Engineer this (please!)

Designing a good hiring process // AI advancements // Remote jobs

Hello friends,

I’m back from break! It was a great week and a half spending time with friends and kids, and getting the last turns of the season in.

This week we are going to dive into one of the most essential elements of building a team: having a good hiring process.

It’s amazing that nearly everyone agrees on the importance of the quality of a team, finding top talent, and building a good culture. Most would agree that having a good sourcing and hiring process is important to this. Yet, few companies have one.

Here’s our cheat sheet for doing so.

Cheers,

Brad

Engineer this (please!)

Has this ever happened to you?

  • You think you are at the finish line of a hiring process, and all of a sudden it keeps getting strung along (‘Oh, we just want you to meet Bob. And you and Jane should really go out for lunch’)

  • You get assigned to do an interview for a role a colleague is hiring- but all you get is a resume in advance- so you end up asking the candidate the same questions everyone else probably already did

  • You apply for a job with a laundry list of qualifications, many of which (but not all) you meet, but get rejected anonymously by the ATS systems without really knowing why

  • You hire someone that doesn’t work out and regret something you didn’t ask or look into in the hiring process. But then you forget to check for those things when you hire the replacement

I’ve had the privilege of working closely alongside engineers of various stripes for the past decade. I’ve been amazed at the challenging problems they’ve solved, the products they’ve delivered, and the processes they’ve designed.

I’ve also been amazed by how little of their considerable skills have been applied to the process of hiring people… unarguably one of the most important things that any company does.

The problem, partly, is one of ownership. Frequently the business and HR aren’t exactly sure where their authority and expectations lie when it comes to hiring process design. And there isn’t enough discussion upfront about what it should be as a new requisition is opened up.

I’ve also seen what good looks like. Danaher is famous for applying the philosophy of kaizen (continuous improvement) to literally everything. Their hiring process is no exception. When I was interviewing with them for an executive role, they knew exactly what they were looking for and how to assess for it, and they not only had clear assignments for each interviewer, but also spent a full day doing an in-depth psychological profile on me. And at the end of that process, their ability to predict success and fit was incredibly high. (I didn’t get the job, BTW- and that was the right call on their part!)

A good friend of mine had a phrase: ‘Every process is perfectly designed to get the results that it gets.’ He’s right.

Do you understand the results of your process? Have you thought about the design of the inputs? Do you understand the relationship between the two?

When it comes to hiring, process matters a lot. There is no one size fits all approach that is the best. It should be fit for purpose based on the type of role. But there are good processes, and there are bad processes.

Your hiring process should:

  • Seek to get enough candidates in the top of the funnel that you will have to choose between multiple qualified people

  • Act as an advertisement for your company, and appropriately represent the experience of working at your company- remember that candidates are evaluating you too

  • Predict candidate success in the role by getting you as accurate a picture as possible of that person’s capabilities and skills

Common mistake patterns:

Overly ad hoc

  • Other than the basics (resume reviews and interviews) there is no process. It’s up to the recruiter and hiring manager to come up with a new approach each time. Both people are busy so they figure it out on the fly.

No definition of good

  • The target for the ideal candidate is unclear. There’s a job description, of course, but it is full of cut and pastes from other JDs. There’s no alignment on true must haves and nice to haves. No consideration for likely tradeoffs. And thus no way to really thoughtfully assess the candidate against a standard, and thus predict success.

Lack of coordination among interviewers

  • There are plenty of interviews, and maybe a quick pre-wiring discussion but no separation of duties. So the candidate walks through their resume a bunch of times, repeats the same canned lines and walks away unimpressed by what she just saw

Fine with ‘say’ not ‘show’

  • The candidate seems like a good person, so everything, including their technical skills, is taken for granted (guess what… even good people have a tendency to exaggerate)

Cognitive biases

  • We all like to think we are clear, perfectly rational thinkers. Guess what, we are not. We need to be aware of our own innate biases, which can lead to bad decisions during the hiring process. These include:

  1. The halo effect (we like one thing, say the candidate went to our alma mater, and that overwhelms everything else)

  2. Confirmation bias (we look for data to reinforce our first impression)

  3. Attribution bias (we assume that outcomes are a result of capability, not circumstance)

  4. Affinity bias (we prefer people who are like ourselves)

The best processes include the following:

1) True understanding of what’s needed and what’s nice to have. And an understanding of specifically how you are assessing quality against that

  • Separate the base level required skills from what can be learned, and gauge ability to learn as part of the process

2) Sourcing from diverse pools 

  • The larger the top of your funnel is, the better (as long as you have effective screening criteria)

  • Leverage: internal referrals, inbound resumes, outbound outreach to passive candidates, etc.

