
Hello, hello. Welcome to the final Villages talk of this first day of BSides. We get the pleasure of hearing from Arpita, who will talk with us about all things hiring and interviewing. So let's give her a big round of applause. [Applause]

Especially the last benches. Oh, by the way, quick check: how many of you, is this your first conference after COVID in person? [laughs] How many of you are overwhelmed by it? I was like, wow, it's grown a lot since, you know, when we started off as BSides SF. How many of you are overwhelmed right now? I was done. But okay, anybody having social battery at zero, please feel free to hop out, go back home, reach us, it's fine.

I'm going to talk about trying to make some method in the madness that security is. You can find me talking security at conferences like this. I also mentor at Security Mentor Club, I also work for the Women in CyberSecurity, and in general you can find me talking about security, sarees, dogs, food, hikes, any of those countries. So when Tom actually reached out to me about Career Village, I know it's not the best of times right now, which is why I stepped in. I wanted to help in any way I could, and my way of helping you all is, for lack of any better words, distilling my gray hair into the slides that I have. So I hope it makes some sense. It's a very click-heavy slide deck, so I'm open to sharing slides later on, so you don't need to take any notes. It's a click-heavy deck because then it lets you go back home and take notes and go from there.

That said, why are you here at 4 pm still listening to me? I have spent over a decade in security. I am currently at Databricks. I have worked at B2Bs like Databricks and Mapbox; I've worked at B2Cs like FAANGs; I've worked at startups; I've worked at unicorn rocket ships. I've been there, done that. I've worn so many hats at this point of time: I've been a security software engineer, I'm a detection engineer, an incident response engineer. I've been giving interviews since 2013 and I've been taking interviews since 2020. So that's a lot of breadth, a lot of hats that I've covered over the years, and like it or not, some people might burn out, but I'm still here talking about security.

So in this talk today I'm going to cover two aspects of interviewing. One is how do you interview for the different roles in security, because there are so many kinds of roles, you cannot prepare for everything. When you are interviewing as a security engineer you can be so many different kinds, and each of them needs a different way of preparation. And the other side is how do you hire for these kinds of roles, because as a manager you're constantly shifting between different roles, different skills, different people, different countries. How do you make sense of that? So that's what we're going to try to cover in the next 20 minutes. Wish us luck.

So this slide that you see here is intentionally very text-heavy, but it has almost all the categories that security means to different people. This is the mind map of a CISO. It's been on my wall for the last five years, because even I lose track of it. So one side that you see is: you have risk and governance. You know, features like, for a lot of people who do this on a daily basis, how risky is your business, how risky is the product, can we buy cyber insurance for a company, and those kinds of decisions. The next set of decisions, and the people and the teams working on them, are business risks: you have your disaster recovery, your business continuity plan, right, ensuring all the processes, all the plans work as expected, all of that. The third category is compliance and legal. To people outside of compliance and legal it seems very tedious, but in my opinion it's one of the quickest ways to gain your customers' trust. So if you have a new product in the market and you have a SOC 2 or some kind of compliance, I as a buyer would know that you have at least certain checklists done, and hopefully done the right way, so I can trust your process.

On the other side, this is what I'm going to talk about: the next three, which are in the trenches, more IC work, more the kind of people that are probably most of you here. That would be SecOps, which is a lot of the operational, in-the-trenches, reactive work: alerts, reports, responding to alerts, doing pen testing, etc. Then we have the infrastructure side: you are probably an engineer working to protect your infrastructure, or you're an engineer trying to protect and improve your own product security. So these are roughly the groups, and as you can see it's not easy, right? It's so many things. So when you say "I'm interviewing as a security engineer," you could mean any one of these things. So if we were interviewing, I'm not going to go to the first three, I'm going to go to the next three. But I'm sure many of you, me included, have been in these kinds of interviews where I've been asked random, terrible questions not related to my workspace at all. So here's my note to all of you: when you are interviewing for a company, it's a two-way street. If you don't understand what's being interviewed, why you're answering certain questions, chances are it's not a good place to work either. So skip that. Take it as a two-way interview, a two-way street; ask them the equal questions, and we'll see deeper how.

So the first category of interviews that we often, or I have often, given is product. You know, I'm building, and my company sells, security products, for example at Palo Alto, right? So you build firewalls, you have a lot of the information in there, and you can see the common titles and roles are pretty much very common, like software engineer, cloud security engineer, network security engineer, all of these kinds. The skills you need here are mostly your basics of computer science. You're a software engineer first, then a security engineer, so you can skip past the security classes if you want, if you want to go down this direction. But you also need to understand your business a little bit, because you can't build good features without understanding what your company sells anyway. So these are the titles, these are the skills.

