How CISOs Can Work Successfully With Recruiters, The Battle With HR And Why The Recruiting Process Is So Complex

Episode Interview Description

Topic: Infosec Hiring Subject Matter Expert Pete joins me this week to discuss the breakdown in infosec hiring. We discuss how CISOs can work successfully with recruiters, the battle with HR and why the recruiting process is so complex for many.

Guest Bio: For the last 6+ years, I have matched excellent candidates with exceptional opportunities in the Information Security industry.

I currently serve as Managing Partner at InfoSec Hires, where as the name might imply, our sole focus is recruitment, talent development, and retention within the Information Security Industry. InfoSec Hires has a vast network of both candidate and client contacts, and we are here to serve you!

James Azar Host of CyberHub Podcast
James on Twitter: https://twitter.com/james_azar1
James on Linkedin: https://www.linkedin.com/in/james-aza...

Sign up for our newsletter with the best of CyberHub Podcast delivered to your inbox once a month: http://bit.ly/cyberhubengage-newsletter

Website: https://www.cyberhubpodcast.com
Youtube: https://www.youtube.com/channel/UCPoU...
Facebook: https://www.facebook.com/CyberHubpodc...
Linkedin: https://www.linkedin.com/company/cybe...
Twitter: https://twitter.com/cyberhubpodcast
Instagram: https://www.instagram.com/cyberhubpod...
Listen here: https://linktr.ee/cyberhubpodcast
CISO Talk Podcast: https://linktr.ee/CISOtalk
The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.


Episode Transcription

0:17

Hey folks, James Azar here with the CyberHub Podcast. It's Friday tech corner. Y'all know what time it is, we typically talk technology. But today, I've decided because November is going to be the month where I highlight veterans and cybersecurity veterans who've transitioned from the military to civilian life. And we talk a little bit about their experience and the challenges of transitioning. And one of the big topics this October, I mean, everyone who's paying attention to National Cybersecurity Awareness Month is going like, oh, awareness, awareness, and not really, I could care. I don't want to say I could care less about awareness. But awareness is one thing. But doing is something completely different. And I want to talk a little bit about doing want to talk a little bit about doing a talk about recruiting and hiring and the need for staff and the need to really bridge that gap. I've done a few podcasts with Renee Small and Naomi Buckwalter, you guys could catch those on LinkedIn, where we talk a little bit about that. But today, I decided to bring a man a legend, a hero, a lot of different things. The one the only Pete Straus, Pete, welcome to the show.

1:21

Thanks for having me, James.

1:23

Well, it's great to have you on I know, you and I connected on LinkedIn. And you know, I love LinkedIn, because LinkedIn is like, the perfect platform to connect with, it's like the only decently like social media platforms that can still be used without like, you go. Alright, I don't think my feed's being manipulated as much.

1:40

Right for now.

1:44

Everywhere else you feel the same way. That's why one thing one quick thing, folks, as of December, we'll be moving a lot of our content to local comm. So make sure you stay up for that. Especially our goodbye privacy podcast. And several of our other podcasts that some of you may or may not know about are going to be moving to local calm that way, we don't get censored. And I don't have to go through a six month battle to put out a season of my podcast. So just keep an eye out for that be okay, back to you. Let's let's talk a little bit about, you know, recruiting. So and InfoSec. Two words, that for some people are very irritating and very challenging, and people don't quite get it. So let's talk a little bit about that. Before we do that, though. Tell them tell us a little bit about your background and how you got started in InfoSec.

2:38

Yeah, so I've been in the security recruiting space since 2014. Back in the day, I trained with key Force started off in IT staffing, and then was actually recruited by the CEO of my last company, IT audit and security assessment firm, to basically build their HR and recruitment department is from scratch back in 2014. So while I was doing that hired over 100 people was extremely successful in doing so. And now, a few years later, I've been running InfoSec Hires for about three and a half years now. And helping companies of all shapes and sizes, find good security people. And yeah, that's my story.

3:22

Well, brilliant. So let's talk a little bit about ideal in a perfect world, which I know we don't live in one. But in a perfect world, Pete, what's the role of a recruiter?

3:35

Well, and I think this is where maybe the industry could improve a little bit. So in an ideal world, your recruiter would be not just somebody who's, you know, throwing bodies at a wall to see what sticks that old adage, but truly serve as a partner to you as a CISO as a hiring manager. In an ideal world, I would say, you know, a recruiter is there to advise on industry trends, salary bands, job descriptions, things like that. Often what I find, though, is recruiters tend to be generalists. So especially within a large organization, you'll have one person that's recruiting everybody from the accountants to the CISO. And it's hard to develop a specialty in doing that, you know, you're working on such a wide swath of skill sets, it's hard to, you know, really focus on a given area like InfoSec. So, in an ideal world, you would have specialist recruiters who know InfoSec specifically and focus on that and can advise, like I said, your hiring managers on what candidates are looking for what the market looks like, what salaries are, you know, how maybe you're able to improve your job descriptions? That's a big one, and one I certainly see a lot of talk about on LinkedIn is how can we improve those job descriptions? So an ideal world your recruiter would be able to help you with all of that?

4:56

We're gonna talk about job descriptions at the very end of this podcast, I promise I don't want to go down that rabbit hole right now, because we're going to get stuck there. So I want to get through some of the pretty stuff first, before we get into job descriptions. Having said that, though, you know, as a CISO, I often hire recruiters to help me fill roles. Sometimes it's a it's a, it's a contract to hire, sometimes it's a direct hire, sometimes it's just a pure contract job, I need someone for three, four or five months to do one specific task. I know, I don't need someone full time. I know, I don't need to onboard that person and whatnot. And I find I have a challenge working with recruiters, I have a challenge because no matter and I'd like to think I'm pretty accurate in the way I want to describe a role for someone, I still have a hard time getting the right people meaning not wasting my time, looking at CVs that have nothing to do with the role I'm looking for. So what can I do as a CISO to work more successfully with recruiters?

