go through the process I would apply online for the job but I would then send Samuel a message and say hey Samuel I'm not being demanding or anything like that I'm just saying hey Samuel um I saw the RO for threat detection engineer um looks awesome I feel like I could add some value I did apply for the role 11 if you've got any questions right just really simple all you're doing is flagging that I'm
interested in the job now if you've got a good LinkedIn profile this why you build your profile in the first place is then they look at your profile and go oh this person's really interesting they might be what we're looking for then they tell HR or tan acquisition reach out to them and organize an interview basically trying to bypass HR you could do the same thing with tan acquisition but essentially you want to go to the person with the problem because they know more what they're looking for than T acquisition or or HR um I don't have time to go deeper but um hopefully that helps and if you want any any questions or reach out after then please do so um
in the meantime thank you for being
here and again bonus thank you
[Music] [Music] [Music]
[Music] [Applause] [Music]
[Music] w [Music]
h you already met a moment ago so let's start over here with Mr Chris rides tell us about yourself bud I'm the other British recruiter um there's quite a lot of us I don't know what that is that's their running joke yeah there's a lot a lot Brits in recruitment I actually live here in Las Vegas so it was 123 weeks ago this is a breeze I have to wrap up in in this sort of weather um I've been in recruitment for yeah I've been in recruitment for 25 years alog together started uh Tyro Security in 2012 cyber security Staffing and Professional Services firm with my best friend who's a pentester and so we have a pen testing and risk assessment
arm as well very involved in the community uh founded one of the founding directors of the cloud security Alliance uh SoCal chapter uh speak at a lot of conferences and have been involved with uh bsides for uh I think nine years now uh speaking at pretty much every conference for the last nine years I think so lovely to be part of the community bsides are amazing uh Kathleen does an amazing job and you're doing an amazing job of course that's because she's directing me from from far away um and the the beautiful and wonderful Sylvia tell us about yourself um so I have been recruiting on and off for about 10 years now started off as an operations manager went into
sales and then kind of found my way into recruitment um speak four languages working on my fifth I definitely value communication I think that's like the most important thing to being able to find top talent and I think that digging deep is like truly the only way to do that um that's a little bit about myself I'm currently working for Toyota sushia systems if anyone's looking for opportunities I got like 40 open positions by all means let come find me later I would love to see if I could help anyone out that's looking and for anyone who wasn't just here for the talk tell us a little bit about yourself Ricky hi I'm Ricky um I speak
just about one language um so I'm also a British recruiter um very fortunate just spoke at in this last session uh I've been in this security space for nearly eight oh no nearly nine years and from Australia do a whole bunch of stuff in the industry that it' be too long to list um so very fortunate to be here and and hopefully help some people out and give some advice and give very honest advice or honest feedback anyway wonderful thank you I can say cuss words in a couple other languages but that's yeah yeah me too mostly Italian all right so I wanted to ask one question uh before I know we you just got introduced to everybody so I think
we all recruit a little bit different there's different types of recruiters so throughout this day and throughout a lot of talks and a lot of things that I that I hear and read you know recruiters get a bad rep uh probably for a good reason right uh so it's uh some of us try to rise above but you hear a lot of things about you know they're trying to trick you or the hiring managers are tricking you or here's the skills you need to learn because they're trying to trip you up or whatever um I want you to talk to the audience a little bit about the different types of recruiters that we are and why I am uh myself and drco
introduced you to you earlier we're in the govx space so we are recruiting for one company that is provide uh providing Services by fulfilling positions for multiple government agencies which is a little bit of different than what you do Chris tell us about the type of recruiter that you are uh yeah sure so uh obviously I mentioned in the the intro uh we're a cyber security specialist so we covered cyber security and GRC uh we started off mainly commercial um and focused on sort of engineering uh up to sort of ceso level roles and then probably more recently over the last 5 years we started developing more relationships in the cleared area uh and so we've got some
relationships with companies that are hiring cleared people and then over the last couple of years we've moved into go to market uh for cyber security product companies so you know we now look at customer success uh bdrs um you know marketing those type of roles but specifically for cyber security companies so we cover a few different areas we're based in the US we do a little bit of work in in Europe um but but but a far majority is is here in the US we're Las Vegas registered company so you hear about a direct recruiter and then would you do you call yourself Staffing or agency or firm what uh so you are you are hiring the people
but you are providing services to your clients who will then actually hire them find them you represent them did I say that right yeah no that's right yeah so third party so we work in a few different ways uh so we might be retained by a client to search for a certain role that can be generally a lot of the ceso and exec roles tend to be retained but uh we found over the last few years a lot of the really tough to find engineering roles senior engineering roles will be retained for as well uh we'll do contract work so you if somebody wants to bring somebody in with a certain skill set for a project but again um we
