Hello friends,

I hope your 2024 is off to a great start. Recently, I’ve had a number of conversations around the (very real) negative impacts we are already seeing from increased us of AI in the hiring process, juxtaposed against the rapidly advancing capability of the technology. So today we are exploring both sides of the coin- the good and the bad of AI in the recruiting process. We will take a look at where we are now, and where we are likely to be going over the next few years. All of this, of course, through the lens of cybersecurity careers.

If you are or will be in the job market, this is critical to understand, since you won’t be able to directly observe much of what’s going on ‘underneath the hood,’ but it will absolutely impact your search. 

If you are short on time here’s the tl;dr.

• In the short term, increasing use of AI is a net negative. It’s perpetuating chronic problems with job descriptions and matching candidates to jobs on criteria that aren’t actually predictive of success. It’s promising an easy way to recruit but sacrificing quality for quantity.

• Over the longer term, it holds great promise and should be able to more effectively help match people with jobs that are a good fit for their skills and aspirations.

• Candidates need to adapt to the near term reality. AI is often in charge of the initial screen, and this is all resume and Linkedin based. You need to make sure your resume is highlighting the right set of skills. Even then, odds of success on cold applications are low.

• An unintended consequence of all of this is that the value of human interaction and connections is likely to increase, not decrease. Not a bad thing. 

In other news, I’m excited to announce the launch of our Crux referral program. Whether you are part of a VAR/MSSP/ services provider, or simply know people that may need some support, you have an opportunity to earn significant passive income by referring potential clients. If you are curious, please drop me a line and I can share more. As a quick refresher, we offer:

• Full time staff level recruiting

• Staff augmentation

• Consulting services on the people side of security (career path design, skills assessment, talent development strategy)

• Executive recruiting (CISO)

 Enjoy,

Brad

Incorporating AI into cybersecurity recruiting- what we gain and what we lose

If you are in the job market right now, you undoubtedly notice the little ticker on Linkedin that tallies the number of applicants for each opening, and the rapid pace that number of applicants shoots up.

You certainly are noticing the number of form rejections you receive from those applications- even when you are unquestionably qualified for the role. 

While some of this is undoubtedly due to the macroeconomic conditions- including layoffs and less overall job turnover- a good deal of it is also due to the newfound ease of applying (just click a button, or even automate the application itself) and the downstream automation of how systems handle all those applications. 

There are many cybersecurity postings that are attracting north of 500 applications. Guess what, no human is reading all of those. 

What the ATS is really doing

Applicant tracking systems are the modern boogeyman for the candidate- the black box that is preventing you- the qualified candidate- from getting to interviews and having the chance to truly demonstrate your strengths. The mysterious system that you need to learn how to beat. 

While in some forums ‘the ATS’ has achieved an almost mythical level of malicious capability- the reality is more pedestrian. Most of these originated as tools to manage the recruiting process, manage posts, and consolidate data. A CRM for recruiting, if you will. 

Over time, they expanded capabilities to automate the ranking of potential candidates, and they do so by using ML (and increasingly LLMs) to rank candidates for fit with a given role. They do this by extracting a perspective on a candidate’s skills and experiences from the resume, and comparing those skills against requirements in the job description. 

Most of these systems are still pretty dumb. For example, say ‘project management’ is a requirement, but you don’t list the actual words? Never mind that you were a consultant for a decade leading teams- that skill isn’t recognized because most tools are bad at interpolating context and are really just looking for keyword matches. 

There are tools out there like jobscan that can help look at your resume, compare against a job description, and suggest improvements. They are worthwhile and can help. But overall recognize that fundamentally this is a law of large numbers problem and there is no magic bullet, and ATS systems vary wildly in their capabilities and results. 

Overall advice:

• You won’t ‘beat the ATS’. But you can improve how you appear

• You need a skills section in your resume. This is for the ATS, not for humans. Load it with the relevant words and put it at the bottom of your resume

• You also need a skills section on your Linkedin profile

• Read job descriptions and ask yourself- what criteria is the recruiter likely looking for? Make sure those words (specifically) appear in your resume

• Don’t over think this. Your hit rate won’t automatically triple. Your interview/apply ratio will still be low. You need to make human connections to really increase your odds and hit rate.

The arms race

In cybersecurity, we are all too familiar with the cat and mouse dynamic of defense against the adversary. There is a perpetual cycle of discovery and closure of new vulnerabilities, tactics, and vectors.

The concept also applies to recruiting. Candidates experience low interview hit rates and so apply to more jobs. More candidates, more automation.

It’s a vicious cycle. 

One of the great ironies of this all is it is forcing a return / premium to the human dimension. And for job seekers, that means being networked. I won’t go into it extensively here, but you can check out these posts (part 1 and part 2) for deep dives on a how to execute a job search process, with practical networking advice.

Referrals, endorsements, and introductions from trusted people have always been a critical component of the hiring process, and exceptionally valuable. I’d argue that they become even more important in this environment. If you are in the market today, I’d guess that there’s a 90% chance that your next role comes about based on a human connection, not a blind application.

Have I got a bridge for you.

There is a lot of snake oil being sold on the vendor side of recruiting today. I suppose in the software and tech world there always has been. Something along the lines of ‘just buy this tool and your problem will go away.’ (Like the one security company that promises to ‘end cyber risk’ ahem, ahem ❄️🐺). 

In the recruiting world, we are awash in promises to fully automate the process of recruiting from end to end and that AI will automagically find the perfect candidate for every role. 

AI absolutely does hold promise for improving the effectiveness and efficiency of recruitment, and to some degree it is making things easier and faster already. But the promises of full automation and superior screening are misplaced.

