I've always been lucky when it comes to staffing. I employ people I'm very happy with, and despite high turnover within the industry, I've always managed to retain key people. There are many reasons for this, but hopefully, one of them is because I treat them well and let them develop professionally.
However, although I've been lucky and able to keep turnover down, from time to time, we take on small projects that require temporary staff -- and that exposes me to the horror of recruiting. I hate it. All those résumés. All those phone calls. All the time wasted in interviews.
Don't get me wrong; I enjoy a good interview. It's just that so few interviews are even barely passable, despite my best efforts to put candidates at ease and get the best from them.
I was looking for someone to improve the security awareness of my company, prepare awareness materials and present them to employees. Because written and oral presentation is vital to the role, I was looking for a résumé that summarised the candidate's experience in a readable format. I also was hoping for a well-presented interview, with swift rapport. Formal qualifications weren't vital, but the breadth of experience represented by a Certified Information Systems Security Professional qualification would certainly be welcome.
The problems started with the résumés. A concise and relevant listing of experience is useful, but a three-page list of every bit of software and hardware a person has ever used doesn't impress me. "Ooooh here's the one we must hire. He used Microsoft Word 2.0" isn't a phrase I say very often.
And the hardware experience listed was even weirder: "386, 486 and Pentium processors" is a depressingly common line in this section. Did these people take part in the design process? Did they write tailored code for these chips? It turns out, they didn't. What they mean to say is, "I ran Windows on a range of processors." I delight in asking detailed questions about Intel's MMX CPU extensions and the like until the candidate is forced to admit what he really meant.
In an interview, I always ask the names of the last three books the candidate read. Few of those who have listed reading as an interest on their résumé can even name three books. My advice to candidates: If you want a job, remove this section.
These problems aren't very security-focused, but neither was the candidate who wrote, "I can drive a tractor" under "Other Skills and Qualifications." And another tip: Yes, the Microsoft Word résumé wizard looks very original to you, but it won't stand out on my desk when it's the 500th I've seen in that format.
If the candidate miraculously passes the résumé phase, I interview him briefly over the phone. This isn't standard practice, but I find it helps filter out the wildly inappropriate candidates. Another hint: Don't take these calls with your mother in the background or on a mobile phone on a bus. I've had candidates do this and, oddly enough, they weren't called in for further interviews.
The final hurdle is an interview at my company's offices. Some ringers still manage to slip through to this stage. Making up a complete pack of lies on your résumé and then trying to blag your way through the interview isn't going to get you the job, and once I tell your recruiting agent and my friends in the industry, you won't be getting a lot of other jobs either. I talk with other security managers and pass on good candidates, and I recommend that other security managers do the same.
The Trojan Horse Candidate
Security managers, be forewarned: I've met some charming job candidates whose motivation for interviewing appeared to be to find out about our financial systems so they could hack into them later. They had no background experience and no interest in the salary, long-term prospects, career progression or holidays. They did pay special attention to what operating systems and protective measures we ran. They were generally shifty and evasive. Any of these characteristics on their own could have been innocent enough or the product of interview nerves, but the combination made us overwhelmingly suspicious.
My strangest interview, however, was with an applicant who had a few cryptography skills on his résumé but was mostly business-focused. We were looking for someone to write a cryptography library, so he looked like a pretty reasonable fit. The interview was going well until about 30 minutes in, when he asked why we were asking only about his cryptography "hobby" and not his work skills. We were even more surprised when he explained he was applying for a securities management position, rather than the information security management role we had to offer.
I now take a little more care to check with the recruiting agent or candidate before we have an interview.
Despite all of these trials, we did manage to find the right candidate. The recruiting agent infected his résumé with a virus before sending it to us. This helped the résumé stand out from the crowd, but not in a good way.
Now that he works for us, we've found out the truth behind the agency's claim that it interviews all candidates before sending them to us. Technically, it was true, but a five-minute chat in a coffee shop before sending a candidate to the wrong office doesn't exactly meet our expectation that the agency has carried out an in-depth background check and skills evaluation.