be the third party in that and we'll often work then with internal recruiters and hiring managers and and work on on the ways that we can make sure that we hit hit the things that they need uh in terms of the process he helps me they're awesome uh Sylvia tell me about the type of recruiter that you are so we can help people understand the different types of recruiters they might interact with yeah for sure um so Toyota susho system specifically is a very interesting animal and I I say animal for for a reason we are a subsidiary of Toyota so there's hundreds of different subsidiaries I was very naive into thinking there was only like two
companies um but the one thing I'll say is that for every Toyota client the need is going to be different there's different different initiatives going on at every single um Division if you will so I think that the most important thing for me because we have contractor positions contract to hire we have full-time opportunities all these other things and I think the the biggest aspect for me is trying to put my hands into like every Honeypot so to speak to figure out what they're really looking for um which can be some sometimes very very tough because you know the client doesn't necess you know client Toyota client doesn't necessarily want to tell us everything there's a lot
of and I and I know you know I'm where I'm going with this but like there's things that I will never know because essentially it is the client it is you know essentially private information that I'm not even able to have and it's like okay so you want me to hire for this position but you don't really want to tell me what you really need because it could leak out something right so at the end of the day it's really trying to better understand and having those conversations open conversations with the team as much as I can to basically get that understanding and I'll be honest it's it's not a um doesn't always work you you always have different managers
that you know don't have the time or just don't care to deal with recruitment in general so it makes it sometimes a little tough and sometimes trial by fire is the only way to succeed and and because you're gaining more and more information after every interview that happens it's not ideal but it is the way that it goes but again going into communication transpar transparency and honesty um that is like my Baseline for everything it doesn't necessarily mean that I may know everything but I'll be very transparent with you like what I do know what I don't know how I can help you get to the next step if I can help you do that and I think that's literally
my Baseline as far as everything so I really want to highlight what I just what I just heard you say because I think it's important it doesn't necessarily match some of the other messages that you have heard so it's great to have different perspectives nobody's right or wrong nothing's true or not true but a different perspective that you may have heard would be you know that the recruiters are tricking you were lying to you she just she just described the whole basis of the type of work that she's doing trying to find out as much as she can to tell you and to be as transparent with you as possible right so I just want you to know that
you're going to you're going to you're going to have to find those right recruiters are going to do right by you um so I'm really glad that you described it that way that wasn't planned can I add to that about so so you're describing a really consultative approach and that's what a good recruiter does um I got a couple of examp examples of that but what I will say is we went over uh all of our job descriptions from 2018 to 2023 went through all the placements that we made and we looked at the job descriptions we had on file which is what we get sent and then I looked at the separate job description which is the one we take so
we will not take a position on uh without speaking to the hiring manager without doing a consultative approach and going through the job description over 90% of the job descriptions that we took that we placed were markably different from the actual one we were sent and so a lot of the issues that that are happening out there are because the job descriptions don't match the actual people they're after and often you know people like us good recruiters our job is to get that information out it's not always that easy it's not always that they they don't so often they don't even realize that they that they don't what they need right so it's a it's a it's a tough job and it can be
Progressive um bit by bit absolutely that makes me want to just ask you a follow-up question Ricky before you answer that first question like bonus question uh we we we will review in this conversation the the expectations on the candidate side but uh Chris just peeled back a little layer and told us about you know doing intakes and understanding what your client wants which is exactly what you know Sylvia was talking about can you expand on that a little bit as well yeah so the process I'd say for most decent recruiters is at least the way for us is a company will say hey we want to hire this person we need your help um so then you organize a
conversation with the hiring manager to take a full brief that might take 30 to 45 minutes to understand their specific needs culturally technically the ins and outs of the job how to sell the job the culture of the team and and lots of Dynamics stuff that you don't always get from a job description is this is this recorded by the way I believe so yeah it's definitely live streaming right now so watch what you say that's I'm trying try to be mindful of between the lines um okay I don't always read the job descriptions um because as Chris was attaining to they I I prefer to take my own um often most organizations just basically regurgitate old job
