Unusual Journeys Into Infosec featuring Rose Farrell

Part Twelve of the Unusual Journeys Into Infosec series by CyberSecStu of The Many Hats Club, who talks to Rose Farrell about her journey.

Time to dust off your CV, polish your shoes, and put on that suit and tie, because we’re going interviewing!!

In this chapter of the Unusual Journeys Into Infosec series, I wanted to get the perspective from a professional recruiter, and there are very few out there whose opinion I respect. Rose Farrell is definitely one of those people; she has a dark sense of humour, excellent technical knowledge and insight.

As an ex-recruiter myself (well over 11 years ago, mind), I wanted to uncover the current challenges and perspectives from someone who speaks to Infosec professionals and noobs every day.

So headsets on, fingers at the ready to speed dial, and LinkedIn OSINT skills at the ready, as we’re about to embark into the wonderful world of Recruitment and learn about Rose Farrell’s Unusual Journey into Infosec Recruitment!

CyberSecStu (CSS): So as you know I’m writing about journeys into infosec, I really wanted to get opinions from employers and recruiters. Firstly can you tell me a little about you and the firm you work for?

Rose Farrell (RF): I work for a smallish recruitment consultancy. I started off by doing Zoology in college. I really wanted to be a museum curator so I got a job in the Natural History Museum working on a large documentation project.

I did a MSc in Museum Studies but realised that I actually did not want to do this for the rest of my life. It was too slow for me and too bureaucratic.

I honestly just wasn’t good at sitting quietly carefully writing out labels for dead animals all day! I was getting sick at the same time so I decided to quit, get better, and see what I might do with my life.

I was off work for 2 years, during which I did loads of charity work, was heavily involved in running several anime & games conventions in Dublin, ran assorted other events, learned to write really terrible Python, learned a bunch of miscellaneous tech bits and pieces.

When I was ready to work again, I looked for jobs that let me help people, solve problems, keep me busy, and in some way use all this tech knowledge I had built up. Recruitment appealed to me partly because of how terrible the reputation recruiters have. I wanted to be the one who wasn’t like that — to rehabilitate the reputation and to show that you can do the job right!

I wanted to really focus on building candidate relationships and candidate experience so not just typical recruitment through cold outbound mails.

CSS: Amazing. It’s really great to hear someone taking pride in being a recruiter! Recruiters seem to get a lot of bad PR from us Infosec folks — how do you feel about that?

RF: Ha, yes. I go to a good few tech events and hang out in lots of tech channels online. Even when I’m there socially, as soon as anyone finds out I’m a recruiter it’s like:

“WHY ARE RECRUITERS SO ST, THIS ONE TIME A RECRUITER DID THIS AWFUL THING DDFGDFGDDFG”

It is frustrating sometimes that you feel you have to work twice as hard to compensate for the reputations of people who leave a swathe of damage behind them.

My first recruitment job was with a large agency and there are lots of recruiters who genuinely do not care about anything except making commission. They’re excellent at the core part of the job — getting money in the door but the human part of the job passes them by. It’s much harder in infosec.

These people tend to stay off places like LinkedIn and other traditional sourcing hubs. So reputation is absolutely central. You have to get out there and make connections and find people through your network. You have to get referrals from people who trust you. If you’re the type of recruiter who lies about job specs, randomly sends CV’s off to companies without permission, sets up interviews with 24 hours’ notice — good luck to you, you ain’t getting referrals from pen testers…

I’ve had people come back to me — I’ve placed people in a job and they’ve come back two years later for their next move or if I didn’t succeed in placing them, they’ve come back because they remembered me. For me, that’s what I want from the job. Repeat business and referrals! (and money) Unfortunately, not many people rush off to talk about the really good recruiter they had.

If you have a great recruiter you probably didn’t really notice because the experience was smooth and frictionless. All the work goes on in the background as we flail around finding candidates, herding the hiring managers around to get interviews arranged, and negotiating salaries to the right level.

“When you do things right, people won’t be sure you’ve done anything at all.”

All you can do is be your best self. I can’t control the actions of all other recruiters. Also, if people only trust me and no other recruiters… that works too. ;)

CSS: Yes I couldn’t agree more on this, when I was a Recruiter, I spent many, many years building a strong reputation, also having a solid technical understanding certainly helped build credibility. So what do you see as the biggest challenge for people trying to break into Infosec?