Let’s unpack it. 

1) We need to solve for quality before we solve for efficiency

Today, AI is amplifying two bad practices, both of which I’ve written quite extensively about.

First, most job descriptions in cybersecurity are poorly written.

• Laundry lists of requirements that few humans have in totality

• Requirements not aligned to level/ experience/ comp

• Overemphasis on things that are not always good proxies for skills: minimum years of experience and educational requirements

LLMs are increasingly being used to generate job descriptions, and they can do a credible job in many ways. The problem is that they push everything back toward the mean, and perpetuate what is generally a sloppy and not well thought through exercise. They can be a great tool for a first pass, or generating ideas, but they don’t nudge things in the right direction. 

Second, these tools are scoring based on the discrete number of skill and experience keyword matches, not on what is most important, and with no distinction between what can be learned and what can’t. I use a visual analogy of an iceberg- everyone pays attention to what is above the surface, because that’s what you can see- but you are missing the bigger picture. Experience on resume is minimally predictive of success. Broader context- motivation, grit, intelligence, curiosity, and capacity to learn matter tremendously. And you don’t pick that up with a keyword scan. 

This perpetuates:

• Keeping very talented people with high potential out of the initial screens

• Highlighting the same highly experienced people, over and over again

• The work not really aligning with candidate expectations, and thus disengagement and turnover

We are solving for the wrong problem. We need to figure out how to hire for quality before we solve for efficiency, otherwise we are just amplifying bad practices. 

AI is only as good as the data that it was trained on. And right now we are training with a definition of success that is totally disconnected from reality.

So we get garbage in, garbage out. 

The cost of a bad hire is tremendous- cultural degradation, lost productivity, more time work is not being done due to vacancy, team time spent sourcing and interviewing, etc. But instead of focusing on solving for an approach that brings in awesome talent, companies are spending time nickel and diming recruiting team productivity. We should only do that after we are getting fantastic hiring results. 

2) AI holds the potential to help vet more deeply, and increase quality of matching

While our current implementation of AI is guilty of perpetuating bad practices, that doesn’t mean that it’s without promise. Today the matching is being done at a keyword level, without context and without validation.

We are close to a world where AI can actually help validate, and likely do so with higher accuracy and less bias than is typical in human interviews.

• Using labs, we can validate hands on keyboard technical skills

• Using assessments, we can gauge analytical skills

• Using analysis of sample work, we can get a sense of written communication skills

• Using video interviews and mock presentations, we can get a gauge of verbal communication skills

• Using well trained LLMs we can actually construct good job descriptions

These results won’t be perfect. But they can be better than what we do today, which is typically either 1) making an assumption that a skill is there because of some other proxy, or 2) gauging during interviews with no calibration and minimal intention. 

Beyond validation, AI can help bring liquidity to the job market. There is indeed value in being able to parse through a large number of candidates- if your talent signals are right, the fidelity and quality of your matches will be higher with a larger sample size. And at large scale that’s just too much for a human to manage. 

So if we get the assessments right, and complement initial screening at the skill level with a well designed interview process that provides a second layer of validation and tests for cultural fit, motivation alignment, and manager fit, we will have great results for both candidates and companies.

3) We cannot lose sight of the human element

Candidates are already feeling the isolation of disconnection from the early stage parts of the recruiting process that are automated today- where, if you follow the process, all initial interactions are digital and there’s no transparency or clear logic as to when you get past the ATS screen. 

If you believe the marketing hype, a world of full automation/ low no touch is promised. 

And let’s be honest, it isn’t the connection between the candidate and the recruiter that matters, it’s the one between the candidate and the hiring manager, and the cultural fit with the team and the company. So some transactional squeeze on the recruiting end is fine, as long as it lead to rich engagement with the hiring manager.

The candidate experience suffers significantly if the process goes too far without them being able to do their own diligence on a company and the hiring manager. Space needs to be made relatively early on to ensure real human connection and the chance for both sides to evaluate fit. 

And in the world we are in now, where the results are poor from automated screening, both sides are frustrated, so it’s the ability to have someone that is trusted recommend someone for a job that matters most. And that isn’t going away. 

So get out there and build real human relationships. They will stand the test of time.

Jobs

This week we are featuring newly posted CISO jobs. As always, check out our job board for hundreds of opportunities, all classified by security domain and NIST/ NICE specialization.

💼Headspace. CISO. Remote ($200-300K)

💼Thorlabs. Director of Information Security. Newton, NJ

💼Howard Hughes. Director of IT Security (CISO). The Woodlands, TX

💼Ultra Clean Holdings. CISO. Chandler, AZ.

💼National DCP. Senior Director of Information Security. Duluth, GA.

💼NetApp. Vice President, Chief Information Security Officer. Research Triangle, NC. $264-396K.

💼New York Power Authority. VP, Chief Information Security Officer. White Plains, NY. $200-265K

💼GLG. Chief Information Security Officer. $220-270K

Events

One of the (awesome) features of our new website is a comprehensive list of upcoming conferences. It’s one of the largest collections of cybersecurity conferences available. Check it out!

A few of the exciting ones in store over the next few months:

🤝NetDiligence. Miami, FL. Feb 12-14.

🤝CactusCon. Phoenix, AZ. Feb 16-17.

🤝Rocky Mountain Cyberspace Symposium. Colorado Springs, CO. Feb 19-20.

🤝FS-ISAC Americas Spring Summit. San Diego, CA. March 3-6.

🤝SnowFROC. Denver, CO. March 7.

Thinking about your next move? Join our network

Looking for awesome talent? Post a need for free.

Crux is the talent platform for cybersecurity. Check us out.