6:01

I think it's really about educating the recruitment force, whether that's internal recruiters, your organization or if you're working with an external recruiter, really helping them understand the the core technical requirements that you absolutely must have for the role. Then also the intangibles, which in many cases can be even more important than the technical skill sets, from my experience. You know, one thing I think that successful recruiters do well, is they spend a lot of time specialists security candidates on motivators, making sure that, you know, their reason for making a move is lines up well with with the role that you're recruiting for. And I think that's where a lot of recruiters fall into a trap is they'll find somebody that may be a good technical match, but they're, they're not necessarily looking for a job like the one at hand. So it's it's all about making that that perfect match and really digging in to candidates motivators and what they're looking for. And I think that certainly helps.

7:03

Yeah, there's a distinct challenge I feel when we talk about recruiters and kind of CISOs, which is the culture. Why is it so hard for CISOs to get the culture across to recruiters?

7:23

And I think a lot of it kind of needs to take place in the beginning. So when you first talk to a recruiter, in the beginning, I call it a discovery call where you're first talking to the recruiter, and describing you know, what your group is like and things like that. I think the the devil is in the details, you really want to get as specific as you can. And really help the recruiter understand how to sell your group, sell your organization, because at the end of the day, that's what they're doing. Yes, we have to screen for fit, but we're also having to generate interest in the candidate. So providing a lot of specifics really helps for that. Anything that you feel that you do differently than your competitors. That's always helpful. That's one of the questions that I always ask CISOs when I talk to them is, you know, what would you say helps you stand out in the marketplace. Another thing would be what are your benefits look like stuff like that? Every little selling point, all that ammunition that you can give the recruiter, the more you give them the better chance that you'll have of getting the right people.

8:27

So let's let's talk a little bit about this challenge. And there's a challenge in most major organizations, which is to hire someone, it becomes hiring by group, you have the CISO, you may have a department manager under there, who's going to be the direct manager of the recruit, you have HR, you've got the recruiter, and we forget the job candidate. And between all of that we create what I like to call a perfect mess, you know, the road to hell is paved with good deeds, and that my friend combination is a road to hell is paved with good deeds for an ideal candidate. I mean, a lot of people get frustrated in this process, what can we do to smooth it over?

9:12

I think, you know, if I had to describe the ideal setup, and when you're going to find somebody, it's important to have maybe two to five technical requirements that are absolute must haves, and then a couple of intangibles. Anything beyond that, more specific or you know, once you start to get like a laundry list of requirements that you actually must have, the harder it is to find somebody that fits into that narrow little box. So I would say you know, really sit down with your team figure out what are those core things that they absolutely must have on you know, day one, the first 30, 60 days that you cannot absolutely train for, that they have to have, figure out what those are and make those requirements. You can list basically as many nice to haves as you'd like to, but making a bunch of hard requirements and a long list, that makes it very, very, very hard to find the right person. So I would say, you know, keep the must haves to a narrow amount, really figure out, prioritize what you really need, and then train for the rest. One thing I think a lot of organizations don't do is they don't want to train people. I know it's tough sometimes when you're running around, and you have so much to do, and you're working 60, 70 hour weeks to sit down and to train somebody new. But then you're also running into issues where, you know, if you're recruiting for a position for six months, and you don't have it filled, that's also pretty inefficient, too. So there's kind of a trade off, you know, do you make a few concessions on the front end and hire somebody that's maybe not a 10 out of 10, perfect technical match, and then just train the rest? Or, you know, do you spend six, nine months trying to find that perfect fit, my preference is always for the former.

11:00

So you bring up a really good point, talking about, you know, building the right must haves and the intangibles, and the technical skills and all that. What's one of the challenges that I find in this whole idea between HR, recruiter, CISOs, department heads and the job candidate, is what ends up happening to a proper job description. And we're going to get to the job description here in just a little bit. And we're we're gonna spend some time talking about that. But oftentimes, HR, I found, are adding stuff in there that I don't want, like, I could care less about a college degree, I could care less, I don't care for it, you got it? I don't have it. I don't really care. College tells me nothing about a person.

11:42

Yeah, you know, I think it's mainly an issue in larger organizations where, you know, it's it's an organization wide requirement to have a degree, for instance, I think where a lot of organizations fail in recruiting people is that they, they treat InfoSec candidates just like any other candidate that they need to hire, it's a completely different animal, hiring security people over even IT, it's just, it's a different world, it's a different way of hiring, it's a different process, even you know, you really have to spend time selling candidates on the opportunity and security where you might not need to do that in IT or administrative type of roles. So anything that you can do really to bypass those administrative sort of requirements. And I know in large organizations, that's very hard to do. But trying to find those exceptions, and make a business case for you know, security, hiring being different than other hiring that your organization might be doing.

12:44

Yeah, again, great point, I think the challenge remains for a lot of people is InfoSec candidates are not like your typical. And I think that's why for November, I'm highlighting veterans, oftentimes veterans finish their service, they may or may not have a college degree, but they have years of keyboard experience, they have years of critical thinking experience that you can't earn in any college degree. I don't care what people say, there's no equivalent to being in Cyber Command or NSA, or CIA or FBI. None of that exists. There's no university that can teach you that kind of experience. And so I often find that struggle. Luckily, in my current role, I don't have that issue. But in previous roles, I can tell you, things would get lost, like weeks and months would get wasted over a bachelor degree requirement on a job description.