descriptions and go oh we're hiring for this role again let's get that um job out the folder and basically use the same thing for a brand new role that they've never hired for before so um a good recruiter does that there's some really I think good questions if you're applying for a job basically you should interview the recruit that you're talking to so you could ask them have you taken a brief from the manager or who did you take a brief from cuz maybe they took it from T acquisition the thing is the closer you get to this like the source of Truth the more information you'll get um we've had it before where some companies don't allow us to talk to
the hiring manager because they're too busy although it would save them time in interviewing if they're not interviewing people that are not right for their role if they interview the right people but essentially we have to like do it via T acquisition which is they're doing their best but they can only work with what you're given um so basically who did you get the who did you qualify the job with another question you can be asking the recruiter is um how many agencies are working this role if it's like a third party recruitment company um is it do you have it exclusive um are you retained cuz every business is different we don't take on jobs that are not
exclusive our time is valuable and if there's multiple agencies then we can't be bothered to basically do it because essentially we're going to invest in our time where we're most likely going to have success and if the hiring or the company hiring essentially is just farming out to number of agencies then for me the quality isn't there either so we' rather have a good relationship with the company who we know how many people are in process we know what they're looking for we've got interview questions from the company um we know what they're looking for as opposed to oh we've only got 20% chance of filling this role someone of us might might get lucky we'll spend our time where we've
got a much likely um higher likelihood but there'll be there'll be agencies out there that just take on any job they feel less than 5% because basically they don't put the time into head hunt to qualify all they do is AD no offense but they'll just advertise a job basically take the best of who applied as opposed to the best of who's out there and that's that's a very different mindset so I think just understanding is the agency if it's a thirdparty agency how many agencies are on it have they actually qualified the role in the first place or did they literally just receive the job description via email and that's what they're working from so the more
information you can get from them but it it helps you then tailor your application as well because again the job title could be X but let's say they've got a certain outcome or project that they're working towards that's the the next 3 6 12 months the certain deliverables that the company's working against maybe you've done those things before so you can then essentially cherry pick the information from your last 10 years and go that's the stuff that I need to share with that company so you just heard that there's direct recruiters when they call you they're hiring for the company that they work for I work for ABC I'm hiring you to become an ABC company we have an someone
that I describe as uh providing integrator Services maybe product maybe Services they're hiring for their clients you have I consider when when you think of an agency take away the bad connotation to agencies or firms right think of them as your agent that's the key word in agency if they're your agent they're like your Jerry Maguire right they will show you the money they're taking care of you they're finding out about you they're understanding what their clients are looking for so there's there's pluses and minuses there's uh it's a different experience and I also want to remind everybody that we have a mic Runner you didn't get to ask Rick questions before so let's please
interact raise your hand all throughout this whole thing if at any point something that you're hearing uh makes you think of a question just raise your hand and uh and we'll take your question okay we want this to be to feel like a conversation any questions so far oh all right let's go come on let's get into them give you all the we'll give you all the Gory stories we'll pretend it's not really being live stream um it's not that exciting of a question now I got to think of one but um going back to Ricky's presentation earlier one question I had that I've been kind of struggling with is when you're writing your resume and you want to highlight
your metrics how do you come up with those numbers do you just throw a random number out there does it have to be divisible by five or zero or something or you know like you know the metrics they was achieved this by 45% blah blah blah blah like how do you come up what's a good way to come up with that number that is a really good questions basically it's it's how to how to show the measurable results right and so I want to start with you Ricky I'm I'm just giving the advice I'm not I'm joking sure so but but you're looking at my resume right now what what evidence that I provide to this is the
tricky thing you could just make stuff up um I don't recommend it um because essentially someone could then look at that and then ask you questions and then call [ __ ] on that so it's a really good question how how do you get then the percentages or whatever like essentially you need the data to start with so you need to understand well what was the before State and what was the after State and then when you can convert that into a time frame or dollars that's how you do it but you need to understand what it looked like before to then your involvement and then the after State you need you need to be able to show the
working out right that's the the thing with it because people will see that and certainly I would see that and i' be like oh how did you get to that so what it was what exactly was it before and and so you end up twisting and turning and and probably in the middle of a bunch of questions you didn't really want to be discussing I would always say like take the job description that you're applying for look what they're specifically asking for and if you're going to put metric in make sure their metrics that are the truth and that you can talk about and discuss and make sure they match the things they're looking for cuz you know random metrics aren't
