How not to interview for a job.
aka, the one with the name dropping.
As you may be aware from the recent topics of these letters, we're in search of a security analyst back at the shop. It's a good job: be the technical go-to / tactical security lead for the IT department so I can focus on strategic issues.
It’s the kind of job I relished about 3 years ago.
So why haven’t we been able to fill it?
Quality.
Of.
Candidates.
It's just that simple. Much like Joel Spolsky describes: you never get to hire the really good ones off the street, because they've already got a job.
So the latest candidate comes in for the interview… he’s already gotten past the HR front lines, so he at least passes the basic BS test. Time for me to go with the advanced BS test.
I kid you not, this is how it went.
First things first… zero personality — no light or fire there. And as you all know, infosec is a people game, you’ve got to be ready to really talk the talk. I thought to myself that it can’t be all bad… right?
Wrong.
We walk through the “So how’d you end up in Infosec”… and he commences the name dropping.
Yeah.
Name dropping.
Here's the thing… if you've been around for a while, you've at least brushed palms with some of the names he's dropping… telling me about his close personal friend $International Security Researcher/Celebrity$ and how he helped his dear friend get his consulting practice off the ground before it was sold off to a large professional services firm.
I'm asking myself why he's looking for this analyst position if he's on such close terms with the above-noted name drop.
Go through the experience some more… been doing this for a long time… many different organizations/organizational types. Nice.
So what were your specific duties with regard to incident response and handling at Company Y? He launches into how he’s developed his own information security management programme which he’s submitted to DHS and ISO for inclusion in the 27000 series of standards… because, you understand, he consults for DHS and ISO.
Ahem.
What was that?
Oh, you have a “side job” consultancy where you maintain both DHS and ISO as clients?
Wow.
Doing better than me, buddy; my side jobs consist almost entirely of crass self-promotion in the form of being the guy who shovels snow for elderly neighbors and cuts the occasional extra lawn…
I continue to probe… at this point, I know that he’s not employable (if you’re paying attention to your consulting clients, you’re not paying attention to your employer – just a hunch), but I’m enjoying things now.
I start to quiz him on the tools he’s listed as “expert in deployment and utilization”. The list reads like a combination of the catalogue of a large security specialist VAR, the entire contents of the BackTrack 2.0 LiveCD, and every utility released at every hacker conference since Woz was learning to whistle.
And about a third of them are spelled wrong.
I give in and ask him The Questions. For your enjoyment, the answers:
hostname/ESSID: operating system and version
conference: anything sponsored by ISC2
you see an iPod connected to a laptop: call the staff member's manager over, put the employee on a "Watch" list, publicly admonish
Yeah.
Not going to happen.
Thanked him very much for his time… oh, one more thing…
How well do you know $someguy$ at your current company?
Really well? Ok, tell him I was asking after him.
Why so crestfallen there, bud?
Tags: ranting, infosec management, interviewing