Designing a world class hiring process

Steps to vastly improve your hiring results // CISO roles

Hello friends,

I hope you all had a wonderful fourth of July!

I’ve been publishing a bit less frequently as it’s been a busy few weeks with travel and family activities. We had a little getaway to Montreal and spent the holiday weekend in the mountains.

I can’t believe how fast summer has been flying by.

This week’s focus brings things back to the basics- how to hire well. Enjoy!

Cheers,

Brad

Designing a world class hiring process

As we’ve explored before, most hiring processes are not well designed. They tend to be ad hoc and reactive in nature. This is despite the fact that most people will tell you that ‘building a great team’ is a top priority.

At the end of the day, cybersecurity or not, we all want to build a team of people who will do incredible work, and do so the right way. We hope that they will fit in and contribute to the type of culture we want, and that they will stick around for a good amount of time. You want to be able to attract incredible people, have an efficient hiring process that doesn’t waste a lot of time, and, most importantly, have a process that is predictive of future performance.

Today, we’ll walk through a straightforward process for doing so. This may all seem pretty obvious- no blinding insights here. But I have consulted for and been a part of many dozens of companies throughout my career. I’ve only encountered two that really did this, and did it well (if you are curious, they were BCG and Danaher).

Here’s the process:

Step 1: Define skills.

Don’t think of the job description as a necessary evil or a task; think of it as an opportunity to clarify your thinking around what is needed to be successful. Focus on skills, not experience (after all, years of experience are really just a proxy for a skill, and a noisy one).

Define no more than 5 must have skills, and no more than 5 nice to have skills. These will be your guiding lights for the hire.

Step 2: Think through how you would assess these skills directly.

This is where some creativity will come into play.

You have multiple tools at your disposal:

  • Interviews

    • Asking questions and listening for responses that indicate the appropriate amount of insight or understanding

    • Observing behavior and skills directly in the interview itself

  • Assessments

    • Directly testing skills

    • These allow for quantitative results and ‘racking and stacking’ scores

  • References

For high volume roles, consider purchasing or building assessments particular to the skills most necessary for success. These types of assessments are extremely common in fields like software engineering, where a large portion of the skillset is testable.

In security, there aren’t many standardized assessments, but there are plenty of platforms that have knowledge tests around particular security domains and things like capture the flag competitions.

In addition to testing the hard skills, you should also strongly consider a generalized cognitive horsepower assessment (intelligence is the top predictor of success in most jobs), and personality/ motivators assessments to gauge fit.

Step 3: Build these into a hiring process

Define the particular steps in the process. Consider what comes first: put the cheap steps that are likely to weed the most candidates out early, so that expensive steps (panel interviews, take-home assessments) are only spent on people who have cleared the basics.

For roles with a reasonable hiring frequency, this process should be standardized and repeatable, and generally you want to be able to have different people run the same process and get the same result.

Assessments help with this.

For interviews, define the questions in advance. You may even want to distinguish between strong answers, satisfactory answers, and weak answers.

Use all of this to rank against your critical skills (strong/ satisfactory/ weak), so that you can do an apples to apples comparison.

One note: in addition to assessing for skills (desirable characteristics), you want to make sure you also build screens for undesirable characteristics. Think through what the biggest derailers could be, and don’t hire a person- even if they score well on all the right skills- if they are going to be detrimental to your culture.
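To make the strong/ satisfactory/ weak ranking and the derailer screen concrete, here is a small scorecard written as an added example for this post (it is not a tool from the original, and the role, skill names, candidates and ratings in it are all constructed). The rules it applies are the ones above: any observed derailer disqualifies regardless of score, a weak rating on any must-have disqualifies, and otherwise must-have points dominate nice-to-have points so two candidates can be compared apples to apples.

```python
# Added example for this post: a structured scorecard implementing the
# strong/satisfactory/weak ranking from Step 3 plus the derailer screen.
# Role, skill names, candidates and ratings below are constructed for illustration.

from dataclasses import dataclass, field

RATING_POINTS = {"strong": 2, "satisfactory": 1, "weak": 0}

# No more than 5 must-have and 5 nice-to-have skills, per Step 1. The role
# (cloud security engineer) and these skills are assumptions, not from the post.
MUST_HAVE = ["threat modeling", "cloud IAM", "incident response", "scripting", "communication"]
NICE_TO_HAVE = ["Kubernetes", "detection engineering"]


@dataclass
class Scorecard:
    candidate: str
    must_have: dict                                   # skill -> rating
    nice_to_have: dict                                # skill -> rating
    derailers: list = field(default_factory=list)     # observed undesirable traits


def evaluate(card: Scorecard) -> dict:
    """Apply the post's rules: any observed derailer disqualifies regardless of
    skill score; a 'weak' on any must-have disqualifies; otherwise the score is
    (must-have points, nice-to-have points) so must-haves always dominate."""
    for skill in MUST_HAVE:
        if skill not in card.must_have:
            raise ValueError(f"{card.candidate}: no rating for must-have {skill!r}")
    for rating in list(card.must_have.values()) + list(card.nice_to_have.values()):
        if rating not in RATING_POINTS:
            raise ValueError(f"{card.candidate}: unknown rating {rating!r}")
    if card.derailers:
        return {"candidate": card.candidate, "hireable": False,
                "reason": "derailer: " + "; ".join(card.derailers), "score": (0, 0)}
    weak = [s for s, r in card.must_have.items() if r == "weak"]
    if weak:
        return {"candidate": card.candidate, "hireable": False,
                "reason": "weak on must-have: " + ", ".join(weak), "score": (0, 0)}
    must = sum(RATING_POINTS[r] for r in card.must_have.values())
    nice = sum(RATING_POINTS[r] for r in card.nice_to_have.values())
    return {"candidate": card.candidate, "hireable": True, "reason": "", "score": (must, nice)}


def rank(cards) -> list:
    """Hireable candidates best-first, followed by the disqualified ones."""
    results = [evaluate(c) for c in cards]
    hireable = sorted((r for r in results if r["hireable"]),
                      key=lambda r: r["score"], reverse=True)
    rejected = [r for r in results if not r["hireable"]]
    return hireable + rejected


def ratings_for(*values) -> dict:
    """Pair the five must-have skills with five ratings, in order."""
    return dict(zip(MUST_HAVE, values))


# Constructed candidates.
SAMPLE_CARDS = [
    Scorecard("Alice", ratings_for("strong", "strong", "satisfactory", "strong", "strong"),
              {"Kubernetes": "strong", "detection engineering": "satisfactory"}),
    Scorecard("Bob", ratings_for("strong", "strong", "strong", "strong", "strong"),
              {"Kubernetes": "strong", "detection engineering": "strong"},
              derailers=["blamed former colleagues for every past failure"]),
    Scorecard("Carol", ratings_for("satisfactory", "satisfactory", "satisfactory", "weak", "satisfactory"),
              {"Kubernetes": "satisfactory", "detection engineering": "satisfactory"}),
    Scorecard("Dana", ratings_for("satisfactory", "satisfactory", "satisfactory", "satisfactory", "satisfactory"),
              {"Kubernetes": "weak", "detection engineering": "satisfactory"}),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_CARDS):
        print(r["candidate"], r["hireable"], r["score"], r["reason"])
```

Note that Bob has the best raw skill ratings in the set and still lands in the rejected pile; that is the point of building the derailer screen into the scorecard rather than leaving it to the hiring manager’s gut on the day.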

Step 4: Measure accuracy

Here's a simple way to think about this, like an equation:

  • Hi= incredible hires / total hires

  • Hm= hires that clear the minimum bar (but are not incredible) / total hires

  • Hf= hires that fail to work out / total hires

You want to maximize Hi, and minimize Hf.

Everyone is a hire at some point, so it may be tempting to think of this as simply the distribution from performance management reviews. However, there are a couple of meaningful differences:

  1. People move into different roles over time once they join a company- what matters here is whether your process is successful in finding and hiring people that are a good fit for the role they are hired into (unless that role is explicitly thought of as a ‘feeder’ role)

  2. Failure here isn’t just people that don’t live up to expectations. Failure includes hires that leave quickly of their own accord. Often this is due to a lack of fit (don’t get along with boss, job isn’t what they expected, etc). There will always be some rate of this that’s uncontrollable (e.g. spouse gets a new job and they need to move), but most of the time it is controllable and should be viewed by the company as a mis-hire (or a mis-manage).

You should measure Hi, Hm, and Hf, and set targets for them. These targets should be aligned to your compensation philosophy. Obviously, paying well aligns with a strategy of having a high Hi. It’s necessary, but not sufficient.
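Here is what measuring Hi, Hm and Hf looks like in practice, as an added example written for this post rather than anything from the original. It scores a cohort of hires on the role each person was hired into and applies the churn rule above: an early exit for a controllable reason counts as a failure even if the person performed well, while an uncontrollable exit is judged on performance alone. The record layout, the 12-month early-churn window and the list of uncontrollable exit reasons are assumptions made here, and the hires are constructed data.

```python
# Added example for this post: computing Hi, Hm and Hf from Step 4 over a cohort
# of hires, applying the two caveats in the text (judge fit for the role hired
# into, and count controllable early churn as a failure). The record layout, the
# 12-month early-churn window and the uncontrollable exit reasons are assumptions
# made here; the hires themselves are constructed data.

from collections import Counter

EARLY_CHURN_MONTHS = 12                                                        # assumption
UNCONTROLLABLE_EXITS = {"spouse relocated", "health", "returned to school"}    # assumption

# outcome: the manager's verdict on performance in the role the person was
# hired into, not in whatever role they later moved to.
# months_to_exit: None if still employed.
HIRES = [
    {"name": "A", "outcome": "incredible", "months_to_exit": None, "exit_reason": None},
    {"name": "B", "outcome": "meets_bar",  "months_to_exit": None, "exit_reason": None},
    {"name": "C", "outcome": "meets_bar",  "months_to_exit": 4,    "exit_reason": "job not as described"},
    {"name": "D", "outcome": "below_bar",  "months_to_exit": 9,    "exit_reason": "managed out"},
    {"name": "E", "outcome": "incredible", "months_to_exit": 6,    "exit_reason": "spouse relocated"},
    {"name": "F", "outcome": "incredible", "months_to_exit": 30,   "exit_reason": "took a promotion elsewhere"},
]


def classify(hire: dict) -> str:
    """Return 'Hi', 'Hm' or 'Hf' for one hire.

    A voluntary exit inside the early-churn window for a controllable reason is a
    mis-hire (or mis-manage) even if performance was fine; an uncontrollable
    exit, or a later exit, is judged on performance in the role alone."""
    months = hire["months_to_exit"]
    early = months is not None and months <= EARLY_CHURN_MONTHS
    if early and hire["exit_reason"] not in UNCONTROLLABLE_EXITS:
        return "Hf"
    return {"incredible": "Hi", "meets_bar": "Hm"}.get(hire["outcome"], "Hf")


def hiring_rates(hires) -> dict:
    """Hi, Hm and Hf as fractions of total hires; the three sum to 1."""
    if not hires:
        raise ValueError("no hires to measure")
    counts = Counter(classify(h) for h in hires)
    return {k: counts[k] / len(hires) for k in ("Hi", "Hm", "Hf")}


def against_targets(rates: dict, target_hi: float, max_hf: float) -> dict:
    """Compare measured rates with the targets you set for the process."""
    return {"hi_ok": rates["Hi"] >= target_hi, "hf_ok": rates["Hf"] <= max_hf}


if __name__ == "__main__":
    rates = hiring_rates(HIRES)
    print({k: f"{v:.0%}" for k, v in rates.items()})
    print(against_targets(rates, target_hi=0.5, max_hf=0.2))
```

On the constructed cohort, hire C is the instructive case: a solid performer who left at four months because the job wasn’t what was described. A performance-review distribution would count C as a satisfactory hire; the process metric counts C as a failure, which is exactly the signal you want feeding Step 5.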

Step 5: Learn from bad hires

If you don’t learn, you are doomed to repeat your mistakes. Dig into the root cause on bad hires.

  • What really went wrong?

  • What was your role in this?

  • What do you wish you could have known?

  • Was it predictable?

  • If so, how would you have seen it?

Narrow down what you need to fix:

  • Did you misread the most important skills?

  • Do you need to more widely consider the potential derailers and failure mechanisms?

  • Did you believe they were going to be stronger at a particular skill than they turned out to be? Why?

  • Was the interview poorly executed?

  • Etc.

Step 6: Make adjustments

  • Refine the skillset and job descriptions

  • Think about how you improve assessments and interview questions

  • Train your interviewers

  • Be transparent about mistakes that people make in hiring

Doing this requires discipline, and a collaboration between HR and the business that few companies actually have. But it pays huge dividends over the medium to long term.

Other additional pieces of advice

1) Be transparent about the good and the bad

  • Many hiring managers move into ‘sell mode’ when they see a candidate that they like. This can be dangerous if it leads to a temptation to sugarcoat the hard things or misrepresent anything about the job.

  • Everyone knows that no situation is perfect. People are likely to view candor as a positive cultural element (which it is), and the costs are high for companies that surprise their new hires with things that they weren’t expecting

  • Think about this: you want a good fit, and fit needs to go both ways. You should be honest about the job and the company all the way through the process

2) Have pay in bounds of your expected results

  • There is a good and healthy range of flexibility between target Hi and pay. What you can’t do is pay low and reasonably expect high Hi. But you can shoot to overdeliver on Hi relative to your target pay. The bridge here is culture- people will accept a lower pay if they love their job. And generally whether they do is a function of the people they work with and the environment they work in.

  • If you have a lousy culture and lousy pay, you will have a high Hf.

3) Consider the hiring process as a 2 way exchange (you are both interviewing)

  • Recognize that it is as important for the candidate to get to know you as for you to get to know the candidates.

  • Great people generally have choices, and you need to recognize that. Build time and space in the process to help them get to know the company, their manager, and what they would be doing so they are both comfortable with the job and excited about it

4) Recognize the virtue loop of hires and culture

  • Generally speaking, people build culture. Great people can build great culture. Hiring great people can help build and sustain a great culture, and great cultures attract great people. It’s a virtuous cycle once you get on it.

Tools, resources, and useful things from the internet

🔧CISA and the NSA have published excellent guidelines for securing CI/CD environments

🔍Flashpoint put together a good overview of the role OSINT is playing in helping us understand the Russia-Ukraine war, through the lens of the short-lived mutiny. Lessons in here for all parties interested in the potential of OSINT.

🪲Vulcan is one of my favorite (relatively early stage) cyber companies. They just released their quarterly report on most critical vulnerabilities. Take a look here.

😷As we know from the pandemic, there’s a huge shift in mindset from moving from prevention to management of an endemic issue. Jeff Greene suggests the same thing for cyber- and he’s right. (The Hill)

🔑FIDO has released enterprise guidance on the use of passkeys. Great tool for adding security and moving past passwords (FIDO)

News

🦹The invasion of Ukraine precipitated the beginning of the end for criminal gang Conti, which pledged loyalty to Russia. Nice piece detailing the downfall of the criminal cyber gang (Global Initiative against Transnational Organized Crime)

Third parties matter. A data breach impacted Southwest and American Airlines employees, including SSNs, passport information and other very sensitive info. The company with poor form is Pilot Credentials. (Bleeping Computer)

⌨️Another week, another WordPress vulnerability. This one, for a plugin, is unpatched. Seriously, people- don’t use WordPress! Also, thought exercise, are the perpetual WordPress vulnerability issues a counterfactual to the business risk of poor cyber hygiene? (Hacker News)

🛢️Denver residents like me are already conditioned not to like Suncor Energy. Whether karma, incompetence, or both, they just suffered a significant cyber attack that shut significant components of the company down, including their retail sites (Global News)

Jobs to check out

This week we are featuring CISO roles.

University of Oregon. Chief Information Security Officer (Eugene, OR)

Blue Cross Blue Shield of Arizona. VP, Chief Information Security Officer (Phoenix, AZ)

Jaggaer. Chief Information Security Officer (Morrisville, NC)

Robinhood. Chief Information Security Officer- Crypto (Menlo Park or New York)

Generate Biomedicines. Vice President, Chief Information Security Officer (Somerville, MA)

NASA Jet Propulsion Laboratory. Chief Cybersecurity Officer (Pasadena, CA)

Canonical. Chief Information Security Officer (Remote)

Events

💼BSidesPGH. Pittsburgh. July 21.

💼Black Hat. Las Vegas. August 9-10

💼BSidesLV. Las Vegas. August 8-9.

💼DefCon. Las Vegas. August 10-13

💼ISACA GRC Conference. Las Vegas. August 21-23

💼Grrcon. Grand Rapids. September 28-29.

Crux is building the talent platform for cybersecurity. Check us out.

Thinking about your next move? Join our network.

Want help with your hiring needs? Reply to this email to drop me a line