going to help you uh generally get a role right so Target the exact things that they're that they're looking for and then anything else hopefully will come out in the interview so remember one of the slides that we saw earlier um and then we'll do this question and then this question but remember one of the slides we saw earlier that said don't you don't you say um all these descriptive words about yourself you know I'm a I'm enthusiastic I'm a go-getter I'm a blah blah blah think read through your own read through the story of your own resume and remember what you accomplished there might be there may be some jobs where you're going to skip it but did did you
help solve a problem like that's not going to be a measurable thing that you can add a number to right but you can say that you participated in the solution design for the thing right think about all of the interactions and all the things you're doing in your day-to-day in the end result of those of those you participated you were part of the solution so you can say that you helped solve this problem right people want to see that you did something that resulted in something else there's um there's a thing called the star method I'm not going to go through it now but if you just research star method then you'll get more advice um it's a really good
thing to follow especially not just on a resume but when interviewing as well because there are managers that specifically look for that and in my career I've dealt with lots of people and my whole thought process changed a few years ago when I dealt with this one hireing manager who's to date the smartest most impressive person I've ever dealt with and all he cares about is not years of experience but what impact did you make what difference did you make and when you can demonstrate impact in an organization that's when you again you understand that you actually made a difference what contribution did you make cuz you could be in a team of five five people but you you're still doing
other things from your colleagues um but essentially if you just look review style method you'll find some good info there and if I if I may add um so metrics doesn't always need to be just kpis slas numbers like again I think we've all kind of said it in a different way or another but essentially it's just showing instead of saying all these adjectives to describe yourself explain what you've actually done explain you know this was supposed to be a six-month project I got it completed in 2 months or you know I led the this and this and that initiative and this is what my part was like you know like she was saying so
again there's ways to show things about yourself and to sell yourself without being like I'm amazing just talk to me just talk to me you know what I'm saying so it doesn't have to be that like intense putting it in your work like putting your resume like in format to where this is what I've achieved this is what I've done these are the things that I've helped to you know create that impact that shows a lot more the other thing I'll say too is that if I see a lot of people that omit their side projects stop doing that like you're only shooting yourself in the foot like to be honest because if you're working
and then having those c those positions as well like or those uh projects as well add them in there so we can see that not only are you working full-time but you are doing those initiatives as well again the these are how those are like ways that I would do it without necessarily metrics and it helps you like this side projects massively yeah like you know you got your research blog or again T attending conferences or training and stuff there's so people that um don't do themselves Justice because they're not adding that information to their profile so if you imagine two two people side by side same experience but then this other person has the side projects they can go on
their GitHub you can see the things they're involved in you can see the events and the training they've done well suddenly this person's up here because look at all this extracurricular stuff that's really interesting as opposed to a nice profile but this one looks better and ultimately because you mentioned about you know the words and stuff you demonstrate your good by achievements that's it like you you you validate that through experience and if you just keep that in mind honestly you you'll Stand Out above most people because most people don't have it they again it just looks like a job description um and it's boring as opposed to how you made a difference I had one client sorry I had one client
that um that actually told me we were talking through the job description and he's the head of security at Big public company and we've uh splited a couple of people to him and we were talking through how he hires and he actually said to me he said like if there was one thing I know I can't ask this but said if there's one thing for me I I want to see that passion for what we do for a living I want to see that they're excited to be in security and and and so the sort of stuff that's on the resume about going to conferences going regularly to your local you know Issa or Cloud security Alliance meetup those
sort of things really do make a difference he actually said to me if I could get away with it I would be like look can I have your phone um let me look through your news feed and and like obviously he knows he can't he's watching this now you'll know exactly I'm talking about him but he he was like if I could see through their news feed I know cuz I know the people in my team our news feeds are full of security related news because that's what we're passionate about and I think those are the kind of things he's not alone in a hiring manager in looking for those sort of things so if you can demonstrate it