13:39

Yeah, and in, I mean, honestly, veterans are some of the best employees you could possibly have. In fact, back when I was with my previous company, we hired a guy through the campus recruiting program, he was about 30. At the time, he ended up being like the best possible recruit we could have ever wanted. A super hard working discipline work long hours, you know, very motivated, very structured, organized. So yeah, flexibility on things like degree and considering people from non traditional backgrounds, you know, maybe they don't have a corporate or commercial background, and they're coming from the government space. That's certainly a good way to attract a broader range of people. That may be a fit than, you know, traditionally what you've considered that might be a one to one match for, you know, that perfect 10 out of 10. Candidate.

14:32

So I want to take us into a debate. And I want to take us into the debate that I get a lot of feedback on on LinkedIn and a lot of different podcasts I do and all kinds of stuff where job applicants often complain about recruiters. You don't say sorry, Pete, you're in the hot seat. You're getting the questions that these guys bring to me. You signed up for this I didn't know and put a gun to your head and made you come on the show. So, with that being said, this isn't about ghosting, it's about, I get this all the time in LinkedIn, by the way, I get recruiters that'll send me like a message like, hey, this company's got a perfect role just for you. And I go, Okay, what's the role? And then I get director of InfoSec. And I'm like, I'm a CISO. Like, I'm not going down a director level. Right? So there's, there's one, there's that. And the second thing is, what should can let me ask you this. So what should candidates be asking a recruiter when they're approached? For a role? I think beyond so let me stop this, beyond the role specifications, meaning, like, what's the job? What's the company? How much does it pay? Those are typical questions that recruits ask, but what should you ask the recruiter even before you go down that road to vet that recruiter and know that you can work with them successfully?

16:04

I would say, Well, I guess to focus on the role or the company, one thing that you can ask that most people don't is who does this role report to? You know, so if it's a director, and it reports to the CISO, then that gives you a better idea of, you know, what level the position is actually at. But, you know, I think in vetting a recruiter and knowing how experienced they are, or how well acquainted they are with InfoSec, ask them about that specific sub discipline that you're in, and ask them to explain how many roles they worked on in that space. So say, you know, I was I was contacted about an IT auditor job, I would ask them, you know, how many IT auditors do you usually hire in a given year? You know, what would you say? Are the core technical skill sets that are needed for this one? Is that are there any certification requirements? And oftentimes, that certification requirement question will be pretty telling, you know, if it's a two year, type of job, junior type of position, they say that you need a CISSP. And they don't mention anything about? Well, I know, that's kind of an unrealistic requirement, but it's what corporate has given me, that's a good sign. But if they just list the requirement without any further explanation, that might be a red flag.

17:26

So let's just all agree that CISSP is not an entry level cert.

17:32

Yeah. Yeah, of course, you know, LinkedIn has been abuzz with, you know, talk about that. You know, it's just, I think that's one of those things, get

17:42

that expectation to your client, when they tell you, hey, we want a junior person, and they're required to have a CISSP?

17:51

Well, I never see that, personally, because I'm working with clients that don't ask for those types of things. But you know, in working with an experienced recruiter in the field, they'll be able to push back on you a little bit and say, you know, that's, that's really not realistic. And here's why. So it's just as important the why I think, is the what, and a lot of cases and working through recruiters.

18:15

So let's talk a little bit more about this whole idea of employees and recruiters, recruiters, obviously, sometimes in the CISO community, I can tell you, they have a similar name to snake oil salesman. Right, very, very, like similar reputation, like a very similar viewpoint. Like, I love it, like, you know, because I see it coming, by the way. And I'm always hoping to be not disappointed, and it always happens. And I'll share a personal story. So I got a request on LinkedIn, from someone and in their title, you know, they'll say, information security hero, and I'm like, Okay, here's the sales guy. And I go, do I approve or deny? Do I approve or deny and I try to approve almost everyone, the only people that don't approve is people from nations where I don't want to have any connections to and stuff like that. Like if someone from China reaches out, they're not, they're never getting approved. If someone's from Russia, or you know, Ukraine, I avoid them like the plague if I don't know, and so forth. And so, I gladly accept the connection. And then 10 minutes later, I get the mile long Declaration of Independence. You know, we hold these truths to be self-evident that I am the greatest cyber person on the planet and I can solve all your problems. And I get the same from recruiters. Literally similar, like I'll get a recruiter who will ask me to, you know, come on, to connect, and a minute later, I get a message and they go like, I've got the perfect role for you and you know, whatnot. And when asked for more information, always get the same disappointing aspect. How do we change that behavior?

19:57

I think it's about incentivizing the folks that don't operate that way. So there's, well, I guess then systemically, there's there's an issue with though that behavior isn't ideal, it actually gets results. So that's why people do it. You know, at the end of the day salespeople wouldn't be successful unless they were operating on a volume driven model. Same thing with recruiters, you know, it's a numbers game, I always tell my recruiters, you really have to get in front of as many people as you can. I'm a big proponent of quality over quantity, in general, but at the end of the day, the more people that you can contact, the better your chances are of making a placement. So I would say, you know, as as a hiring manager, as somebody who works with security vendors, give credence to the folks that that do it right. Pay attention to what they're saying, and extol the virtues of the right sort of outreach. You know, I hear a lot of folks complaining about how they're approached by recruiters or how they're approached by security salespeople. And, you know, it always rings sort of hollow, I guess, to me, because I always see it as Okay, well, then what can they do to improve work, we can't stop selling. You know, that's our job we have to get in front of people. Just tell us how you'd prefer to be approached. And for the folks that do make a genuine effort and do their research and reach out to you with a customized approach, things like that, here. Now. I know that's hard to do when you're so busy again, and working those crazy hours. But even just a quick note, hey, this isn't right for me right now. But I like your approach, keep doing what you're doing. Little stuff like that goes a long way. Audio cut out.

