Instead of complaining about the security hiring process, walk a mile in a recruiter’s shoes and have a little compassion for what they’re going through, and how you might be able to help, at any level.
Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), with our guest Caleb Sima (@csima), CSO, Robinhood.
HUGE thanks to our sponsor Safe Security
[David Spark] Instead of complaining about the security hiring process, walk a mile in a recruiter’s shoes and have a little compassion to what they’re going through and how you might be able to help at any level.
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode, you know him if you’ve listened to the show before, you know his voice, it’s Geoff Belknap, the CISO of LinkedIn. Geoff, grace everyone with your voice yet one more time.
[Geoff Belknap] Welcome, everyone. This is my voice, and this is where I would usually try to make a dumb joke.
[David Spark] We will insert one later in post-production.
[Geoff Belknap] Put one here, Aaron. Thank you.
[David Spark] Yes. Our sponsor for today’s episode is Safe Security. Safe Security. If you are struggling with risk management, that is their bailiwick. It is actually one of our most popular topics actually, risk management. But not what we’re going to be talking about in today’s show, but they’re going to be talking about that later in this episode. I want to bring up today’s topic, which is a doozy. Geoff, with all the complaining that security professionals do regarding hiring, you posted on LinkedIn asking hiring managers to have some compassion for the recruiting team. That’s all you said. And wow, you got a response. Close to 9,000 reactions and more than 600 comments and 200 shares. What do you think was the button that set everyone off?
[Geoff Belknap] Boy, I think a couple of things. One, LinkedIn is a great place for people that are working on this specific issue. My network might be slightly biased to hiring managers and recruiters that work on this topic. But I think overall, you know what we’re all struggling with is we’re all…everybody in the security space is trying to hire great people.
[David Spark] Yes.
[Geoff Belknap] And there’s a limited number of them. You know who we all have to work with to do that is our recruiting partners. Nobody ever talks about what it’s like on those recruiting partners when a hiring manager’s to them like, “Hey, I just need a great engineer that’s got 17 years with this technology that’s only existed for 10 years. I need them to be an expert in six very diverse, different technologies or have experience with something that maybe no one has experience with.” And it’s their job to translate that into actually finding a human that meets any part of that requirement, which involves them talking to every single human in infosec as far as I can tell. That sounds like a challenging job. And you know what? I think it’d be a good time to have a talk with our guest about that.
[David Spark] Yes, very excited to have our guest. I saw our guest speak at the BSides in San Francisco. We’re very excited to have him on one of our shows and thrilled that we finally got him on. He is the CSO of Robinhood. None other than Caleb Sima. Caleb, thank you so much for joining us.
[Caleb Sima] Thanks. Glad to be here, David.
Why is this relevant?
[David Spark] Theresa Nordstrom of the Talent Company said, “Recruiters are bashed daily but needed more than ever. Thank you.” That was directed to you, Geoff. “It’s a tough role right now, and one of those that will rarely please everyone or even close to half of people.” Which that’s an interesting point to make right there is no one seems to be satisfied with recruiters. And Stefanie Zechner of Science. People. and Business. said, “The recruiters are often the first interaction a candidate has with an organization, and a passionate recruiter will go above and beyond to create a stellar candidate experience.” Geoff, I think that very last line is key here from Stefanie of you want a really good candidate experience because if they have a bad experience, they’ve got friends. And their friends might be that great person you want to hire. Right, Geoff?
[Geoff Belknap] Absolutely. And they might be a great person that you’re going to hire later or that you might be developing a relationship with so that you can hire them in the next job that you’re in. Whatever it is, I think the bottom line for me is as much as a CISO’s job is to make sure that they’re the senior most executive accountable for security at your organization, it’s to make sure that they can be a magnet that can attract sufficient talent to make your security program work. That doesn’t happen without a recruiter that can share that message and that can make that narrative land with the people that you want to interview. If they’re not going to get through the recruiter to you, you’re never going to land those talented people that you need or those people that you think can level up and be talented. So, if you can only imagine the number of interviews that Caleb or I have probably sat through, there’s got to be something like, what, ten X the amount of people that a recruiter has spoken to beforehand to try to get them to even spend 15 minutes talking to Caleb or I. That’s an incredible amount of work.