without giving your phone across um because you're never going to do that right if you can demonstrate that in your resume it's really important to do that you know you're all here now today because I'm assuming you're very passionate about what we do um for a living right so put that on your resume and it does Stand Out MH these guys are making my job easier by answering all the questions that I before I get to them which is amazing it actually is amazing um because it means the questions made sense uh but we'll get more a little bit more in extracurricular later but Defcon
hatang sorry did you turn it off so recently we had a reduction en Force at our company um and they pretty much chopped our uh cyber security and compliance team from 7 to 2 um they pretty much left the two most Junior to do all the work that we used to do now that sounds horrible right bad we work so well together think of Voltron we're bigger together right we work really well together what is the Precedence or what has happened before when I'm trying to lead them like Moses and go somewhere else and take the entire team right so we're looking for a company which we can go ahead and use our awesome skills to help their cyber
security and compliance needs um have you seen a company ever say we need a team like that and pretty much be able to start up very quickly so as far as on my side I mean again working with Toyota susho systems we're working with all the other Toyota subsidiaries so I have definitely seen instances where it's like hey we're building out this brand new you know iot you know iot team or uh you know OT team or Etc we're doing a a manufacturing uplift project or you know vulnerability project or something so in occasion I will get those types of you know requests but it's very it's it's very I don't want to say rare but um it's not
common it's very not yeah thank you it's it's just not common um I've had people sometimes that will be like look I'm a package deal with this other person because I know how we work and if you hire me you have to hire them and I love that that's that you know that delivery however I can't I'm not the I'm not the hiring manager at the end of the day I don't make that decision while I appreciate it it's great but I I think that the best way to go about uh something like that I think and I I know this might be hard to to hear as well it's like I know that you guys
have that gel on that group and everything and it works out really well but if you're looking at if you're saying seven of you or five of you essentially that wow oh my gosh I mean I got 40 jobs open do you mind if you're on different [Laughter] teams I mean by all means come talk to me later I mean here's my thing I I I don't think any recruiter could really guarantee like you would all be on the same team or whatever or things like that and the other thing I'll say though too is that there's no guarantee that we can put you all to work together as a same team as much as I would like to you
know give you that you know light of shining hope it just I I can't commit to that obviously could I help you find jobs absolutely can we can we help you find jobs absolutely but there's i' it's not common yeah unfortunately you're relying on a very specific situation of a company having open head count for x amount of people right essentially you need a like the timing of you need a business that basically wants to build a team and they're ready to basically for that amount of budget for that amount of your head so it's unfortunately it's it's not it's unlikely not impossible so if I were you I depending on where you live I would be connecting with
Recruiters in your area obviously you'd research to check they're actually good and know what they're doing but depending on where you live there might be opportunities where people on the ground or in the in the vicinity know who's doing what out there so basically just expand the network to lots of recruiters to figure out is anyone doing this thing right now because there might be but unless unless you're talking to people out there that you won't know yeah it's not a common thing we we've what I would say is the way it would I would I would imagine it will probably work if if I look at the stuff we done right we we did a we had a
company that was five people pre-ip o they IPO they got a big influx of cash and in 3 months we helped them go from five to I think 48 in that instance there was a lot of people that were hired from the same company but really what happened is the person would come in they'd get interview they hired them and immediately like obviously we were already asking them who else do you know who else has come out of that company and so they ended up with a quite a big group of people that had work together but that is a a rare situation the other one we will get the other teams we've we've built um tend to have been like
okay we'll come in we're we're getting rid of our third party sock and we're going to have our own sock right so that in that instance they would love people that have worked together but again it's not very common I wish it was cuz it is great business for us but
yeah so we come from a specialized solution in the industry think of sdw right if I think of competitors maybe zscaler or uh paloalto or foret or how about if we at trit and go to the competition that will literally give them that Leading Edge that is the marker that says you know what we just took away from our competitor and now we have the crackshot team that'll lead us to success you need to figure out who who in those organizations basically has who would benefit the most from that so what type of person what type of senor and either get find a way again using LinkedIn to basically research who that could be connect with them or try and
find a Mutual contact who can introduce you to that person but essentially you need to know who who' benefit the most from that and then essentially find a way of speaking with them yeah so listen I I think that um I think the big takeaway across the board is it is possible right and then networking which is exactly what you're doing is the way to get it done right and it's going to be a scenario maybe like what Chris was describing maybe you know Drake's company wins a contract and he has to fill 50 people today boom he needs all seven people right so the scenarios are out there it is possible it it's going to come down to networking