Coming next is how do you hone your craft if you want to be a software security engineer. This is not an exhaustive list; this is a list that works for me. But the idea that you should go away with is: you should have your elevator pitch ready as a software engineer if you're interviewing for one of these, if I ask you here, "what do you do?" Second is you should try looking at all the regular software engineering interview questions that are out there in the market, out there on the internet: CTCI, LeetCode, etc. Practice, practice it, because that's what makes you less... practice where you fight. So if you practice in the right places you're most likely going to be nailing those interviews. You can also start, given how hard the job market is right now, you might not be getting many calls, etc., so you might start looking at open source projects, because that's where you're building up your resume, your portfolio, you're working, and you're also helping some open source community build products which a lot of us in the industry often use. And last but not least, if you go down as a regular software security engineer, you are potentially allowing your career and your movement in and out of very many different software products. It could be a database developer next, or a Spark developer, etc. You don't have to stick to security.

The next is the proactive set of roles. These are security-specific roles where you're looking at either improving or securing your product, or improving and securing your infrastructure. By that I mean, for example, if my company sells potatoes, how can I secure the potato? As in, are there any bugs in it, are there any vulnerabilities in it, can I scan it? That's product. How can I protect the farm, which is your infrastructure for growing? So that's possibly AWS, Azure, GCP, wherever you're building your infrastructure. So that's corporate infra security. And then you also have bits and pieces of enterprise security thrown in, for example how does your company configure Okta, or what do you do with LastPass (I hope there's no LastPass person here). But all of those things put together is your proactive security engineering. When you are in this field or in these roles, you should focus on preparing more as a security engineer first. You might not have the greatest coding skills, but if you start preparing security engineering skills and bring up your coding skills later on, that's totally fine. For improving interviews and talking more about this line of work, I would say all the list here, and shout out to projects like YARA, the OWASP cheat sheet, you have osquery. Rather, these are all... I mean, look up GitHub for security projects, you will see the most-starred projects; pick anything that suits you, start contributing, because the minute you contribute you have something to show to an interviewer: "hey, I have done this piece of coding." So that itself is half a battle won there. Oh, last but not least, I want to call out the sixth bullet point. For the longest time I never had a good CTCI equivalent for security engineering, and then Tad came up about two years back; he put up a very rough list of security engineering questions. I don't think it's been updated much since then, but it is the best that we have out there. So if you want to look in one place at what all you need to answer, I would start off from there.

The third category, and I'm smiling because that's what I do right now: the third category is reactive security ops. This set of roles is mostly your IR ops, your investigations, your threat hunting, your detection engineering, your forensics analyst, your red teaming; all of these come in as reactive roles. So the skills that you need here: actually, the first skill I would hire for is resilience and integrity. You will have burnout if you don't have these two and if you can't keep up with the pace, because it's incredibly fast-moving; it's a roller coaster ride. I can walk into the office one morning and be like "oh wow" or "oh no," so it can go either way. But then come the technical skills. You still need to know the tools of the trade: you need your store, you need your hunting skills, you need SQL pretty much quite a lot, you need to know how to parse through large amounts of data, logs, everything else in there. So all of that put together makes it reactive security, which is very close to being a roller coaster ride, but you can also burn out. For these, I would say the first thing you should say is "hey, I survived these many years doing IR" or "I survived these many years doing pen testing." That to me is the biggest fact: that you're still talking about it means you've survived it, you want to do it, and you're doing it for the right reasons. A lot of the learning that comes in from here is where most of the hacking resources come in. You might want to look at security conferences as well, because conferences like these end up having a lot of hacking conversations as well. So on the list here: you want to talk about conferences, hacking expertise, do the CTFs that conferences have. If you don't want to do that part, and that's a very half visit path, if you don't want to do that path, you can also go look up any course, any online certification. I'm not pro or for certifications; I just think it's a good way to get the structured learning that you would need to nail that role. So if you want to look at some roles there and look at some incident handling courses, that would be the place to go.

So that's it. We have covered the three series of interview tracks: we have the product, where you build security products; we have the proactive, improving, shift-left security; and then you have the reactive, where you are fighting fires day in, day out.

