Monday, 29 August 2016

When Two Worlds Collide: Why InfoSec Professionals Hate Recruiters

In honesty, I’ve never been overly fond of recruiters, stemming from my early days in the industry being duped into long journeys for interviews that were totally inappropriate, so the recruiter could make their number. However, it’s obviously unfair to tar all recruiters with the same brush, they’re just doing their job (to varying ethical and moral levels). I’m starting to see more and more posts from recruiters on LinkedIn, showing frustration at rude or terse reactions from the InfoSec community (especially Pen testers). I decided to write a post on the subject to discuss some of my thoughts on the topic and outline some of the key points on both sides, having used recruiters in my own career and also been on the hiring manager side.

What candidates need to remember is that recruiters are salespeople, they just sell people. What recruiters need to remember, is that they’re selling people and lifestyles, not things. A job is something that most of us spend a huge part of our lives doing and is therefore closely aligned to satisfying our various needs and wants. If you took the rather grim view of your life as a commodity, where you could buy and sell the hours within it, would you entrust a proportion of that to a middle-man (or woman) who is quite obviously dishonest, unethical and lazy?

Where Recruiters Go Wrong

As I start writing this section, I’m already pretty sure this is going to be the bulk of this post. I’ve experienced most of these gripes; a few on a daily basis. Some items on this list I’ve seen as a candidate and some are as a hiring manager – I don’t believe my experience is unique. I’m often pretty blunt with people who manage to reach me in these ways, mostly because I don’t agree with the approach on an ethical basis. I don’t think I’m alone.
  • Inappropriate Job Suggestions
This is really common; I think most people in InfoSec get these 2-3 times per week (if not daily). I think the thing that frustrates me most, is that it’s so obviously lazy. Our industry is obviously very security and tech savvy, we know the recruiter has done a LinkedIn keyword search and we’re one of the lucky people that popped up. Thusly follows a boiler plate email asking for a call about a role that is in no way close to what we do. The expectant chaser emails (also boiler plate) are always a nice touch.
  • Calling People in their office, often via generic or switchboard numbers
This is totally unprofessional and often leads to trouble for the candidate the recruiter is targeting – a few years ago a recruiter actually came to my desk phone via my boss, posing as a candidate, he thought he was pretty smart when he revealed his Ocean’s Eleven-esque scheme to me.
  • Sending CVs before getting permission
Again, this is totally unprofessional, not to mention in breach of the Data Protection Act. I’d recommend that if anyone discovers this is the case, that they report this as a serious matter to the agency concerned and possibly to the ICO. Moreover, part of me feels that individuals should be more cautious about who they send their CV to also. The recruiter will often try “I can’t tell you who the company is until you send me your CV”, this strict stipulation doesn’t often last long after you say you’re not interested in that case and then they spill the beans. The amusing part is that as the industry is so small, you usually know the key contact at the company and drop them a note to advise what’s happened – I’ve done this with candidates in some cases where their CV has hit my inbox in a suspicious or unsolicited fashion. I know many others who kindly do the same.
  • Cut and Paste exploratory emails
As a hiring manager I get these pretty frequently. A cut and pasted boiler plate introduction on LinkedIn about how successful the recruiter has been and how I should consider using them. They obviously really want my business and to build a relationship THAT much, they took the time to change the name at the top. If I tried to work with clients at Director level and above with this approach, I’d not last long. We’re not short of networking events, conferences etc. In my view there’s no excuse for the junk and scattergun approach.
  • Pretending they’ve spoken to you before or know you
This drives me nuts. Normally, the email (or InMail) starts “I just tried to call you” or “We spoke some time ago”, neither of which is true. It’s often a subtle reference, but for some reason some recruiters think you won’t realise. It’s such an obvious trick and for pen testers (who spend their whole day trying to think like a sneaky criminal) we spot this a mile off. Let’s at least try and start with honesty.
  • Pretending they know someone you do
Another really silly and dishonest mistake is thinking that people don’t talk to their friends. If someone says “I got your name from Ben, we’ve worked together and he told me to call you”, the first thing I’m going to do is send a message to Ben along the lines of “wtf” or “orly”. Lies and deceit are not the way to form long lasting business relationships.
  • The recruiter explains the industry to you
It’s always great to have someone with a couple of years’ experience in recruitment tell you how your job works and what people are looking for. General coaching is really useful when you’re quite junior, but a lot of people find this strange and somewhat embarrassing.
  • The recruiters job title is “Information Security Consultant” or similarly misleading
I’ve seen a few threads online where people complain about this, I tend to agree that this is a poor practice and is largely perpetuated to trick people into connecting with a recruiter, thinking they are a peer within the industry. It can be quickly remedied by viewing the person’s profile before connecting, but that doesn’t negate the dishonesty.
  • General Shenanigans
<insert horror story or anecdote>

The Other Side

Not all recruiters are bad. I’d say the good ones are certainly in the minority from my experience, but we should remember that they’re people who’re just trying to make a living too. The reality is, that recruiters aren’t going anywhere anytime soon, so we should grow thicker skins and work on solutions, rather than complaining all the time. Companies are always going to use recruiters to find talent, whether it’s to obscure their hiring activity from the public eye, save money or they just like to troll us. We can either help improve the situation or watch as it gets worse. There is actually an ombudsman in the UK for recruiting firms, called REC (https://www.rec.uk.com/membership/compliance/code-of-practice), but it requires agencies to join before they’re subject to the rules and it’s not widely mandated. I’ve also seen a recent effort from CERIS (https://www.getfeedback.com/r/1V16FODf) to create an industry body dedicated to recruitment practices within InfoSec, however, they are yet to get a proper website and talks of alignment with industry bodies such as CREST appear to have fallen down.

Room for Recruiters in InfoSec?

In smaller niches of the industry, such as penetration testing, it’s easy to think that everybody knows everybody else – so why do we need recruiters, right? Yet out of the ~1500 testers there are floating around, probably half are vaguely good (I’m being generous), then maybe a fifth of those may be open to a move at any one time. Then, there are multiple levels of seniority – and that’s only counting experienced hires. So, how do you find the good ones? Most organisations don’t have the resources or relevant skills (in their HR dept.) to search for these types of people and anecdotally speaking, they rely on  internal recommendations. As a Director (and hiring manager) of a rapidly growing large consultancy, I’d put recruiting as one of the top two priorities for me (probably only second to culture). I probably attend more than ten conferences per year (technical ones such as 44con, Kiwicon, ZeroNights, Brucon, Ruxcon, HITB, DerbyCon, BlackHat, Defcon) with one of the key goals being finding talent. I’d say that this (combined with trawling blogs / github) gets me about 75% of the way there and costs me a lot of time and my travel budget. The other 25% takes me hours of trawling LinkedIn (I don’t use external recruiters right now). For smaller organisations or more corporate ones, this simply isn’t an option, and I can see how the typical ‘pay for results’ model is appealing.

I feel there is a place for recruiters in our industry, but for nowhere near as many as there are now and they should try a lot harder to understand the different disciplines, qualifications and experience levels as well as exercising a basic level of ethics and honesty. However, I feel a lot more could be done by industry bodies to assist in this area, providing job boards and independent mechanisms for candidates to find roles.