right and and talking to people and you know doing that the human element piece there being strategic yeah yeah you're really kind of pulling your own recruiter C honestly in reality because you're having I mean and the other thing I'll say too that you can keep you know a breast on also is like look at the companies that are massively hiring look at the ones that are very focused in that cyber security framework or look at the ones that are brand new companies that are like when you go on LinkedIn I'm sure you see the jobs underneath each and every company right if you see like 30 positions they're massively hiring get in touch with the recruiter
find out what they're actually looking for explain your situation see if that would be of interest cuz you never when they're ramping up like that that's the time to strike the Iron's hot or El they're trying to win new contract they're out they collecting letters of intent and conent offers things like that I'm going to I'm going to give you just one piece of advice for for you personally right you're probably not going to get a recruiter that's taking that project on because we're always looking for those clients right we're constantly looking I wish we could find them very easy it would be a lot of time to put in just for one particular scenario but what you will be able to do
yourself is you'll be able to do this sort of thing go out look at the competitors I would personally if I'm in your shoes I'd be looking at the the zscaler new startups yeah I'd be looking at the ones that are checking out right who's getting funding because that will be something that will push them to hire I would look at whose early stages that could just hire in a team right as soon as they get that first level of funding they can come straight and bring you bring you in those are the things I would look for absolutely thank you all right I know we had one more question but go ahead um how much do you guys rely on
ATS in your resumés and do you see organizations for senior level positions C so director levels using ATS and basically if you don't pass that they your resume goes in the trash so let let that leads that's a perfect lead in to the to the next question uh because we're going to talk about Pro process right and and ATS is part of the process um his question was how much do you rely on the applicant tracking system and I think the answers are going to differ greatly so let's go across the board I was going to ask how long from application to offer can people expect the process to take so feel free to in
to uh Enlighten everyone on what that process looks like they may not realize you know they're like I applied what happens next why haven't I got an offer what what you know we all have different stages whether it's doing a background investigation I I won't answer it for you but let's start with how long what is the expectation and what can they expect from a steps process to include answering his ATS question so I mentioned earlier about um qualifying the job with the hire manager so we've done that part that's the first start of the process next step is advertising the job if this this will differ you know the different strategies for agencies and obviously intern will be different
as well personally I'm not a fan of job adverts um because it means I have to go through the applicants and 90 odd percent of them don't match the needs of what we're looking for so unfortunately um it's a bit of a waste of time um you know when you've got a security guard applying for a application security engineer role I can't do anything with that when you've got someone applying from overseas that has no working rights to a job that is in Australia requires Australian citizenship I can't do anything with that so if I'm honest with you I'm gearing more and more towards not advertising jobs and utilizing my own network on LinkedIn so my preference or
my go-to is actually head hunting so I prefer just to basically company paying us for a service let's give them the best service and go and find the best people in the market that match our needs so that's why keyword stuff on LinkedIn really helps when we do advertise jobs um we don't have the same process that you would have so um we don't have like this applicant tracking system that has all this bunch of stuff essentially if we just look at LinkedIn you know people apply on LinkedIn we just look at every applicant it's as simple as that um but again it's a it's a Time versus volume thing as well because if you've got 400 people
applying to a job It's Tricky um so let's pretend either we've head hunted we've advertised whatever we've got someone who's right for the role we send them forward um every every company has a different recruitment process every customer work of is different we'll try and influence as much as we can to basically speed because time is money because the bigger the the window the more opportunity is for us to lose that person to someone else um but essentially if I send someone today let's pretend most recruitment process processes are two or three rounds it might be effici ly could be two weeks so if you say 2 to 3 weeks from App submission to offer is the ideal um and
then essentially we're trying to get things closed off the back of that um so internally we've got our own guidelines but obviously again Chris will be different and Sil will be different as well because again they'll run different processes and and I feel sorry for you because when you're running you know 40 positions or whatever it is there's only so much you can do and you've got to rely on job adverts as well cuz you're a human and then you got to rely on the ATS I used to have 149 positions at a time so it really is not it's okay it's a it's a sweet spot now for Me Drake's back there thinking he has 300 he does
and I've got like 200 but so so I want to just uh add a little bit of color uh that that answers your question the see the difference uh because we talked about being different types of Recruiters in different scenarios providing different Services if you're the at some point whether you're talking to Chris first or Ricky first or Sylvia um at some point you do have to apply that's going to be that that is part of the process everywhere to get hired if they're following the law so you have to apply so then the applicant tracking system is part of the process at that point because you're applying to the company that's going to employ you to