21:54

I know why my audio cut out, I was on mute. So that's, that's a fun. So I will say this, I try as much as possible to reward good behavior. And what I mean by try it as much as possible, meaning, you know, there's a limited amount of time a day. And I can often give everyone the same amount of time, I just it's impossible, upgraded accounted littling that gives people 15 minutes, and I try to hold them true to that 15 minute, you know, kind of like introduction meeting and whatnot. But but at the end of the day, it's it's it's extremely difficult to give everyone time because then I wouldn't do my job. Sure, right. But but let's talk a little bit about job description. I kind of want to dig into that here real quick. The challenge of job description, and I started saying that earlier, you know, when we talked about the intersection of HR and the recruiter and the CISO and the job candidate, that job description, which I can write, which can maybe have, you know, seven bullets for you know what the job brilla requires, and maybe four or five bullets of what my requirements are of a candidate by the time it clears HR. It's got 10 and 10. And then by the time it clears the recruiter, it's got 14 and 12. So how do we how do we break down this job description challenge within the hiring process?

23:19

Like I said, I think first off, it's important to put a control in place where you're reviewing job descriptions after they've been assembled by all those different parties, before the recruiters start using that to go find people. Because if you end up with something that has 10 or 14 extra requirements on top of what you had listed, inevitably you're going to get a bunch of people that aren't qualified. So you know, it may take a little bit more work upfront time up front to review those things and make sure that they're on target, that person might actually exist. But in the end, it's gonna save you hours and hours and hours that time. Again, specifics are key, you know, making sure that you're educating the recruiters exactly what you need and getting very specific with that helping them understand the terminology. And that's something I see often is that, you know, especially recruiters that are generalists, they simply don't understand security terminology because they haven't worked on security roles. So really helping them understand okay, what is the F IR? What is IT audit? What other keywords might you be looking for beyond what's just listed on the job description? Going a little bit deeper helps.

24:32

Yeah, I mean, but but that's not always the case, right? You don't always get recruiters that specialize in InfoSec. Large organizations often work with large recruiter, recruiting firms, right, where they're kind of like nationwide and they've got a team of generalist and dustiness of generalist are used to working with your HR people, because they also hire operations and finance and marketing and sales and in DevOps and all these other engineers and architects and designers and all these other roles and so you end up in a place where a job description I like to call it gets a signature. Right. And that's what I literally call it because I can create a job description. And then HR and recruiters will add a signature to it. And that signature could be a college requirement, it could be a cert requirement, like I, I very rarely when I'm hiring for junior levels, put in high insert, so I'll put like a Certified Ethical Hacker or a Security Plus, you know, I don't use all the different, you know, certs that are out there, I try to keep it very general, because a lot of times these generalist in InfoSec have a lot more cross knowledge than then, you know, the, the three or four letters behind their name offers. And so how do you kind of break down? And how do you as a recruiter kind of look at this, because while I in an ideal world, as we started talking, you know, you'd have a discovery call, and you'd have all the process, but that doesn't discovery calls always happen. But then the follow ups thereafter, it's typically done by email, things get lost in translation by email, how do you solve some of these challenges and unlock some of your best practices?

26:17

I think really constant communication is key. Correcting course, quickly, if something starts to go wrong. So you know, one, one thing that I'll see often is I'll submit a candidate, and I'll just not hear anything at all, and I assume, it's just because the hiring manager is not interested in the candidate, but I have no idea why, again, the why is super important. So even if it's, again, just a few quick words to say, not the right background, need this instead of this, you know, that takes a few seconds to type. And it's something that can quickly help the recruiter narrow down or correct course, where maybe they veered off a little bit through something lost in translation or something. So I'm just a big proponent of constant communication in general, I tend to over communicate for personally, I'm just making sure that, you know, hiring managers know exactly the way that I'm approaching a search at all times, even if it wasn't asked for. So I'm almost managing up a little bit, you know, thinking about things that they might need to be more successful at finding you the right person, if maybe, you know, you hadn't discussed it before, or if anything has changed, that's super important. If your requirements have changed, if the team has changed a little bit, just that constant communication, even if it just takes a couple of seconds to send a quick email, that's, that's definitely gonna help. Once a recruiter starts going down a certain path, they may send out, you know, 100, LinkedIn messages or something, before they'll hear anything from the hiring manager, about them being on the wrong path. So constant communication, I guess, system.

28:01

So that's a really great point, constant communication. I feel like a lot of times, and I'm going to advocate the CISO position here, we're so busy, right? We're so swamped, and we're getting hundreds. I mean, if it wasn't for spam filters, I probably would never leave my inbox. Because purely, I get so much email every single day. So much email. And so it's very hard sometimes to send an email or review a candidate thorough, right, a lot of times, and I'm guilty of this myself, what I'll end up doing is I'll get a CV, I'll call up the candidate, and I'll spend, you know, 15, 20 minutes talking to them unavailable, that was a disaster. Right? And, and when I finished that conversation I reach, you know, I'll send the recruiter and be like, you know, wasn't the right person, or I'll go internally to our HR and just tell HR, like, Hey, I've spoken to the three candidates we've gotten so far. They're all crap. And I'll communicate something to HR, because HR may be down to down the office from me, they could be, you know, on a slack channel, that it's easy for me to communicate with them, or sometimes with an external recruiter, I'm unable to do that. And so, do you often have to go through HR and does that, you know, we all know that things get lost in translation when they're getting passed on. But how often does that happen? And then how does that affect your role when you're trying to recruit people?