RF: Exciting field but people have been hacking away (legally!), for years. It has blossomed in the last decade though. Entering Infosec is easier in some ways than other industries because it is SO varied. We’ve seen it in this series I’ve heard of…

“unusual journeys into… something…?”

You can start in software testing, or IT support, or network admin. However, as I’m being asked to name a barrier — I’ll go with a general lack of understanding of what the industry is.

I see lots of job specs and roles open where the hiring manager or HR person in charge of the role isn’t 100% sure what the job entails. So, when CV’s come in with the wonderful varied paths into Infosec detailed on them, it’s hard for them to see the connections between that and an excellent Security Engineer.

In the Irish market, out of all the Infosec peeps I know, I would say about 40% of them hold degrees but 100% of job specs request a degree. It adds a layer of annoyance when you’re applying to a job — to have to explain WHY everything you have done is important and amazing.

CSS: So how do you (and candidates) overcome this?

RF: Think it through when you’re applying to jobs. I see lots of job applications that are clearly templated. I know that recruiters are the spirit animals of templates but listen to my advice anyway!

Each application should be targeted. Look at the job and see what the most important factors are for the role. Do some research on LinkedIn and see who is doing that job currently and where they came from — it’ll give you an idea of what level they expect from applicants and what skills those people had.

If you see that literally all of their current employees in Infosec roles had Python scripting, make sure to mention that on your CV if you know it. Focus on the job you’re applying for and target that with projects that will make the company want to talk to you. What did you achieve in each company that makes you interesting for that hiring manager?

If you just list your duties, there’s no difference between that list and literally the worst person on your team. Look at the careers page and see what the company is most proud of. Do they talk about the amazing learning opportunities or their insane technologies?

If you talk about what they’re proud of in your cover letter, they’ll be attracted to your application because you’ll be showing that you’re one of them. One of the things I do as a recruiter is learn as much as I can about a company’s culture by getting to know the hiring manager and other staff so I can find people who they’ll have a good buzz with and who will appreciate what the company has to offer them. Basically, you want to contextualise your experience.

If someone isn’t going to read your CV and think “perfect!”, you need to make them see why you’re a fit. When I’m doing it, I also use the info I have on the hiring managers / client to help me out. If I know the hiring manager is obsessed with AWS, everyone I send will have AWS on their CV.

One of my clients is super into electronics. If I have a candidate who does a bit of Raspberry pi stuff in their spare time, I know they’re going to get on well because that little bit of extra chat will help in their interview.

They still need all of the skill and talent but having a little extra insight is the benefit of working with a recruiter;) Attitude and the drive to learn will get you a long way in Infosec.

CSS: I think you are a credit to your industry, if only more showed the same levels of professionalism and integrity I think those PR issues would surely fade into insignificance.

So let’s turn this on its head — do you think employers are doing enough to look outside of standard job specs? I.e. to quote a previous article, “only looking for unicorns”?

RF: I do think companies have to do more to sell jobs rather than demand applicants. I read job specs and have NO idea what this person will be doing day to day.

Lots of specs are written by HR or are written by some madly stressed senior manager who is trying to plan the next 5 years for this role. Or you have some monster job spec created to replace someone who has been doing the job of 3 people. The relationship has changed.

I like to see a job ad that says why someone might want the job instead of a demanding shopping list. What’s also important is more open language to attract more female applicants. There’s research out there (Research Here), to show that you can attract more female applicants to your jobs just by changing the language you use in your job ad.

Tell us why people who work there are excited. Tell us what the person in this job could be doing in month 6. There’s a company I’m fond of that advertises their job by saying that you’ll ship code to production on day 1.

I think that’s great because it immediately makes you picture yourself there and think

“what do I need to get myself into that job?”

What got me into it initially is that my partner works in the Infosec industry. However, I’ve always been into technology in general. I was in MSN Groups talking about computers in 1999/2000. I love finding out new things. Infosec is such an amazing blend of every area of technology.

It’s got a bit of coding, networking, everything. I love the mind of a hacker — that psychology of

“what’s that? I want to break it! And then fix it again!!”

I feel like that myself. I can’t look at anything without wanting to know more about it. The internet has probably saved my sanity in that regard because I can Google things now instead of disappearing into a library for days.