the company who's going to hand you your paycheck uh how much does in my opinion a recruiter look at the applic ations and search through whether it's workday or too or Greenhouse or IAM they all are they're all very different most are cumbersome most are not user friendly and easy to to get around in and so your resume gets lost at that point the recruiter isn't isn't able to easily search through all of the applications and and like Ricky was like if you uh deliver news papers for a living and I'm looking for a full scope poly AIML person then I I'm never going to get through them all because there are hundreds and hundreds of applications so
I think what you were asking is how much is the applicant tracking system part of the process a a a big part of that answer is the quality of the system yeah right and most of them are bad today you keep hearing about terrible resumés terrible job descriptions and terrible applicant tracking systems that's pretty consistent right this is where the recruiters come in and the networking comes in in in my opinion you've not even touched on interviewing next oh I know bad interviewing yeah we haven't even touched on interviewing we'll get there I agree with what you said but I I in your opinion do you see companies for ceso type positions or senior director
director positions using recruiters less and using ATS and AI more to find their candidates cuz you go on LinkedIn Within 20 minutes for a ceso position there's 100 applicants 95 of them probably shouldn't even have of um half of them are security guards basically 95 of them probably shouldn't even have applied for the job like you were saying so I just see more companies using ATS and using AI to try and find their candidates and saving money on the back end from using a uh a recruiter I don't think that's really happening at ceso level so I so I've got um I got a really big ceso Network I'm actually about to launch a podcast called root to se so um so I
plug for that but but 3 o' he does the route to ciso talk right here in this room straight afterwards yeah um but basically most of we do we do a fair amount of retained work uh but the truth is most seos I the root seeso podcast is about me talking to seeso interviewing them about their in their their route to getting that title most of the people people that I know almost all the ones I interviewed didn't get it through a recruiter right at ceso level it I can tell I know companies that only do ceso positions and they're doing less than 50 placements a year significantly less than 50 placements a year and they're
two or three person companies right um same with the the the the big head hunting companies most of your positions as seeso you will get through your network right you'll get through you you either somebody that you work with before will take you in somebody that ciso will recommend you those positions often get filled before they get to us I don't think AI is having a huge impact in that um uh but it's definitely all about Network even more so at that level I think there's something like somebody was telling me that 70% of the people with seeso titles are out of work at the moment I had a dinner last night and they were talking about that there's a
lot of cesos out there the ones that tend to use recruitment companies um have often tried their Network and and at that point they're not really getting the people they want us to head hunt very specific types of seeso um for them so I don't know if that's useful but that's why I see sorry so I'm I'm gonna I'm gonna let you touch on that because you're dying too but let's get back to the add to the answer to the question of the process I'll take 20 seconds on this so really quick so again I'm in a very different like setup as the guys are I am in a corporate setting however we use an ATS we use we also use vendor
staffing agencies on top of that because we have contractor positions that we require somebody to put them on contract don't ask me why that's above my pay grade however with that being said the ATS system is what I basically live in every single day um the one thing I'll also say is that when it comes to that I'm very much much like him like I love doing my own head hunting I came from startup I came from Staffing and then I went into corporate so I rely on my own knowledge more so than uh you know a stock JD or or whatever have you so I think for me it's it's kind of finding that balance and understanding like
what's going to be the best solution for whatever that position is but again just to give you that that yeah most of our clients are using ats's we like we have to work very closely with the internal recruiters the best relationships if you've got a really good relationship with the internal recruit it's so much more of a smoother process and a lot of that ATS stuff is kind of I would say bypass because it still goes through but they're like okay well we' bought in a specialist company for a reason right these people we don't need to then put them through some sort of AI tool to them filter even more so Sylvia from uh
how long what when you think of your process from Outreach to pre-screen text screen panel interview client interview customer facing interview there's think of your process and and help them understand what their expectation should be which I'm sure you tell them the first time you talk to them oh yeah um I have no problem being as transparent with you guys as I am with everybody else I mean I it's kind of my staple here's the thing every position is different I cannot I've closed a position in as little as four days from start to finish with all those steps that she just said I've also taken 123 days to fill a position because you know