Now comes hiring. If you thought giving an interview is hard, which it is, it's nerve-wracking; if you thought giving an interview is hard, try taking interviews for a hundred people and being standard in your evaluation, being fair, not having your subconscious bias, doing the right things day in, day out while you're interviewing those hundred people. It's incredibly hard if you want to do the right thing, which is also why, when you're giving an interview, you never know whether it went well or not, because it's very subjective today. So how do you make a very subjective process into a more detailed, or a more standardized, outcome, so you're hiring for the right skills rather than what you think is the right person? Some things that have worked for me are outlined here. You don't have to follow them, but they have made my life easier, which is why they're on the slide.

The first is preparation. Actually, the first two slides are preparation. The first preparation that I do is for my team. Anybody and everybody, whenever they're joining, every quarter, every once in a while, every one-on-one gives me a chance to go and look at the skills and capabilities matrix. On the left I dump out everything that I think my team needs. It doesn't have to be filled in by one person; it can be filled in by 15 people, but that's the list my business needs from my team. It can be something as stupid as industry network (how do you quantify that? there's no degree for industry network), or it can be as technical as rootkits and containers, right? But it's all there, it's all on that page. If you make it available to your team, your team knows what you want; they have the transparency; they know where they can grow their career; they know what gaps exist. And not only that, they will sometimes come in and be like, "hey Arpita, you know what, I want to learn that skill next, can you help me do that?" So that makes your job as a hiring manager much easier. What it also does is it lets you do targeted hiring. It's very painful to maintain this list up to date, but I think it's worth it, because at the end it allows you to do what I'm going to show next, which is targeted hiring, but also it helps you be a better nurturer or retainer of the talent in your team.

So this, when you see it, is that gap list that I've identified and put into an interview panel. Once you've identified your gaps, what next? You need a series of people to interview your candidates, right? So that can happen in two ways. It can either be like, "hey, five people, go interview this candidate"; they'll come back saying "great," "not great"; you don't quite know why someone is great or why someone is not great. Or you can give them this evaluation matrix where you say, "hey, if you are interviewing a candidate for me at an L3 level, this is what I expect them to be," and then you go down and you see L6 has all that L3 has, all that L4 has, going on and on and on, and then you add layers to that onion. And so it makes it very easy for your interview panel to hire and interview a person that you want, rather than one they would want on their team. So it allows you to hire; it allows you to ask people to evaluate using their intelligence but your selection criteria.

Having done these two prep materials, now you come to the actual hiring. This is all pre-hiring, before you open your reqs. So when you come to hiring, you need to do about six or seven things. One: don't try to hire unicorns. None of us are unicorns. Being a unicorn is extremely challenging, extremely burning out; we will not have security people if we continue hiring unicorns. Second is keep the skills and capabilities matrix very up to date. Once you have that up to date, half your job is done as a manager, because then you know what to hire for, which candidates to go for, where to showcase. You know, I have a gap in GCP? Okay, fine, go to a Google conference, you will find GCP candidates there. Then be very cognizant of what you write in your job description. You don't want to copy-paste the same job req from five different reqs, because then you're hiring the same kind of candidate every time, which does not improve your diversity. So once you write it down, try to minimize it to five to seven items that you need on the candidate, and that's it. And you will not find unicorns, but you will find the exact kind of candidate that you're looking for.

Then, sometimes, and I've seen this when I'm hiring in different countries of late, because everyone's on video: every country has a different video bandwidth, every country has a different holiday month, every country has different cultural jokes. So when you are hiring as a manager, if you are not cognizant of the workings, that someone could have a different working style, a different thinking style, a different language style, you're missing out on a lot of thought diversity that would actually benefit your team. So when you have that list there and you know which countries or geolocations you're hiring for, what gaps you have, put it in your evaluation matrix, stick to it, and then you will have a holistic and diverse interview panel, which will give you the kind of candidates that you're looking for. And the interview candidates would then fit into one of the three buckets that I shared earlier.

So, going back: interviews are a two-way street. If you are interviewing and you don't like the team you're talking to, stick to your gut. It's harder to do in a job market like this, so take that with a pinch of salt, at least for the next six months. But also, when you're the hiring manager for an interview, check in with the candidates. They might not have liked the experience which you thought was amazing and you spent so much time preparing for. So be open to that feedback as a hiring manager, because what you see, what you think they're getting, is probably not what they're getting.

So that was my gray hair in a slide deck. That said, I'm also available in all of these places, happy to answer any questions now and/or later if they come up. All right.