[David Spark] Caleb, I’m sure you’ve seen contentious relationships with recruiters which doesn’t seem valuable for anybody. And Theresa, it seems like, has this Rodney Dangerfield, we don’t get any respect, was thrilled that Geoff threw some her way. What has been your past experience working with recruiters?
[Caleb Sima] I think there’s this general expectation that the recruiter should just magically go find great people. That’s what makes a great recruiter from a not great recruiter is they can just bring great talent. But I think what we forget and many times what I work very, very hard on is there’s a shared responsibility between the recruiter and us. It’s our job to arm and provide the recruiter with all the necessary things that they need in order to sell the company, and the business, and the culture. That’s really important that they have that equipped with them. I think there’s a lot of just at least in my experience I’ve seen through others where they just say, “Oh, go and bring good people, and that’s your job. But yet at the same time, I won’t make time in my day, or my staff won’t make time in their day to get through the interview process, making sure we provide all the right information they need, provide them the way that they want to talk or how they sell the company and what they want to do and make time for those candidates.” So, I think there’s this lack thereof when I go and I start recruiting, the recruiting team is my other half. They are my partner, and we work very, very much in tandem to make sure that we can make the most efficient process we can and also really sell the candidates so that they can get that great experience.
[Geoff Belknap] Man, I just want to dive into this for one extra second and remind people that especially if you are a desirable security candidate for employment… You’ve got some great skillsets. Maybe you’ve done some great things, or you’re up and coming, and for whatever reason you’re getting all the calls from those recruiters. I understand that… Believe me, I understand. I think Caleb can relate to this. That getting a ton of emails about buying something or working for a company can feel overwhelming. But keep in mind what Caleb just said – those recruiters are our partners. We are tied at the hip, and our success has to be achieved mutually. If you’re a jerk to that recruiter, it’s a small world, too. We’re going to find out about that. We are working together and the recruiters are an extension of the team that is trying to recruit you.
[Caleb Sima] Yeah, absolutely.
What’s the issue here?
[David Spark] Binny Agarwal said, “Consider the time and energy expended by recruiting teams to find and hire qualified candidates. The level of difficulty is compounded by the introduction of new technologies and increasing importance of digital marketing. In person network is declining as a recruitment tool, as is the use of paper resumes.” And Bryan Howard of Mercury Performance Group said, “Also please don’t take your frustrations out on them. It’s easy to make them the ‘reason you’re short staffed, missing targets, upsetting clients.’ They probably aren’t in the top five reasons.” So, this goes back to my comment about the recruiters feeling this Rodney Dangerfield effect of not getting any respect. What do you do to make sure you’re giving them the respect, showing you appreciate, and realizing it’s a team effort that you both need to be refining both of your skills, Caleb?
[Caleb Sima] I could tell you a little bit of experience that I’ve had. When I first went into Robinhood, I really took a lot of analysis around how do we recruit, and how do we hire. Because at the end of the day, the people is the most important thing that you’ve got. And so you want to make sure that you optimize and you make the process efficient. And so when you think about recruiting, it’s not just sourcing the talent, going through the process of the talent, getting an offer letter out to that candidate, making sure that you cover all of the bases, how do you collaborate the candidate, how do you make sure all of these things are done. You’ve really got to focus and buckle down on understanding that entire process from A to Z, figuring out how to make it smooth so that recruiters have a great experience.
We have a great experience, and also the fact is I message to my team there is nothing more important than hiring. And especially… And you know this. Geoff will know this, too. Every security team is drowning. Everybody has fires that they’re all fighting. And the thing about it is the only way you dig yourself out of that fire is you hire. And so you’ve got to look at what’s going on in your team, make sure that they make it important. So, we really worked with our recruiting team to do things like what’s a P0 candidate, a P1 candidate, P2 candidate. And if it’s a P0 candidate, I told my team I don’t care what meeting is on your calendar, you move it. Because it’s for the candidate. And if the candidate says this is the time they’ve got, you move that meeting, and you have that interview. And so there’s a lot of these things that go on that you have to really push the shared responsibility model, again, around how does our team make sure that they move their calendars for these candidates, make sure that when they finish the recruit, you have the right debriefing.
