Who is excited? Who has been up since like yesterday? Yeah! So welcome to our talk. Hackers hiring hackers, how to do things better. A key component of the talk is presentation, so you can ask questions and raise your hand. We want you to share your war stories. Ask questions at any given point. If you think we're giving you complete bullshit, let us know. Be respectful about it but that is the great thing about DEFCON. We can talk bullshit and then talk about it.

>> [indiscernible]

>> But not literally. So the way that Irish and I came up with this talk was I was in his area for work and we met up and we were drinking and eating and we started talking about how bad things were trying to find a job in -- even for those that had been there for a while, let alone the newbies.

>> Whose first DEFCON is this? That is? How many hiring managers do we have today? How many of you are currently looking for people to hire? Nice. And how many newly graduated, looking for your first InfoSec gig? How many of you are curious of just what is going on? Okay. Nothing else better to do.

>> This talk was not done with any consent by current, future, past, present employers. This is just Totten and myself expressing our frustrations and how we can do better as hiring managers and how we can do better. You can read the legalese there, this is just us talking. I'll let you guess which picture represents which one of us. [indiscernible] this costs extra. Who here is a human?

>> We're trying to figure out the mics, it's okay. Yeah. We're both currently in the information security industry. I'm a security consultant with Rapid7. I basically do training and deployment. Irish, what do you do?

>> Blue team protection and currently working as the director of research. Why are we talking about this? Why would we have this conversation at DEFCON? There are a lot of sexy talks about how to pwn this and pwn that and put these things together but there are very few that address the human element.
This is also an engineering exercise, if you want to look at it and put it in that context. How do we get people hired? How do we get people entrusted in our roles? How do I get that right resume to get in this role? To get that next opportunity. And both of us have not been doing a very good job of this. And we'll have some examples later, actually. We're doing a poor job of communicating our expectations of the job, we're going to interviews without knowing how to showcase our experience and how to posture ourselves in trying to represent who we are. What can we do and how can we reduce that risk for the organization? And from a hiring management perspective, sometimes we get those applicants, we don't get a feeling that they're interested.

>> From the top secret perspective, hackers, either new or experienced, we're getting frustrated because we don't -- we don't know exactly what they're looking for, right. The descriptions are ambiguous. We go in, they tell us there are no hackers to hire and they really want a hacker and then we show up with our experience and with our willingness to learn and we feel like we're getting shut down for no good reason.

>> And how many of us have heard, it's hard to find people to hire? (lost audio connection)

>> Sorry for the technical difficulties, folks. Hard to find people to hire. We scare the folks that we're trying to interview or talk with. Scare recruiters and we're teaching ourselves in this process. And getting and retaining talent is a social engineering exercise. How is it a social engineering science? From a hiring manager perspective, just finding people interested in the role and getting them to apply. Getting upper management approval for the role. Getting a description that they will let get posted on the website. Let's not forget, once you get them in that role, being able to nurture that candidate so they grow personally and professionally and they want to stay and help others and yourself grow.
How can we be better hackers, helping each other out? From the job hunter's perspective, writing a convincing resume, a cover letter that expresses why I want this job. Why am I looking for a new role? Getting through the interview process. Not just with the hiring managers but with the other team leads that we have to talk with and get their input. And the folks that we're going to be working with in that role. Getting and negotiating a suitable offer and showing up on day one and getting [indiscernible].

>> Again, apologies for the technical difficulties. So expectations. This is one of the -- we broke it down to four different core problems or core opportunities to improve. There is nobody to hire. Oh, but hey you want to work in a comfy office with a 6 month contract to fire just like [indiscernible]. Because we've never gotten those calls before, right? There are folks to hire, just not in your market, not your salary range, and not with the requirements that you have. What do you need to do? Set and adjust your expectations from both sides of the team and nurturing the team that you have. -- talks about, in a series of blog posts and I wanted to stick this in. Hiring the unhireable. There are folks to hire. We got to set our expectations appropriate to the organization, what you need and what's available out there. So, what do you want? I want a junior level or entry level person. Hey, they need at least five years of experience. What? Bingo. Because, right. Now it's again setting that expectation. What things can you pay for, what, how well did you socially engineer your supervisors and bosses and financial team to get the funding that you need for that role, match the expectations and requirements to that. Right? We've seen position restrictions all over the place. Jack of all trades and master of none. What do you really, really want? I'm not doing the dance, sorry, guys. It's too early and I have not drank anything yet. I am not doing the dance. Okay.
If you want a log monkey and you need somebody to work in a SOC, say so. We've all seen those encrypted sort of job descriptions that make no sense and have a list of buzzwords and lingo.