29:40

It happens quite often, especially larger organizations. You know, hiring managers are so busy, they want to have somebody else spearhead the communication service, primarily primary point of contact for that external recruiter contact. So yeah, I mean, oftentimes we'll work with with HR managers or you know, maybe lead recruiters, recruiting managers stuff like that, in certainly things do get lost in translation. That's why, you know, my preference is always to work directly with the hiring manager because that way nothing does get lost in translation. Obviously, I understand that's not always possible. But, you know, again, it comes back to saving your time, and spending a little bit of time on the front end is going to save you way more time on the back. And I know sometimes it's, you're so operationally saturated, it's hard to see it that way. And it's just hard to, you know, respond all requests and inquiries. But, you know, potentially spending 30 seconds educating either the HR manager or the or the external recruiter, if you can work with them directly. That's, again, always best case scenario, I think. But, you know, it may save you an hour a week just in reviewing resumes and profiles, and talking could be multiple hours a week, you know, if you're talking to multiple candidates in a given week that aren't fits, you know, so just spending that few minutes up front. But yeah, I mean, working through HR, it's possible. We've made placements that way. But it's always more challenging. You know, I like to ask questions, like, you know, what's the hiring manager's recruiting style or management style? How do they view their team, stuff like that. And oftentimes, you don't necessarily get a clear picture from the HR person of what the hiring manager is actually, like, they may try to tiptoe around something or, you know, they, they may give you a canned answer. 
And it's little details like that, that can make it so much more difficult to find good people, because they want to know all those specifics. And if I'm not able to share those with somebody, then I'm kind of kneecapped, and trying to find somebody.

31:51

So, great point there. HR is problematic sometimes. I'm not a fan of HR. In fact, a funny, funny, interesting story is when I had my own company, before I sold it, I never had HR. Never had HR, hiring was done through an outside recruiting firm that we worked with, that had direct contact with the managers. And all issues went through legal. I had three lawyers on payroll, why do I need HR every department had dubbed the HR budget for their own team, so they can plan activities, training developments, and so forth. And I never had to never needed someone to spearhead at all. I found that to be a very, by the way, a very, very, very effective way of running the organization, we had a 90 we had like a 7% attrition rate, meaning every year we'd lose 7% of our people. Like, that's unheard of. Those are numbers that don't exist, simply because we eliminated intermediaries. And to me, HR is like the ultimate intermediary, sometimes in a hiring process. And it, especially in a manager, not saying we don't need HR, but I'm saying like, you can fill those roles through better hierarchy, and so forth. And with good department managers, like to me hiring a good department manager, a good leader, was really, really those were the roles where I spent a lot of time vetting the people, all the lower end positions, I let the department manager, you hire someone with management, so that you don't have to manage them. Right. And a lot of times we see that to be the complete opposite. And people go well, I don't have enough time. And I'm like, Well, you should make time.

33:44

Or delegate, you know, like you said. Yeah, hire a hiring manager, hire a director that, you know, they've had experience recruiting and, you know, interviewing people. That's sometimes oddly a very specific requirement from the clients that we work with is we need somebody who's recruited and onboarded people, who's, you know, been a part of the hiring process. Not every person, even with a manager title, is necessarily involved in that, they may have, you know, their senior level technical folks doing most of that, or they may have HR doing all of that. So yeah, I think delegating is super important. It becomes easier when you hire the right people up front. So kind of almost a top down approach where if you hire the folks right underneath you, and they have the right skills, it becomes easier to delegate everything else down the chain.

34:36

It absolutely does. And I think that's one of those where when I talked to my CISO peers, they go like, why do you not have some of these challenges? And I go, well, HR is really not involved in my department. I keep them at bay. I'm like, stay away, stay far and if we need you we'll call you. The reason for it is because every team and every department head has a crew, and their crew has a specific set of energies and to have a management style and to have either a family feel or a company feel or a platoon feel, you know what I mean? Like, they're just different teams and they know what to do best. Right? If I told you, the department head, hey, here's five grand, do something for, you know, use this to really do, you know, a team builder? What's your, what's your department, and let me know what it is, and I'll show up, I find that those tend to bring much, much better results than something that HR does company-wide. Why? Because I see my team, when HR does something company wide. They're bored out of their minds, they're like, this is so cheesy. But when they do something as a team, you know, if they go to Topgolf, or they go bowling, or they go hunting, or they go fishing, or, you know, they go throwing axes, or whatever the case may be, and they go and they spend two, three hours outside of the office, I see a completely different set of energy. And I also see the performance and everything thereafter. They're just way more motivated than when HR does stuff. And I've actually taken that to the board several times, letting them know like, why do we stay away from HR. And I've showed like, here's the HR team builder that everyone was required to attend. Here's our performance in the two weeks after. Here's one team, that same team that attended that event, they did their own little thing as a group, came back. And here's their performance thereafter, here's their productivity levels. Here's, you know, the stuff that they were doing. And it's night and day. 
And I don't know, I mean, I think outside the box to me, you know, I find HR to be, you know, needed but useless when it comes to most, most of the stuff. I feel like direct management with open-door communication with the upper managers tends to deliver more for the staff than anything else.