Recruitment got me really interested in Social Engineering. I had read about it before tangentially to some reading about marketing and psychology. (I read a lot … about everything). I like figuring out how to turn the cogs in someone’s head. Every time I explain this, it sounds so cold and manipulative, but I really don’t feel like it is! It’s like, if I know someone has young kids — that’s probably a core driver for them.

Getting them a job where they have to work loads of overtime isn’t going to be ideal. If I pitch them a job with flexibility and full family healthcare, that’s the one for them. I just love the people in Infosec too.

Every role I have worked in that sector, the people I’ve talked to have been hard to find and challenging to work with (um, do you have that job spec in pdf?). I like the challenge. On a personal level, I’m a huge nerd so I love talking to another nerd.

CSS: So what’s the one valuable piece of advice you’d give to someone who’s looking to break into Infosec?

RF: Um… “run awaaaaay”

No. I’d say get out in the community. It’s OK if it’s the digital community, don’t feel like you have to go out into actual human meat-space.

Infosec is broad and it moves fast. You’ll learn from others. It’s going to be tough if you’re by yourself. Find a friendly Discord or irc channel.

Sign up to some online CTF’s. If there’s a hackerspace in your city, go to an open night. http://Meetup.com has meetings for basically everything that has ever existed.

Partly because Infosec people tend not to leave an online footprint, this is how you’ll find jobs too. Get to know people, ask stupid questions. Always use a VM. Stay safe, and stay legal! (It’s betraying my entire recruiter species not to tell you to make a LinkedIn account and then immediately email your CV to every recruiter on the planet btw, remember me when they sacrifice me to the LinkedIn gods).

CSS: So you’ve been part of TMHC (The Many Hats Club), for a while. Do you think communities like this help?

RF: Definitely. I’ve seen people in chat bounce ideas off each other, get career advice from people at different levels. I’ve been and am a part of other communities and they’re often a source of inspiration for people.

You can see newbies in channels getting help with learning new topics or experienced Infosec heads talking about malware. Unless you’re at a conference, you’re just not going to get that kind of exposure to that number of varied people in the industry.

It’s incredible. TMHC has been really open too. I’ve found Infosec communities can be... prickly towards newbies and outright hostile to me once they find out I’m a recruiter! I’ve obviously had to prove myself as not some kind of soul sucking maniac but people have been great!

It’s great for me too because I can passively learn about technology by reading the conversations of others — reading technical blogs doesn’t give me the same kind of insights as watching a bunch of people troll each other’s choice of Linux distro!

CSS: Is there anything else you’d like to add or anyone you’d like to shout out to?

RF: Shout out to anyone who has explained technical terms or concepts to me to help me do my job better!

And — if anyone gets a good recruiter, thank them! Give them a recommendation on LinkedIn or email their boss — that kind of thing goes a long way in this industry and also basically makes our entire year. :) There’s loads of recruiter bashing but there’s definitely loads of great recruiters working hard against the dark side of the force.

CSS: Shameless Plug

RF: (Also, if you’re in Ireland, and you want a job… hit me up, yo…)

Firstly, it is great to see someone who takes pride in their trade craft, and the advice provided by Rose is very insightful.

Getting out into meat space, meeting like-minded peers and experienced infosec professionals is really important. I’m not saying that social media is not valuable, but long-term relationships and credibility are still formed face to face.

I personally think that working closely with a recruiter who understands the market and key people, and has solid relationships, is vital to breaking into the industry. Mainly because a good recruiter will help with your CV, providing advice and ultimately positioning (and door opening) with their clients.

However, there is more we can do as an industry to attract talent, like making job specs stand out and more relevant, and being innovative, such as using CTF’s and events to attract a wider range of talent.

For example, I was recently presenting to over 200 developers on Security. We hosted a CTF as part of the presentation, and the interest and skills in this area were surprising to me as well as all in the room.

What I am trying to say is that there is a lot of hidden and untapped talent which is ready to be uncovered. We all have to do our part to coax it out, and the only way we are going to do this is by trying a range of techniques to attract this hidden and quite valuable talent to join our wonderful community.

This means Recruiters working better with employers and candidates, and employers being more open and clear about what they want.

>RANT END

Main Image Credit : The awesome piece of artwork used to head this article is called 'Abstract Rose' and it was created by graphic designer Alex Tass.