Hiring the Right People

This issue of the IT & Cybersecurity Leadership newsletter focuses on the processes involved in effectively finding and hiring the right IT and cybersecurity personnel. The hiring process sets the tone for a new hire's tenure and significantly impacts their longevity with the organization.

The first step is to identify the right candidates and then persuade them to join your organization. Timing is crucial; move quickly to secure the best candidates.


The Job Description

Start by determining why you need a new person and what their responsibilities will be. Identify gaps in your organization and the skill sets needed to complement your team. Define the roles the new hire will take on, considering the necessary personality traits and soft skills. From this list, distinguish between essential and desired qualifications.

As discussed in the Improving Diversity edition of this newsletter, make sure that you: streamline the job requirements, use gender-neutral language, and understand motivational differences to increase the size and diversity of the applicant pool. When it comes to the job requirements, don’t get too specific about the technologies involved (e.g., “Experience with managing next-generation firewalls” instead of “23.5 years of experience with PA-7050 firewalls”). Getting too specific unnecessarily limits the size of the applicant pool and provides malicious actors with valuable OSINT.

A job description should have two parts: a list of responsibilities and a list of required skills. Use bullet points for clarity, with the most important items at the top of each list. Add documented tasks to the list of responsibilities. Include the skills needed to perform those tasks in the list of required or preferred skills. Keep both of these lists as brief as possible.

Two competing philosophies exist: hiring the skill versus hiring the person. Hiring the skill focuses on finding someone with exact skills, while hiring the person looks for quality individuals with intelligence, creativity, and imagination. The latter approach can lead to significant improvements, as these individuals may innovate and optimize processes. It’s recommended to “hire the skill” only for specific tactical needs of the organization.

You should have a clear understanding of the skill level required for the position. Aim to hire individuals who are smart, highly motivated, and nearly overqualified. These candidates will likely find repetitive tasks uninteresting and will seek to automate or improve processes, thereby enhancing the organization. Essentially, they will willingly make their current role obsolete, confident that their motivation will lead to other opportunities within the organization.

Talented and motivated IT & cybersecurity professionals who are nearly overqualified bring more value than two unmotivated, unskilled workers hired just to fill positions. The ideal candidate for a junior role is bright, eager, and relatively new to the field. Investing in these individuals and providing them with opportunities to learn and grow will quickly elevate their skill levels, making them ideal candidates for promotion to more senior positions that are harder to fill.


Recruitment Strategies

Recruitment can be conducted through various channels:

  • Personal recommendations
  • Conferences
  • Job sites (especially those focusing on technology jobs)
  • Skill-specific communities (e.g., the ZeroTrust group on LinkedIn)
  • Your organization’s website
  • Recruiting agencies

Handling HR Challenges

One common issue is that HR may not fully understand technical resumes or job descriptions. To avoid losing good candidates, assign an HR person to specialize in IT and cybersecurity hires. Train them to recognize relevant qualifications and work closely with managers to ensure they understand the terminology and requirements. Even the best recruiting campaign will fail if resumes don't get past the HR department. Excellent resumes are often rejected before they're seen, which may occur when a computerized resume-scanning system is used. These systems may be set up to filter for keywords, which works well if you're looking to "hire the skill," but not as effectively if you aim to "hire the person."

The HR person will likely focus on keywords such as certifications, specific technologies, products, and brand names. You may need to explain the terminology. For instance, you may need to clarify that Linux, RHEL, Solaris, and FreeBSD are all Unix variants. If you need someone with experience in a specific Linux distribution, specify whether you require experience with that exact distribution or if experience with any Linux distribution is acceptable, provided they are willing to learn yours. Provide HR with a chart of terms and their equivalents. If your company has an in-house recruiter, implement an education process to ensure they understand the terminology. Even the best recruiting campaign will fail if candidates perceive your recruiter as uninformed.


Timing

Timing is everything in hiring. There is a narrow window when candidates are available and another narrow window when you have open positions. Companies must move quickly to avoid losing top candidates to competitors. Balance interviewing enough candidates to find the best one while acting swiftly when a suitable candidate is identified.


The Interviews

Divide desired skills into small, related sets, and assign each set to different interviewers. Ensure all interviewers know their assigned skills and those covered by others to avoid duplication. Critical skills may be assessed by multiple interviewers but with different questions.

The interview process should be completed in a nominal number of meetings with the candidate after the initial screening interview. Lower-level hires may require 1-2 meetings, while senior-level positions may need 1-4 meetings. If more key stakeholders than that are involved in the decision-making process, consider using panel interviews.

All interviewers need to remember to respect the candidate. The candidate should always feel that the interview was worthwhile and that the interviewers were the sort of people the candidate would like to work with. The candidate should come away with the impression that interviewing them was the most important thing on the interviewers’ minds at that time. Key practices include:

  • Reading the candidate’s resume beforehand
  • Being punctual – don’t leave the candidate waiting
  • Minimizing distractions – before meeting with the candidate, turn off radios, cell phones, etc.
  • Showing interest in the candidate
  • Explaining what a great organization you have and what you appreciate about the organization
  • Starting with easy questions – begin with relatively easy questions that they should be prepared to answer
  • Making sure that everyone is asking different questions
  • Not trying to prove your superior knowledge
  • Not prolonging one part of the interview unnecessarily; if you discover the candidate’s limits in one area, move on to another
  • Addressing any concerns you have about the candidate during the interview
  • Allocating 25-30% of the interview time for the candidate’s questions. Good candidates will ask insightful questions, giving you an understanding of what matters to them. The first and last interviewers should be ready to answer questions about the rest of the hiring process.