>> And a lot of these -- that's okay. There are a lot of broke-ass college students that will take anything. But if you don't tell them that they're going to be a log monkey and that it's going to be a learning -- something they can learn and grow and do, they're not going to apply because they're going to think they're overqualified. Something that a lot of us suffer from is that imposter syndrome. We're not good enough. And your job descriptions aren't helping. We don't know what you're looking for is entry level and that you're going to help us grow with your company. Right? So just say what you want.

>> So what really matters? Your environment, your team, your business that you're supporting. What really matters, to the environment, to the team, to the business that you're supporting? With that experience, don't ask for things just because. That's really going to [indiscernible] we need folks to go I've never done this with X tool and they're not going to apply. And that might be the perfect candidate for you or they could be within 3 to 6 months because you helped them nurture and grow. Yes, we've seen those job descriptions. We've seen those job descriptions, oh, you have to come from an Ivy League school with a certification that none of us can afford on our own. We all know how that testing process is just so awesome.

>> Another thing that helps is letting people know if you don't have these certifications that you're willing to get them within X number of months. That is good to have on there, too. That shows the job hunter that you actually care.

>> -- from other companies that were able to nurture and grow their team. We need to help grow our own. We need help nurturing our own. So scope, what is -- for? What are you trying to do? Get into the specifics of it, Mr.
or Mrs. Hiring Manager. Or is this all the fittings? A jack of all trades and master of none. That sometimes needs to be the case if you're in a small organization and you only have one or two people on your team. Where do we fit? Where are you supposed to fit in that organization? Does it make sense that we fit under IT or under legal? And for a lot of startups, we need a security person, let's get a security architect and throw him under the manager of IT.

>> And that sounds good in theory but in practice you're going to have issues because it's a conflict of interest. The head of IT is concerned about uptime and making sure the users are happy, they have 50 zillion versions of Java. But security doesn't want that: we're going to butt heads with management. So it's important for us to consider where we're going to put our people.

>> From the other perspective, apply, the job is yours. Throw the money in and send them to hacker summer camp. There are conversations that I had with candidates that expected double and triple the going rate for that role in that area. Are you trying to troll me or are you looking for a new role? Great question. The question is what is the rate? And that's dependent upon where that organization is, physical location and also what the job is and what it entails. And experience. There are multiple qualifiers that fit into that. Yes. Correct. So the question is, hey, do we have some references to figure out what that rate is? And why don't we circle up after and I can give you a couple of those. There are a couple of websites specifically for if I'm working in X location, what do I need to move to Y location? What's the equivalent of that.

>> You can post that on Twitter as well. Because we know after this talk, there are other talks and other things you want to see. So we'll post our, I'll post my Twitter handle so you can look and keep an eye out.
>> There are a couple of different salary surveys as well to figure out what is going on and figure out what that is for the location that you're at. Yes, sir?

>> Do they want experience?

>> The scenario, yes, I would like an unpaid intern for my team, with experience.

>> That's exactly what we're about to talk about.

>> Thank you for the segue.

>> He is absolutely right. A lot of hiring managers are stumped because we don't know how to -- properly convey to HR what we really need. They just know what they think they want. So that's when it becomes a social engineering exercise, right?

>> Application process. How do we get this put together? And this needs to be done on both sides before we make the first calls. Because you know what, you can finish the application process, and hire and start somewhere else before you even reached out and said [indiscernible] how would you like a phone call with the HR recruiter. How do we find candidates? Us hiring managers and meeting them face to face. Contributing back to the community. Working online with stuff.