37:00

Yeah, I think there's certainly something to be said for different functional units kind of governing themselves and, you know, operating as their own little mini culture or microcosm. You know, that's not necessarily representative of the overall organization. I'll tell you that my ideal client is one that I ask them questions about their company, about their group and how they would describe their group, if they do any sort of team building events, you know, what their benefits are like, and things like that. When I hear a client say, yeah, we do paintball tournaments every quarter, or we do a quarterly dinner, I just brought on a new client that does dinners, he cooks Wagyu beef for his employees every quarter, you know, little things like that, those little stories, those are so powerful in finding the right people. So again, it comes down to details, really making sure the recruiter understands what sets your group apart, maybe even within the overall organization, what sets you apart from a competitor's standpoint, what sets you apart from maybe a technology stack perspective, people want to know all those little details. And it's really the details that sell people and attract people to specific positions in my experience. So when I'm spending so much time on, you know, motivators with candidates,

38:26

I dig into, you know, what exactly is it that you're looking for in your next position?

38:32

You know, they're, they might say, oh, well, I'm looking for more interesting work. I'm like, okay, well, what does that look like? Or, yeah, you know, I'm just not a fan of my boss, you know, I'm looking for a tighter knit culture, that sort of thing. And all those questions, those probing questions are super telling. And when you're able to, you know, ask a candidate those questions and they tell you what they're looking for, if you have a good answer for that, a good little detail or an anecdote, something like that, that you're able to match up with that motivator for them, super powerful in getting them interested all the way through the interview process towards the very end.

39:08

Yeah, I think one tip I'll share is when I ran my company, and even now as I run InfoSec departments, I run them like our Constitution, three branches of power, the presidency, Congress, Senate, the judiciary, the legislative branch, and so forth. And it's funny I, I, I have it on a PowerPoint because I gave a talk about it at an HR conference. And I found it to be very fascinating because people looked at me and they said, why, and I go, well, you know, people in Texas are different from people in California and people from New York and people from Florida, people from Georgia and people from Pennsylvania, like, every state is different. Hell, SoCal and NorCal are like two different states. San Diego is like its own freakin country. So I always try to, to argue that point in the fact that, you know, generalized, I try to push teams in my staff, and people who work with me to think not only outside the box, but also feel comfortable enough. And I learned this in my time in Israel. So when I moved to Israel in 2009, you know, coming out of the US military, I'm used to orders and structure of command. And I was invited on base to a meeting of an Israeli unit. And their Lieutenant comes up and is doing the briefing. And while he's doing the briefing he's constantly interrupted by sergeants, and even, you know, like, like, privates. And I'm like, what's going on here? Where's the discipline? And part of something that in Israel they do, it's it's in, we talked about, I talked about this on a podcast with Chris Roberts. In Israel, there's a mentality of constant debate, no matter rank, debate, debate, debate, debate, debate. And so I actually enacted that, and I enact it today, within my team. So once a week, we get together for an hour. And now thanks to COVID, we do it on Zoom. And we do debates. 
And the debate is around strategy, around overall security posture, around some of the challenges we're having with either patch management, vulnerability management, threat intel, all these different things, so that we can have a debate and everyone's entitled to speak. And no one's out of rank, like, just because you're a SOC analyst doesn't mean you can't recommend something on our cloud security architecture, we, we want to hear from everyone, right? And over the last several months have actually brought in our MSSPs to these hours. And I have to say, it's been unbelievable what it has done to the team from an energy perspective, from a thinking perspective, from a performance perspective. And I haven't needed a recruiter to recruit during this time, because I'm getting friends of people reaching out to me going like, hey, you know, my buddy, Darrell works on your team, and I'm looking for a job, this is what I do. Keep in mind, I really want to work for you. And I think that's one thing that CISOs need to do better with recruiters is communicate this culture. It's let you know, like, hey, this is my culture, this is what I do with and this is how I run my organization. And I don't care about technical skills, right? Because I can teach technical skills. Right? You can tell someone, hey, we'd love to have you on board, go get the cert and come on in. And some people will go do it and others won't. And that's just attitude and culture is everything for a successful security program. And I think oftentimes, my challenge with recruiters is, they don't get that, like everything I've just explained to you I do on a discovery call.

43:14

Nice. Yeah, I mean, I think if in general, the industry went towards that more, it would be helpful. In general, I'm a big proponent of, you know, like I said, continuous feedback, but also, you know, pushing back when something doesn't make sense or, you know, having open lines of communication where you feel like you can speak up, especially like you said, if you're a SOC analyst or something lower level and you have a great idea, you don't need to feel like you can't bring that up because of, you know, the hierarchy or, you know, something like that. And, and people want to work in those types of organizations, building that employer brand, that culture is so, so important. You know, you don't have to pay a recruiter like me to go find you people if they're coming to you already. Because word on the street is, you know, your organization is awesome, or your team specifically is awesome to work for. So that certainly goes a long way and I talk to a lot of folks, especially in more junior entry level positions, where that's one of the common complaints I hear is I don't feel like my voice is heard, there's, you know, there's too much red tape. I can't get anything done. Nobody takes me seriously. You know, I'm just kind of told stay in my place and, you know, know, know my place

44:30

Yeah. And and it's, I don't know, I disagree with that so much, Pete, like, never let people stay in your lane and I think people who are working in an organization where everyone is in a lane, those are organizations where you typically see challenges and high turnover. Because people don't, don't feel valued, right, and I attribute, I attribute my 7% attrition to the fact that you train people so well, and they reach a point where you don't have anywhere to push them in your organization and they start looking elsewhere to go and excel. Right? Like, if you look at sports, right, all the great head coaches of the 90s and 2000s were all Bill Walsh people. Right? They all came out of the Bill Walsh 49ers program. And now in 2010. And now this, this decade, they all come out of the Bill Belichick New England Patriots program, right? You train people, you empower the people who work for you to reach a point where they have to leave you because they're not going to replace you. But they're ready to move forward.