we don't get the right GD we don't get that intake sometimes so again trial by fire really is the name of the game on occasion and uh being corporate recruiter doesn't mean that I have access to the managers I'm just going to let you know that right now it doesn't um especially when we're dealing with clients as well because there's a lot of other things that go in between that so when we're talking from start to finish the best thing that I could tell you is ask the recruiter what is a timeline to fill for this position if it's ASAP then you already know like it is top priority if they're like oh well we're hoping to
have this person start in October November it's going to be a slow process and that way you know like if you're out of work you're like I can't wait till November for y'all to make a decision like I need to keep looking you know have it in your back pocket don't burn Bridges but at the end of the day just understand and you know ask that question early on because I have no problem telling you like hey I needed this person like yesterday like if I could hire you on the spot and I thought that you were great for it I wish I could but I'm not the decision maker at the end of the day there's a lot of
other stakeholders in place and I don't make that decision as much as I can advocate for you and I do advocate for both sides because there are occasions obviously where the manager's like they look at the resume and it's like okay I've spent 30 minutes screening this candidate I know that this is exactly what you're looking for after you and I have had X number of interviews and you're telling me all these extra things so the next time when I a manager's like H I'm like oh no no no no come back here we're gonna talk and then have that go ahead there's a lot of elements uh that play into days to fill they call it yeah
hate that statistic but there's also organizations like C jobs that that are publishing a lot of really good information for you the candidates they are advocating for you and they're going to tell you they're doing surveys they're asking questions from you and then they're putting that into uh digestible information for you they're saying you know what we're seeing we're seeing in this discipline or this industry or this clearance level or this geographical location days to fill I've seen some crazy numbers I've seen 30 I've never seen that I know you talked about I've never seen that I've been doing this for 30 years it could be 45 days it could be 70 days it's going to
depend on customers clients whether or not it's direct right so ask your recruiter from the first conversation that you have what you should expect so that while you're talking and then let them know other things that you're doing right um I sorry I turned this into an advice session but get that information up front if you can yeah please be as transparent on the other side things to yes thank you very much uh everyone uh I had a question following up on what Ricky presented last hour but I want like the answer for from everyone it's two questions the first one is you said to be careful on LinkedIn and I just got on LinkedIn I've never been because I've
had a job now kind of looking bit I was you said to be careful not to connect with the wrong people I wanted to know what what you meant by that and second question is regarding use of AI for resumé customization I've been trying a few uh platforms out there and I was curious if you guys had any recommendations to help us out when we're trying to tailor our resume to a specific uh position thank you um yeah just connect with the wrong people I mean just most people are fine there's just weirdos from from time to time um unfortunately women get it a lot worse than guys um the the you there's creeps out there um so I guess what I
was trying to say is be careful who you connect with and who you may meet um and how you do it I guess was this the thing I mean connecting with anyone doesn't really make a difference like it connection or a follow it's the same sort of thing um so I wouldn't stress too much about that um it's just what you then do if someone messages you and what you reply back with and what you share just be a good security professional and be cautious do you feel like the flip side of that which also ties nicely into your talk um is to be not careful but cognizant of what you're posting and what you're sharing right um
if every day on I still call it Twitter every day on Twitter you're like I hate my job I hate my boss I hate my job I hate my boss I hate my job yeah you're just gonna good we're just gonna associate it's just negative right like so um maybe talk about something you learned or something you look forward to learning or you know so just just know that kind of we we're like is it your profile is it your brand what is it whatever it is um it's your footprint is what it is right that's that's not the right word to it with you make a really good point cuz and it goes back to what
I was saying before about essentially you're basically trying to add value to other people you're sharing insights sharing opinions obviously that I guess is an opinion I hate my job Hate My Boss whatever that's that's just stupid but there are I remember um there was there was a guy who a few years ago uh when Trump first got elected he posted on Facebook about basically someone should shoot Trump and then this this guy was either like MD or CEO of a business and basically he got um you know his business it blew up on social media his business picked up on it he got sacked you know so what we say online has real repercussions
so you've got to tread you know a fine line between being negative being just stupidly crazy and just insights and if like even um know linkedin's getting more and more social is getting more acceptable to sort of I see people posting all sorts of like even family stuff whatever like personally I've posted I think two pictures of my family but we've I don't know been away or something and there's a work conference or whatever it is I always I'll block out their faces um but essentially it's just being mindful of who's reading your stuff and it again goes to the same thing of LinkedIn or so your your resume basically tailor your LinkedIn or your
resume for the person you want to be reading it so if you imagine your resume the person reviewing it
Related talks
7:26:26
28:06
4:48:22
23:16
56:14
21:07