You put your feedback in in a timely manner. All of these things are super critical so that when the candidate gets that experience, they see fast. They see efficient. They see pleasant. And the other thing that we do is we sell our candidates a lot. So, it doesn’t matter if you’re a senior staff hire or you’re a junior hire, I treat you the same way. And in fact one of the key things that we do is we say a lot of times with candidates they don’t get to ask questions. What we said is up front, “We’re going to allow you to interview us first. And then once you interview us then we’ll interview you.” And I think just those small steps increase a lot of, again, the responsibility of us to work with the recruiters so that they’ve got a great experience.
[David Spark] Geoff?
[Geoff Belknap] Yeah, I think the underlying theme here is if you’re a sophisticated recruiting organization… And what I mean by that is if you’re an organization that is sophisticated in its approach to recruiting, what you’ve figured out is exactly what Caleb is talking about – is that candidate experience is the number one most important factor in a candidate deciding to go to one organization or another. If all things are equal, they’ve got a superior skillset, and they’ve interviewed with several organizations they’d like to work with, that candidate experience is really going to matter. And what that candidate experience means is… And I think sort of Bryan Howard is referencing this when they talk about if you’re short staffed and missing targets, the recruiters probably aren’t the top five reasons.
What the reason is is did your people miss any of those interviews, did you do an interview with a candidate where you were kind of a jerk to them or maybe you didn’t treat them well, or you didn’t make the experience positive for them. This doesn’t mean babying them and making sure you bring them a coffee, especially in the last couple of years where we haven’t been doing too much of this in person. But it means making sure that you are treating them with respect, that you are treating their time as valuable, that you are asking them relevant questions, and that you are really getting at the heart of whether their skillset matches what you’re looking for, whether they’re a culture add to your organization. And all of this depends on you understanding how the recruiting process works, understanding how to leverage your recruiting partners, and really landing that candidate perfectly.
Sponsor – Safe Security
[Steve Prentice] Is cyber security fundamentally broken? Saket Modi, cofounder and CEO of Safe Security, thinks so.
[Saket Modi] First, too many products and too many dashboards. Second, the only analytics that’s happening is in the SOC, which is very, very reactive and only tells you about an incident after it has occurred. Third, cyber security products are not speaking the language of the business.
[Steve Prentice] This is where they find their niche.
[Saket Modi] We’re an API first platform. We come in and take read only API access from your existing security products and merge those signals together into our data lake and point them to the 560 techniques of the ATT&CK MITRE framework.
[Steve Prentice] This is how they take it from reactive to proactive and predictive.
[Saket Modi] We use something called the Bayesian Network. Bayesian gives you the probability of an event occurring in the next 12 months.
[Steve Prentice] This is how banks that loan money work.
[Saket Modi] Not only do we predict the ransomware, but what is the estimated dollar value impact of that ransomware that can occur in your environment in the next 12 months is what we give you.
[Steve Prentice] The IBM cost of data breach report says that you can cut the cost of data breach by 48% if you use cyber risk quantification, CRQ, to make decisions. So, for more information talk to Safe Security, a CRQ leader, at safe.security.
What are they doing right? What are they doing wrong?
[David Spark] Monika Bach over at REI said, “Have you thought about the process you’re creating for candidates?” Aw, referencing what you just said, Geoff. “Are you being responsible and thinking about the candidate’s journey versus being opportunistic?” By the way, I’m just going to throw this out here, I hate this sort of thought of, “Oh, well, let’s throw all these requirements out there and see what we get,” kind of a thing. That falls under the opportunistic… That drives me crazy. That’s where you get a bad employer brand, I believe. But I also want to add Matthew Decker of Dragos who said, “There is nothing better to a recruiter than a company that does what is needed to attract awesome people. Pro tip, start listing compensation in your ads. It works.” I know a lot of companies can’t do that, or they feel uncomfortable doing that. So, that pro tip works for some, not for others. But, Geoff, what do you think it takes to attract awesome people? Because everyone wants to do it.