>> And it's great that we have a couple of hiring managers here and it's a great start. But we need to get our companies more interested in DEFCON, et cetera, because that is where they're going to find the talent, right. That's where they're going to seek people that know their stuff who are interested in hacking and interested in learning things naturally and they can use that and harness that. They look at our conferences and think we're a bunch of drunk kids running around and turning pools purple.

>> I haven't done that in years. I don't know what you're talking about. She is color blind. Leave her alone. The other thing to think about is your role, hiring manager, in talent. More than a lack of upper management or the things that we're talking about, the gap of middle management. We're the ones that do the staffing, and spend the budget and want the best optimal usage for the budget.
When there is a failure at the [indiscernible] level the whole thing falls apart. Let's talk about HR and recruiters. You have those paid recruiters, the overseas body shops you can tell by the first word. Need I say more? I will say that the CEO of E24 has an interesting blog post called dear head hunters, fuck you. It's actually quite an interesting read. I would highly recommend it. So types of questions. When you're figuring out what that position description is, it matches up to the types of scenarios during the telephone and interview process.

>> It helps when writing the questions to look at the job description that you put out there and you can use that to tailor the questions, right. We want this. How do I find out if this person has this or if they're trying to pass through [indiscernible].

>> In defining the key areas, we saw some interesting things. Hiring a recent college grad with five years experience and Olympic medals and superpowers. And compensation. You have an idea as a hiring manager for your particular area what -- you have an idea. Pay them what you're worth and what you're capable of. If you can't, how do we work other ways? Vacation, flexible work schedule. Maybe work out a training budget and throw that in if you can't pay them in compensation. There are ways of working around that from a hiring manager perspective and for someone trying to get hired. It's not just about the Benjamins. At least I hope not. We want professional development. Thank you. Just the stock options and free lunch isn't going to cut it. The beer cart and the ping-pong table isn't going to cut it either. And UX (ph.) love it.

>> This mildly depends on who is looking for a job and you recognize that. Especially people entering the work force, they have a completely different set of expectations than the majority that have been in the industry for a while. They might be happy with the T-shirt and cool free lunches and beer cart on Friday.
Sometimes you offer different things to different people that you're looking to hire. And that's okay.

>> Let's talk about the applicant tracking systems that we all love. From a hiring manager, we have to remember, that's the first or second step after looking at that position description you have posted and giving that first impression to the candidates. Why are you asking for PII in the application process? Why and do a check? Perfect example. Why are you asking me for a social security number, driver's license, and state for a senior manager of information security ...

>> That should disqualify them. If they answer those questions it should be like, nope.

>> Another great example of the sexy is there are some birth and driver's license numbers, this is a CPA auditor company, the HR gal that replied back to me saying I didn't get an interview never responded to my emails about can I talk to you about the privacy violation you have on the website [indiscernible]. Notice the nice little certificate there, too.

>> After they're selected, right. That's a great question. Some of -- the fact that you have to do a background check before you bring somebody on. How do you do that? You need to ask for the PII.

>> In the consideration of time ... Okay. Background check. That is not whether someone is qualified or not. It's saying what kind of background do they have with credit and law enforcement issues. As hackers, some of us make bad decisions. Others are just caught. So background checks. Yes, that's done after the interview process because that costs them money. And that is directly against a line item in my budget. So if I'm serious about someone I'm going to have a conversation with them beforehand, this is the HR policy for the organization. I need to do this. Is there anything we need to talk about beforehand? There is a form and a proper way of submitting that form with the PII on it so it's safeguarded and done appropriately.
>> A lot of times this information isn't used. You can be my segue person, sir, for the rest of this talk. I can't put special characters in passwords, really? This one was weird. Here click on this link and I get this pop up, going you're logging in as user name HR but the website does not require authentication. Hum ... Hum ... Fail. This gentleman here is filling out the job application and was frustrated enough with this question, which do you most identify with and why.

>> [indiscernible] by the way.

>> So this -- you do not put any context into what sort of job he is applying to. If this is an online media company, it might be relevant. Certainly for InfoSec it would not be in my opinion. This might also -- depending on the question -- reflect on ageism, too.