45:42

Yeah, I mean, that's a fundamentally different mindset. And it's one that's kind of hard to accept, if you think about it, if you're, if you're training people so well, or, you know, if you're developing them so well as a professional, that they're ultimately going to go leave you at some point. It's hard to accept that. But the simple fact of the matter is, is it happens, and you'd rather spend four or five years with you,

46:04

Pete, why is it hard to accept it?

46:07

I think, in working with a lot of hiring managers, the thought is often you know, we're great. Why don't Why would people ever want to leave us? Why don't they want to come work for us? And something I've thought a lot about, you know, there's almost an arrogance where our team is great, our company is great, why doesn't everyone to come? Everyone want to come work for us. So it goes down to you know, really making sure that that culture is good, I think once a, once an organization gets large enough that it reaches critical mass, and there's a psychologist that I've been watching a lot of YouTube videos on, and he was saying how basically, you know, once you get large enough, there's so much red tape, no matter what type of organization you started with, when you were small. Eventually, once you get large enough, you have to have, you know, functions like HR, and, and all the different administrative, you know, hoops and things that you need to jump through. And your culture always suffers as a result. That's just gonna happen. That's why it's important to have the smaller teams that, you know,

47:10

Well, that's asking compliance, right? You reach a critical mass where your board says, hey, we got to have HR. I mean, that's what happened to me. Right? We were, we were getting ready to sell the company. And the people who wanted to buy the company were like, well, you guys need to have HR in place. And I'm like, no, we don't, and you're buying the company, you break your head on HR, I'm not hiring HR. I hate HR. I really do. I despise HR. I'll say it loud and proud. I don't like HR. I think HR is one of the biggest challenges to get things done in an organization, whether it be hiring, whether it be dismissing someone, HR always slows down the process of getting rid of someone who's not functioning in your team, when you just need to cut the cord. And, you know, when you're an at will employment position, it's really easy to let someone go, but HR will make you keep someone on for another month, month and a half. Just so that you can, you know, and you're like, we're wasting time, company resources, money, projects are getting sent back. Things are bad, it's a bad precedent for other employees.

48:23

Well, yeah, I mean, one toxic employee can snowball pretty quickly. And what you end up having is, you know, you have one person that's not happy, and you know, they start, basically, you know, poisoning the rest of the team, and it snowballs, and then you end up having 5, 10 people leave at once, just because of that one person just kind of started to slant everything a little bit. So yeah, no, I agree. The red tape is difficult. But you know, that's why, again, just keeping a close eye on that culture is so important. You know, if you can realize sooner rather than later that there's an issue, you know, and you know that it's going to take X, Y and Z amount of time to go through HR to get something done. You know, the sooner you know about it, certainly the better. So that's why I think, you know, regular employee performance reviews, that's a super key thing, you know, at least quarterly performance reviews, and then have more informal sort of touch points. When I used to do HR and recruiting for the IT audit firm that I was with, I actually did regular touch points, I had to quarterly just check in with people. And that was actually a really powerful thing. I would learn pretty quickly if somebody wasn't happy, I'd be able to kind of filter that and pass it on to the executives in a way that wouldn't portray that person poorly. But that would, you know, give them an idea that maybe something needs to change. So I guess that's where HR can kind of be a good thing for you is, you know, serve as that person that talks to somebody, that provides, you know, that intermediary where you can learn about unhappiness or, you know, any sort of toxicity that's brewing?

50:10

I think so. So I'll counter with this. I prefer to work with recruiters like you who spend a day in my organization, and learn our culture and see how we run things, and then go out and recruit people for us, than have internal HR. That's my purpose. Because well,

50:30

we're motivated, because because you pay us. So number one,

50:35

yes, we pay you based on the good people that you bring on board. I think number two, your once a recruiter, the difference between recruiter and HR people is a difference between sales and marketing. Marketing is theory. And that's HR. And sales is doing. And that's hands on person. And recruiters are hands on. And marketing is HR. HR equals marketing, whether it be internal marketing, external marketing anyway, you name it, right. HR wants to put a standard HR wants to protect the brand. And recruiters are like, I want to get you the best person to get this job done. And I want to get them to you as quickly as possible so that you don't have this void in your team anymore, and that they fit your company and I want them to last because that's how I get paid is if they last in your company, I don't want them to wash out.

51:31

I guess its results versus process orientation really? Right. I'm not the same kind of

51:36

person. But not to say you don't need both. Again, not to say you don't need both. But I'm a firm believer that running good department heads and having good team leaders and letting your teams manage things and hire people based on what fits that team tends to be far more effective than kind of the force-fed process. And I'm telling you, I see that. So so much with people I speak with every single day, Pete. I mean, every single day I speak to people, they go, yeah, I'm at a dead end place. I've maxed out. And this whole, you know, we're talking about earlier, this whole idea of people saying we're the best. Yeah, absolutely. But you know what, one thing that people don't understand about InfoSec is we're one large community. At the end of the day, I can spend my morning on a phone call with security folks from Visa, and then talk to other security folks from a different company. And they all support my organization. And so when someone good leaves me and goes to work for an organization that I do business with, I've just earned a really good security partner because I know the capabilities of that person. And I think that's the biggest, I think in security, which is different from all other aspects. When someone good leaves me to go somewhere, I realize that's the company I'm probably going to want to do business with in six months if I don't do business with them right now.