[Geoff Belknap] If I’m honest, I spend a lot of time on this podcast, because always in the back of my mind is what is the impact that this conversation is going to have on people that might be looking into working in my organization. Now, I’m not always saying the things that I think that candidates want to hear, but I think about my presence on a podcast being something that somebody that’s thinking about working for my organization might listen to. And they might get a sense of what’s it like in Geoff’s org, what’s he like as a leader, what’s the culture…what’s an insight into the culture I might get from this. But everything you do that is not part of recruiting is something that you need to look at through the lens of, “How does this appear to a candidate? How does this make it look like this is an awesome place to work? Is it the great work we’re doing? Is it the great people we have? Is it some of the technical innovation we’re doing?” And then that has to carry through to that candidate journey. “What’s it like when a recruit reaches them? What kind of job description are you putting out in front of them? What is scheduling an interview like? What’s that process like?” All of that stuff are the secret things that most people don’t think about that really influence a candidate’s decision.
[David Spark] I will just say there’s one word that describes all of this, and that is brand.
[David Spark] Employer brand specifically. And people who are not in brand marketing and stuff don’t realize that literally every touchpoint is critical because you could have a dozen touchpoints of one is bad, that could ruin everything for you. Caleb, what do you do as your part? And I’ve already heard some of it like asking them to interview you first. What are some other sort of key touchpoints you found that are key to your employer brand?
[Caleb Sima] That’s a great question. I think to sort of Geoff’s point, a lot of the things that we do publicly, if we post blogs, or talk about things, or speak at conferences, or sort of marketing that brand…
[David Spark] Or being on this show.
[Caleb Sima] Or being on this show.
[David Spark] Which hopefully will be helpful.
[Caleb Sima] That’s right. But I also think I found very strong word of mouth. The security industry in particular is quite small, and so I know tons of people on Geoff’s team. Geoff knows tons of people on my team. Everybody sort of really connects and networks with each other. And so I think word of mouth is really, really key in that brand. One of the things that kind of stuck out to me in this quote was this being opportunistic thing kind of really stood out. And it’s like, “Well, then how do you tell if a company is being opportunistic or they really care about you as an individual and your career?” And so one thing I might bring up is if you’re interviewing a candidate, a lot of times I feel that it’s 100% sell. Like the recruiting and the hiring team is about selling, and selling, and selling to get this candidate to say yes. But do we ever think about is this role or is this company the right thing for the candidate? And even though this candidate is a good candidate and even though maybe they want to work at this company, is it the right thing. And so I wonder when I see that word opportunistic…
We’ve had times in our interview cycles where the candidate has wanted to work or we think that they wanted to work, but we’ve come to this mutual conclusion, “Hey, I don’t know if it’s the right thing for you. I feel like you’re going to come in, and you might be at an unhappy place because the state we’re in or what we’re doing is not the right thing. And you’re going to come in in a bad space, and it’s not going to be good for you, and it won’t be great for us.” And you’ve walked away with this mutual respect, saying, “Hey, that’s a great example of not being opportunistic.” Then that candidate actually goes, “Hey, that was awesome.” I can think of a specific example where we’ve had it where that candidate has referred their friend. Said, “Hey, this company, it wasn’t the right fit for me, but we came to this conclusion in the interview. But I think it would be awesome for you.”
[Geoff Belknap] Yeah, I think more often than not, people lose sight of the fact that the recruiting that you’re doing, especially if you’re recruiting partners, is long-term. It’s never just the job you’re recruiting for now.
How do we make this everyone’s concern?