3) Balanced, intentional evaluation of technical skills and people skills

  • Consider this model: view the people skills as minimum requirements, and then from there optimize on technical skills within your budget

  • This means: hard passes on anyone that won’t fit company values, struggles with effective communication, cannot think strategically or creatively enough for job requirements, etc.

  • Form a perspective on the value of specific certifications- can you take competence as a given? If not, consider a hands-on technical assessment to gauge proficiency (or use technical interview questions with varying degrees of difficulty)

4) References

  • ‘Trust but verify’- it’s perfectly fine to assume honesty and good intent, but references can prevent bad decisions and are time well spent

  • You expect references to be strong, since the candidate chose them, and it’s okay if there is a bit of a mixed take (just means the person is being honest).

  • Frame your questions against the job ‘must haves’ and look for weak points there

5) Understand the value of your time; it may be better to utilize an external recruiter that has a strong network to take this work off your hands

Look for tangible examples of the outputs and content associated with this process in upcoming issues of our newsletter!

Tools, resources, and useful things from the internet

🧠AI powerpoint generator- this looks pretty slick, and useful for building an initial draft (Gamma)

🗺️Market map of generative AI startups (Dealroom)

🎭A good (and funny) reflection on the pain and frustration of applying for jobs via resume submittal (Resident Contrarian)

💣How potentially dangerous is the AI race? One educated take (Lex Fridman podcast with Eliezer Yudkowsky)

📝Prepping for your CISSP? Here is 8 hours of instructional content that covers the breadth of the exam (Inside Cloud and Security)

☁️Maintained database of cloud security vulnerabilities from Datadog

News

🛑Elon Musk, Steve Wozniak and several other tech heavy hitters are calling for a 6 month moratorium on breakthrough AI research to build a regulatory framework (Fortune)

🤖Microsoft is embedding GPT-4 inside its security stack. Not surprising, but implications aren’t entirely clear at this point.

📷Ukrainian hacktivists duped several wives of an elite Russian unit (the one that bombed the Mariupol theater), which led to the revelation of a trove of sensitive personnel data. (HackRead)

AI photo generation is at a tipping point of being so good, it can be very hard to tell fakes. Big implications for disinformation ahead (WSJ)

🦹The FBI and other agencies took down the Genesis market, which sold stolen credentials. 119 people across 13 countries were arrested (Hacker News)

🚢Concerns are increasing over the security risks that Chinese-manufactured cranes (and associated software) present at ports (WSJ)

📉Not a shock but cybersecurity venture investment is at its lowest level since the start of the pandemic. This is probably healthy for the industry.

Jobs to check out

This week we are featuring remote security jobs

💼Dell. IAM Engineer (Remote)

💼Edward Jones. Senior IAM Engineer (Remote)

💼Marriott. Lead Cyber Incident Response Analyst (Remote)

💼Capital One. Senior Director of Technical Program Management, Cyber Security (Remote)

💼University of Chicago Medicine. Senior IAM Developer (Remote)

💼Baxter. Application Security Architect (Remote)

💼Credit Acceptance. Director of Engineering, Security, and Compliance (Remote)

💼United Airlines. Principal Architect- Identity & Access Management (Remote)

Events

💼SourceCon. Dallas. April 12-13

💼B Sides Salt Lake City. April 14-15.

💼B Sides Nashville. April 15.

💼Sans Pen Test Austin. April 17-22

💼B Sides New York. April 22.

💼RSA. San Francisco, CA. April 24-27.

💼B Sides New Orleans. May 3.

💼Sans Security Leadership New Orleans. May 8-13

💼Sans West. San Diego. May 15-20.

Crux is building the talent platform for cybersecurity. Check us out.