53:03

Yeah, I mean, you certainly get almost sort of the inside scoop. If you know, especially if you spent the time and energy developing somebody as a professional and see them go elsewhere. Usually, it's a pretty good indicator, especially if you have a, you know, positive culture where you're at, and they go leave to go somewhere else. It's like that place must be pretty awesome, too. So yeah,

53:25

One tip I will tell for those listening, who are employees who want to leave a place and think that sometimes ending on a good note is very difficult, because you're part of a really good culture. You're part of a very good team, it feels like a family. And it almost feels like you're cheating on them. Don't feel that way. I think most people, yes, some people may have a sour face, because, you know, they've been used to working with you for years, and whatnot. But at the end of the day, I think, I'd like to think that most people want to see someone who they work with do well, I believe in the good in humanity. Right. So yeah, it's difficult, but just have that conversation. And I think it's, it's, it's one thing that I'll always tell people, you know, when I hire them, I'm like, it's not about how you come on, it's all about how you leave.

54:15

That's a good way to put it. I talked to a lot of folks that, just like you said, they're, they're afraid to leave because, you know, they've, they've spent so much time and effort, especially if they're not the type to job hop, you know, they put in their time, they're loyal, you know, like you said, they feel almost kind of guilty, like they're cheating or something to go elsewhere. But, you know, at the end of the day, I think you got to do what's right for you and your career and your family. You know, if somebody approaches you with, you know, double the pay and, you know, excellent benefits and it's, it's exactly what you want to do and maybe it's an opportunity to do something that you don't have in your current position even though you like where you work, listen to it. I mean, it's, it's not going to hurt you in any way. You know, never burn bridges, obviously, I always tell folks, you know, make sure that you put in plenty of notice, even if you're not satisfied where you're at. And it is a toxic place to work, you know, you just never know who you'll run across in, you know, later stages of your career. So, small, small world in security,

55:17

Yes, it's a small world in security and people know people. And so you can go and talk to someone and interview for a job, and they end up knowing the person you worked for, and pick up the phone and call them and be like, hey, I interviewed, you know, Brad, and really like Brad. Oh, yeah, you know, he, you know, he left us on really bad terms, you know, barely gave notice, was slacking off his last week at work, you know, showing up late, leaving early, all kinds of stuff that, that reflects really bad. I can't tell you how many people I've interviewed, who in the interview have shown me amazing sets of skills, and like, really good energy, and I felt like the big part of my team. And I know their previous manager, so I pick up the phone and call them. You know, and I'm like, hey, unofficially. Right? Let's have an off the docket conversation, off the record conversation. What'd you think of this person? Would you hire him again? What was the like, be like, oh, you know, technically, he's great, magnificent. But you know what, this is, that was our problem with them. And, and if you don't have fans in that company, like whenever someone comes, and he says, for references at my old company only use this one person. I question that so much. Because I'm like, why'd that one person?

56:35

Yeah, well, and sometimes it could be. And I've seen this pretty often where, you know, it's one person that's maybe the toxic member of the team, and they have one other person that's also a toxic member of the team, and everybody else is very positive. And so they have their little echo chamber. And, you know, that's, that's maybe what

56:54

it feels like Twitter when I see that. And so, Pete, thanks so much for coming on the show. We've gone way over time. I think we're like seven minutes over time. But we're having a great conversation and sharing stories and hope people find this really

57:15

sound cut out. Still can't hear. Yeah. Oh, how about now? There we go. Yeah, I got to change the wire on my mic today. So that'll be a good reminder. What I wanted to say, can people connect with you on LinkedIn, if I put the link here below in the description? Absolutely. Pete's an amazing recruiter, folks, as you can tell, very level headed kind of guy and the kind of people you want to work with, just good hardworking folk. And so, so I like to highlight those people. So Pete, thanks for coming on the show. Really do appreciate it. Now to you, our listeners, viewers, audience, all the great people, want to make sure you subscribe right now, just do right now real quick. Just hit subscribe. If you're watching us on YouTube, turn on the notification bell. If you're listening on your favorite podcast listening platform, make sure to hit subscribe. November's dedicated to veterans. So the entire month of November, Monday through, Sunday through Friday. Jewish, I don't do anything on Saturday, I won't be posting content on Saturday. And I encourage you to spend time with your families on Saturday, folks, like I do. We'll be posting every single day at 2pm Eastern time an episode highlighting and telling the story of different veterans that are in the InfoSec community. So if you want to take part of that, you can reach out to me directly on LinkedIn or go to our website and fill out one of our Contact Us forms and we'll touch base with you and get you on the show. We have very few spots left, folks, like literally, I got to have like 26 episodes, we have 22 already booked. And several have already been pre-recorded and ready to go November 1. So just make sure you tune in. Plug in honoring our veterans. On this month of November, the entire month of November is all about honoring our veterans, giving them an entire month which they absolutely deserve. So make sure you tune in and share and watch those episodes. You'll be seeing a lot more content in November. 
That's it for us here today at the CyberHub Podcast Tech Corner. Thank you so much for coming on the show. Thank you all for listening and watching. We'll be back with so much more next week. I've got a great guest next week from KnowBe4, really good, and he's Dutch so you know that he's gonna be tall. And so with that being said, folks, we'll be back with more. Until then, stay healthy and stay cyber safe.

59:42

Lesson