>> So we went back and forth on this one. I'm cool with this question. I would have to be really, really picky and since I'm a person that overanalyzes things, it would take five hours. A lot of the -- folks say they know what anime is to begin with, maybe this is a culture I want to be a part of. It's a question of are they being professional. Do I want to be a part of this organization?

>> That is part of selecting the right questions and at the right time. Should this be an essay question where I'm not sure if you're looking for a humorous or serious answer? Or maybe more appropriate for a human interview where you can have a conversation about it and why. Hackers, hacking the resume. No BS guys, and gals. We can figure it out really easily. It's knowing what the terms mean, what you want to do or try to do in this role. We're going to clear the bullshit.

>> Even if you have limited experience with a tool, or a network topology or managing thing, put it on the resume but let us know how limited or experienced you are with that tool. If you've been into it and you can navigate around and you've done a light penetration test as part of your course work, I want to know about that.
Because that's relevant to my interests, so that way I can help you work on your path to become a pentester if that's what you want to do and that's what I'm hiring for.

>> Yes, I have a file of the worst resumes ever. Yes, I will -- I do redact them, but those I use as examples when I mentor interns and young staff on what not to do. Don't give me any more. I have enough examples. It's tailoring that resume to make it relevant to the employer and the hiring manager. It needs to be long enough to reach where it's supposed to go. It's only supposed to be one page, only supposed to be two pages. Does it reflect what you can and want to do so it reaches where you want to go? Honestly for myself, I have a two-page resume and a full CV that is five pages and I submit both.

>> When you're building out your resume pay close attention to what you name it. If you call it resume dot XX, I'm going to put it in order because I have 50 of them. It's hard to distinguish them. Put first name, last name, CV doc or something like that. Sanitize the metadata. Please.

>> That's the next line. So one or two page or full CV. I send both because humans want different things and hiring managers want different things. Different HR folks want different things. I've run into companies where if the resume was not formatted to their company standard, you didn't get a phone call.

>> They didn't share what that file format was.

>> No, they didn't. You had to know. File names make a difference. And sanitizing the metadata. Managers make mistakes. HR makes mistakes and we lose documents and good labeling helps you out. Determining if you're qualified or not is not your job yet when you're applying for a gig. It's the job of HR and perhaps the tracking system and who is hiring will make that determination. Keep that in mind.

>> It's okay to apply for things that you may not be qualified for yet but are interested in as long as you have the ability and are willing and able to work.
>> You have tracking systems. The CMS, the heavy ones that we love to hate and the lightweight ones. Submission, keeping track of who submitted and whatnot. With those, the heavyweight ones, it's recommended to be one of the first to apply and to try to fill out every application box or text box in that application. If you don't feel comfortable filling it out, put a dot. Put a period or something else in there. On those resumes, web safe fonts. Spell check and spell check again and have a friend who is an English major read it over for you. Don't use graphics or special characters. The system can't handle it. And the HR person is not going to call you and say your resume got messed up and you need to resubmit.

>> Applications. You may be a unique little [indiscernible] but that should not be reflected in your font. I don't want to see text like a 12-year-old girl with a glitter pen wrote your email. Use Times New Roman or 12 point font or whatever and make it easy to read. If you're scrolling -- [indiscernible] that is okay too.

>> That email application is the opportunity for the cover letter and why you want the job and why you match that job and things that you can't easily convey within the resume. Email, digital signature, bonus. Hey, you understand how that works.

>> I was going to say check your copy/paste. I'll write an intro to an email and copy and paste it and sometimes I forget to change the company name. It's awkward and you're not going to get a call back.

>> Real quick for the military and government jobs, they have their own special snowflake website which is the worst unwielding from death you ever experienced.

>> Also it was breached.

>> And it was breached like they all are. Be sure to answer the qualifier questions as best you can. The hint is to look at the description of all those questions, write it up first, and then go in the submission process.
If you're trying to wordsmith while the application is up, you're going to set yourself up for failure. We talked about this. Customize your resume. One or two pages for human digestion, awesome. The full CV for the ATS system, because they're doing that, they aren't matching. You need indicators.

>> That's just awesome.

>> Go to the next slide and you're going to be the second person for second ways in our talk.