[David Spark] Brian Walch of Shiftfocus Coaching and Consulting said, “Spend some time listening to your recruiter and what they are hearing from candidates. Then tell them about your hopes for a candidate and what you hope they will grow into, and all the opportunities they will have if they join your team.” Caleb, you’re nodding your head. I think this is a great quote saying the fact that they’re talking to more people like you described, Geoff…probably ten times more…than they’ve got ten times more insight than you do as to what’s going on. Caleb, I’ll just ask, what have you learned from your recruiters that you didn’t know?
[Caleb Sima] I learn new things every day. A lot of times, what is our brand in the market – how are people responding to us, I think, is important. What do they think is important in our company? How is their experience in the interview process? All of these things I think we get from our recruiters. But more importantly actually going back to the partner thing, especially to Brian’s quote, if you sit with your recruiter and say, “Here’s the role, and here’s what we’re thinking about the role, and how we’re doing it,” that recruiter might have feedback for you. Saying, “Hey, listen, actually from the market and what we know in talking with candidates, your way that you’re wording this or your expectations might be a little out of line.” I think like Geoff said at the beginning of this thing where, “How do you know…?” When someone posts a role they want 16 years of experience in technology that’s existed for only 5 years. Who’s going to tell you that? Your recruiter. Your recruiter is going to say, “Hey, I think this might be a little high expectations for the role and the comp that we’re hiring for here. Here’s my experience and the best way to go fill this role.” And the only way you can get that information is doing what Brian is saying.
[Geoff Belknap] Man, I cannot agree with this enough, which is rare for this show. But I think even more than that, if you’re not listening to your recruiter when they tell you… Because this is exactly what Caleb is saying is they’re talking to 20, 30 people, it’s going to be very easy for them to come back and go, “Hey, people are laughing at the fact of this requirement or the compensation for the experience you’re asking for,” whatever it is. Your recruiter is going to have very fresh feedback about that. The other part is if you’re spending all this time with your recruiter and you’re not asking them and really listening to them about what they think of this candidate that you have on site or that you might make an offer to, you are missing out on tons of insightful experience that that recruiter or that sourcer that’s worked with a zillion candidates has. Because that recruiter can show you their memory of what candidates have worked best in your organization. When you’ve hired really stellar candidates for roles like this, what’s the Spidey sense that they have about whether this candidate you’re talking to is going to be successful or going to be a problem. You are wasting a ton of experience if you’re not taking your recruiter’s input into the interview process just as much as anybody that’s doing a technical interview.
[Caleb Sima] And by the way, I might note that recruiters several times, we have overlooked a candidate. And the recruiter has come back and said, “Caleb, I really think you need to talk to this candidate.” And many times they’re right. I would have passed this candidate over. I would have not said this was the right person, but the recruiter pushed me. Very similar to what Geoff said – they can say negative things, but they can also come back and say, “You need to talk to this person.” And I have done that several times, and it’s gotten great results.
[David Spark] All right, I got one last question for both of you. Someone has left your company just to go seek another opportunity. What is your relationship with ex-employees, and do you maintain good relationships with them? And have any of them referred people to you? I’ll start with you, Geoff.
[Geoff Belknap] Oh, absolutely. Look, the main thread we’ve had through this whole conversation is security is an incredibly small space.
[David Spark] Yes.
[Geoff Belknap] And this goes both ways. Like look, if someone is leaving because they had a terrible experience with me, I am fully aware that that person is going to share their bad experience with people, which is why it’s really important to have that brand awareness. And for you to be aware of when they’re leaving, why are they leaving. Are they giving fair feedback? Is there something for you to learn here?
[David Spark] Well, the hope is most people are just leaving for a great opportunity, and they just want to move on.
[Geoff Belknap] That is absolutely the hope.
[Caleb Sima] Not the reality.