For technical parts of the interview, focus on shared areas of interest & experience and dig deep. Evaluate the candidate’s problem-solving skills and their ability to explain their actions and reasoning. Intermediate-level candidates should demonstrate a broad range of experience, strong problem-solving abilities, and clear explanations of their decisions. For junior candidates, focus on their attention to detail and methodical approach.

Develop creative questions to understand how the candidate thinks. For example, ask "If you were given unlimited resources and time, how would you improve a product or service you use regularly?" and observe their deduction and logic. Ask about their proudest accomplishment and why, which can reveal their capabilities and the challenges they value overcoming. Inquire about situations they wish they had handled differently and what they would change in hindsight to gauge their ability to learn from mistakes. Most importantly, encourage them to discuss real-life experiences. This approach is more engaging for the candidate and provides better insight into their capabilities.

Avoid asking trivia questions that have a single, highly specific correct answer, as people can forget these details under stress. If their job requires knowing the colors on a CAT-6 cable, they can look it up when needed. General questions provide more insight into a candidate’s abilities than trivia. Trivia questions, often called "gotcha" questions, can tempt interviewers to catch candidates off guard. Also, avoid brain-teaser questions, as they don’t reflect a person's ability to perform the job and only test if they've encountered the question before.

Do not ask candidates to rate their skills on a numeric scale. Unskilled individuals often overestimate their abilities, while more skilled people are more aware of their limitations. Instead, ask candidates to describe their experiences.

Ask about both positive and negative experiences. For instance, inquire about the best project the candidate has worked on and why they felt it was the best, and then ask about the worst project. Additionally, ask about their best and worst managers to understand what they appreciate or dislike in a manager and to gain insight into their working style.

The non-technical parts of the interviews are used to assess the candidate’s soft skills. This includes evaluating how they work in a team environment, relate to customers, organize their work, and whether they require significant direction. Additionally, determine if they prefer a narrow job description or enjoy working across various areas. Explore the candidate’s work habits, such as how they stay current with technology (e.g., through reading mailing lists, participating in newsgroups, and web surfing), and whether they balance this with their other work responsibilities.

The secret to effective interviewing is in the follow-up questions. These typically reveal more about the candidate’s capabilities and fit for the role than the initial question that was asked.

Besides evaluating candidates, interviews are an opportunity to persuade them to join your company. Respect their time and ensure the interview process is positive and reflective of the team’s quality. The interviewers should be people with whom the candidates will want to work. People work for money; they work harder when they feel appreciated; but they work their hardest when they are passionate about what they do, where they do it, and who they do it for.

Post-Interview

Record your thoughts immediately after the interview to capture your impressions while they are fresh. This will aid in making informed hiring decisions.


Selecting the Candidate

1. Review Interview Notes and Feedback

  • Collect Feedback: Gather all notes and feedback from interviewers and panel members.
  • Summarize Performance: Summarize each candidate’s performance across different interview stages (technical, behavioral, cultural fit, etc.).
  • Highlight Key Points: Identify and highlight strengths, weaknesses, and any red flags noted during the interviews.

2. Evaluate Technical Competence

  • Skills Assessment: Review the results of any technical tests or practical assessments the candidates completed (if applicable).
  • Relevant Experience: Check the candidates' past work experiences and projects relevant to the job requirements.
  • Certifications and Education: Consider relevant certifications (e.g., CISSP, CEH) and educational background.

3. Assess Cultural Fit

  • Company Values Alignment: Evaluate how well each candidate's values align with the company culture and values.
  • Team Dynamics: Consider feedback from potential team members on how well the candidate might fit into the existing team.

4. Verify References and Background

  • Reference Checks: Contact the references provided by the candidates to gather insights about their past performance, work ethic, and reliability.
  • Background Checks: Conduct necessary background checks (criminal record, credit history, etc.) to ensure the candidate’s suitability.

5. Compare Against Job Requirements

  • Match Skills to Requirements: Compare each candidate's skills, experience, and qualifications against the job description and requirements.
  • Gap Analysis: Identify any gaps and consider their potential impact on job performance.

6. Consider Soft Skills

  • Communication Skills: Evaluate candidates' communication abilities based on their interactions during the interview process.
  • Problem-Solving and Critical Thinking: Assess how well candidates demonstrated problem-solving and critical thinking skills.
  • Adaptability and Learning Ability: Consider their ability to adapt to new situations and learn new skills quickly.

7. Decision-Making Matrix

  • Create a Matrix: Develop a decision-making matrix to score candidates on various criteria such as technical skills, cultural fit, experience, soft skills, etc.
  • Weight Criteria: Assign weights to each criterion based on their importance to the role.
  • Score Candidates: Score each candidate against the criteria and calculate their total scores.

8. Final Deliberation and Consensus

  • Panel Discussion: Organize a meeting with all interviewers and decision-makers to discuss the scores and final impressions of each candidate.
  • Reach Consensus: Aim for a consensus on the top candidate, considering both objective scores and subjective opinions.


Making the Offer

1. Offer and Negotiation

  • Prepare the Offer: Prepare a job offer based on the candidate's expectations and the company's compensation and benefits structure.
  • Negotiate Terms: Engage in negotiations if necessary, ensuring that both the candidate’s and company’s needs are met.

2. Post-Decision Follow-Up

  • Inform Other Candidates: Notify the other candidates of the decision and provide feedback if appropriate.
  • Onboarding Preparation: Start preparing for the onboarding process for the selected candidate to ensure a smooth transition into the role (more on this process will be covered in the next newsletter).

This structured approach ensures a thorough and fair evaluation of each candidate, leading to the selection of the most suitable individual for the IT or cybersecurity position.

Vishwa Patel

Sales Maverick || Business Growth Catalyst || Passionate About Driving Engagement Through Content

7mo

Well said!


More articles by Andrew Aken, PhD, CISSP