>> It's helpful to have a couple different versions of your resume. You hear that all the time. I have two main ones. One with my hacker stuff on it. And one without it. And so there is one resume with the Tottenkoph because companies want to see that and it shows that you're active in the community and learning and doing stuff. Other people might get a little scared. So you might want to turn it down or make sure you only have like the professional -- it's hit or miss. You might not want to work for folks that turn away you speaking at DEFCON, right. Because that means they may not pay for you to come.

>> So yes, there are little tricks for when you do applications on USAJobs, that is just one of them. This is probably not the forum to further discuss that. I'm going to say, don't hack with your resume.

>> It's not cute.

>> I have gotten people that applied for jobs with exploits in the media. Seriously? Yes, I check for those things. Come on. Nor, let me put that caveat in there, is the application process an opportunity to do a penetration test on the application system. That is after you get hired. [indiscernible]. So you're talking about government stuff, security clearances. Does not belong in a resume. Does not belong on LinkedIn. You're making yourself a target. Read the documentation. You read it. It doesn't matter, yes, it all got stolen.

>> There is also some disagreement as well. We heard people say, I always put it on there and they won't consider the application unless it's on there. There are ways to get around it.
Security clearance information upon request. [indiscernible]

>> And yes, I've known folks that have lost opportunities over that. And all I can say is if that organization can't handle doing this in the right process and right way, do you want to work for them? This is a time to communicate, folks. Professional looking email, cover letter, professional looking email address, digital certificate. The whole nine yards. We expect that within your work as well. And yes, I'm going to Google that email address and I'm going to Google that user name.

>> We need to go through this quicker because we're short on time. So, yes, couple important -- it's a pain in the butt to write. Make sure you are friends with an English major. They can read it over and make sure it doesn't suck or sucks less. Use your network. You're at DEFCON, right. Which by the way, whoo! We're at DEFCON. There are tons of events and contests and things you can do and meet new people. Villages and workshops. If you're not doing these things and meeting new people you're doing yourself a huge disservice. It's a great way to meet hiring managers. If you didn't make note of people who are hiring, you kind of failed. Can the people that are hiring raise your hands again, please? Thank you. Right. So working with recruiters. We have a couple of different types of recruiters out there. A lot of the time you're not a special snowflake to the recruiter. They did a search of who has something they need and they'll send you an email. It's not a guaranteed job.

>> Treat every interview with a recruiter as an interview. It's best behavior. It's trying to figure out whether the recruiter that you're working with is one of those body shops overseas or a legit recruiter working with that company to match up the skills to an environment.

>> We know there are a bunch of us looking for work. What we don't realize is they're looking for us. We are in high demand and we're in a constantly growing industry.
People with our skill set are really [indiscernible]. Just because you know how to fire a wire short doesn't (ph.) mean you're going to get a job. Just keep it real. Interview. A lot of us have problems with interviews on both sides. Interviewer, interviewee. From the interviewee side it's difficult. We're trying to figure out the questions and who is bullshitting us and not, who is interested in learning and who is just wasting our time.

>> The monkey questions get us nowhere and we've all had them.

>> What do we mean by stump the monkey? It's to find out how smart or dumb someone is by playing a Jeopardy-like game. It's rapid fire questions. It's important to know if someone is bullshitting or not. But you're not there to sit there and, you know, have them regurgitate their last couple years of college.

>> Talking about question bias. Not being a dick. Today is not be a dick day. So what if the candidate doesn't know how to work with maple or oak or pine or Palo Alto or Cisco. Can they learn to use that tool to find the threats in your environment or pwn that box or write that policy? I don't care what port or excuse me what protocol uses port 0. I can look that up. We should not reinforce the rote memorization of questions that the school system ingrained in us. It's thinking outside the box and figuring out what is going on and stopping the madness.

>> So reviewing resumes, keep in mind the area that you're hiring in. Seattle, San Francisco, places like that have a lot of contractors. Contractors who can't control when the contract ends and they have to get a job as quickly as possible because they need that money. Keep that in mind and don't automatically discriminate against someone because it looks like they're job hopping. If you talk to them and find out the background, it could be something simple like a contract or a death or things outside of their control.