[Geoff Belknap] But I think a lot of people quit managers and quit teams that aren’t the culture fit for them. Especially when their skills are in demand. I think the other side of it, not to dwell on just the negative, is it’s a small world. And a lot of times I’ll have people that I loved working with, and I’ll tell them, “Hey, I’ll leave the key under the mat for you. If you want to come back at some point or if we want to work together again, absolutely. I’d love to.” But I think exactly what Caleb said before. I have been very blessed in being successful in my career so far, knock on wood. I want people to have successful careers. And a lot of times to do that, you got to work at other places. You can’t just work at the same place I’ve been at for the next 15 years. The most experience you can garner quickly in security is working at multiple places in multiple roles and seeing different perspectives, and different teams, and different problems. That is super valuable. So, I’m more than willing to let somebody leave for a better opportunity and see them again in five or ten years. They’ll be fantastic.
[David Spark] All right, 20 seconds, quick, Caleb, your answer. Past employees, have they referred people to you?
[Caleb Sima] Yes. And they’ve also… It’s always sad to have great people leave and go other places. But at the same time, I think you also know if it’s the right time, it’s the right time. And going into sort of what Geoff said, you’ve got to go and experience different things. And so we’ve always and I’ve always supported that as much as we can. Even though it’s a little disappointing, and it’s a little sad because you always want to work with great people. But sometimes they’ve got to go do different things, bigger and better.
[David Spark] All right, very good point. And that brings us to the point of the show where I ask the two of you, which quote here was your favorite, and why. And I will start with you, Caleb.
[Caleb Sima] Brian Walch.
[David Spark] Brian Walch. He had a really good quote. Yeah, just saying listen to your recruiters, what we’ve been talking about in this last segment. What did you like so much about it?
[Caleb Sima] It’s great advice. It’s well stated. It’s critical. It really is. I think it’s just a great reminder across the board that this is what you need to keep close to heart. If you do this then your relationship with your recruiters will be a good one.
[David Spark] All right, Geoff, your favorite quote, and why.
[Geoff Belknap] I really like Brian’s. But since I’m not going to steal the spotlight from Caleb, I’m going to go with Monika. I think she says, “Have you thought about the process you’re creating for your candidates? And being reasonable, and responsible, and thinking about the candidate journey versus just being opportunistic and trying to get this person in the door.” And yeah, you really got to think about what does the journey from beginning to end look like for this person, are they going to experience the process end to end positively, or are they going to experience four to six months of delay and get abandoned in the process. It makes a difference.
[David Spark] Excellent. All right, we are now at the end of the show. Thank you very much, Caleb Sima, who is the CSO over at Robinhood. I’m going to let you have the very last quote. And the question I always ask our guests, of which I’m guessing the answer is yes… My question being are you hiring. So, hang tight for that. I want to thank our sponsor, Safe Security. They are safe.security is their web address. No .com. The dot thing afterward is the word security. Not many companies have that. I think that’s fascinating. Safe.security. Check them out. Thank you again, Safe Security, for sponsoring us. Geoff is always looking for great people. And Geoff, let me ask you – have people that you have interviewed mentioned that they have heard you on this show?
[Geoff Belknap] They have. Yeah, absolutely.
[David Spark] So, something is actually working out here.
[Geoff Belknap] It’s all about that brand, David. And I think you always have to be thinking about it.
[David Spark] Yes, okay. So, anything else? You want to make a call out to talented people who want to work for you?
[Geoff Belknap] Hey, if you want to work for me or somebody else who’s very talented like Caleb or many of our friends in the CISO community, LinkedIn is a great place to take a look for job opportunities.
[David Spark] Yes. All right. Caleb, any last thoughts on this topic? And, again, may I assume that you’re hiring?
[Caleb Sima] I am. This is a great topic, one of great importance, and I hope we continue to focus on it because I think there’s a lot of recruitment we can make in our industry in this area.
[David Spark] And any specific call outs if someone wants to work with you? I’m assuming that you have a job board on Robinhood. Anything like that?
[Caleb Sima] We do. We have a job board on Robinhood. However, just ping me on LinkedIn, and I will get you to the right place.
[David Spark] Aw, excellent. And mention you heard him on this show.
[Caleb Sima] That’s right.
[David Spark] That always helps us, I think, as well. All right, thank you very much, Caleb. Thank you very much, Geoff. Thank you to our audience. We greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to Defense in Depth.