>> Family illness I've come across.
They went to school -- hey, the recession is still out there in some environments. It's hard to find a good job. Okay? We hear that excuse that it's not a cultural thing. They're not technical enough. We need to stop using this as a crutch for not hiring someone. We hire for aptitude. Hire for whether they can or can learn to do something and protect our environment. Can they do the job? Can they learn? Are we looking for a purple squirrel? That is what the recruiters call it when you have something you cannot find. Or worse, are they looking for the plaid unicorn? I had to go to Etsy to find a plaid unicorn because I couldn't find any artwork because nobody is drawing it yet. How hard is it to find that perfect candidate?

>> We want to know they're willing and able to learn. They're interested in their job. They're interested enough to protect our environment and our users. We want passion. We're not saying you should use the passion as an excuse to have them work overtime and burn them out because you'll have to recycle through new InfoSec people. We also want the ability to fail and admit they failed or were wrong. That is how we learn.

>> Hackers, find the company you're trying to interview with. Figure out what is going on. Use Glassdoor and figure out what is going on. Knowing your target and knowing who you're trying to social engineer to get into that job. Have your three bullets and stick to them. Question everything. Right. Please wear pants. Or at least a kilt. Question everything and question timing. Did the interviewers give you an opportunity to interview them or give you the token 3 to 5 minutes at the end? That tells me something about that team. At the end. I've gotten these emails, too.

>> Very nice and polite, fuck you. Oh, thank you. No.

>> Hiring managers, we need to stop leaving people hanging. Let them know as soon as you figure it out that you're going to someone else.
We need to find a way, even if it's months or years down the road, to provide feedback to those folks about why you couldn't hire them.

>> And a note about not following up with folks. It's a really small community. There are 20,000 people here at DEFCON, but we talk. A lot, loudly, drunkenly and we will call out each and every one of you that wronged us in some way, especially if we're really, really trashed. So if you're a dick, or don't follow up at all -- like I had a friend that didn't get a follow up from a potential hire and I'm just like, or not a potential hire, a potential job, and I'm just like, I was really, really disappointed and it made me question the people who were doing the hiring. And a lot of those people I knew, I was close to. So just keep that in mind. Your actions do matter.

>> Hackers, follow up as well. Send a thank you email to everyone you talked to and interviewed with. Even the receptionist. They help you get that opportunity to have that conversation.

>> I got my first InfoSec job. I was ten minutes late because of a downpour and traffic in Seattle, they didn't disqualify me or penalize me because the PA to the hiring manager thought I was adorable and so polite. And they pay attention to those things. Keep that in mind.

>> Show some class. Even send a snail mail thank you card. Yes, they do exist. But best not to send your social requests on social media just yet. That is a little creepy.

>> Just a little about social networks. They do Google you. I know it seems obvious but they do. If you sit there and bad mouth them and you're looking to get a job there, chances are you're not going to get to the next level.

>> Yes. You have to remember there are some folks that only have people they know and trust. Know and trust. Where other folks, it's everybody in the world.

>> As a final note, a lot of us forget that we leave impressions on people no matter what side of the table we're on.
It's good to be hypersensitive on how you portray yourself and talk to other people. You never know if you're going to try to get a job with this person down the line.

>> So we went through this rather quickly because this is a lot. There are little annoying things. It's those little things that get the network compromised and it's the little things that ding us when we don't get the job or the opportunity or get that person hired.

>> It's not one side -- the hiring managers' or the job seekers' fail, it's both of our responsibilities to try to take our lessons learned from the past and try to do better. We'd like to give thanks to these folks. We stole a lot of quotes and pictures from them. And any last minute -- we have like five minutes. Any questions?

>> Comments, concerns. No bullshit lies at all?

>> Exactly. Job seekers, what he said is please use open source software, freeware to try to get that experience. A lot of times we see those in corporate environments because our budget is like that big. Yes? Just don't go all Office Space on your current employer when you're going to the next big thing. You don't know if the job is going to fall through or later on down the line the previous employee, manager, whatever is at the company that you want to work for.

>> Again we talked about it's a question of timing.

>> Definitely. He was saying -- there is a way to get your experience, to meet people. All right. Thank you everybody.

>> Thank you, folks.