Unusual Journeys Into Infosec featuring Rose Farrell
Part Twelve of the Unusual Journeys Into Infosec series by CyberSecStu of The Many Hats Club, who talks to Rose Farrell about her journey.
Time to dust off your CV, polish your shoes, and put on that suit and tie, because we're going interviewing!!
In this chapter of the Unusual Journeys Into Infosec series, I wanted to get the perspective from a professional recruiter, and there are very few out there whose opinion I respect. Rose Farrell is definitely one of those people; she has a dark sense of humour, excellent technical knowledge and insight.
As an ex-recruiter myself (well over 11 years ago, mind), I wanted to uncover the current challenges and perspectives from someone who speaks to Infosec professionals and noobs every day.
So headsets on, fingers at the ready to speed dial, and LinkedIn OSINT skills at the ready, as we're about to embark into the wonderful world of Recruitment - and learn about Rose Farrell's Unusual Journey into Infosec Recruitment!
CyberSecStu (CSS): So as you know I'm writing about journeys into infosec, I really wanted to get opinions from employers and recruiters. Firstly can you tell me a little about you and the firm you work for?
Rose Farrell (RF): I work for a smallish recruitment consultancy. I started off by doing Zoology in college. I really wanted to be a museum curator so I got a job in the Natural History Museum working on a large documentation project.
I did an MSc in Museum Studies but realised that I actually did not want to do this for the rest of my life. It was too slow for me and too bureaucratic.
I honestly just wasn't good at sitting quietly carefully writing out labels for dead animals all day! I was getting sick at the same time so I decided to quit, get better, and see what I might do with my life.
I was off work for 2 years, during which I did loads of charity work, was heavily involved in running several anime & games conventions in Dublin, ran assorted other events, learned to write really terrible Python, learned a bunch of miscellaneous tech bits and pieces.
When I was ready to work again, I looked for jobs that let me help people, solve problems, keep me busy, and in some way use all this tech knowledge I had built up. Recruitment appealed to me partly because of how terrible the reputation recruiters have. I wanted to be the one who wasn't like that - to rehabilitate the reputation and to show that you can do the job right!
I wanted to really focus on building candidate relationships and candidate experience so not just typical recruitment through cold outbound mails.
CSS: Amazing. It's really great to hear someone taking pride in being a recruiter! Recruiters seem to get a lot of bad PR from us Infosec folks - how do you feel about that?
RF: Ha, yes. I go to a good few tech events and hang out in lots of tech channels online. Even when I'm there socially, as soon as anyone finds out I'm a recruiter it's like:
"WHY ARE RECRUITERS SO ST, THIS ONE TIME A RECRUITER DID THIS AWFUL THING DDFGDFGDDFG"
It is frustrating sometimes that you feel you have to work twice as hard to compensate for the reputations of people who leave a swathe of damage behind them.
My first recruitment job was with a large agency and there are lots of recruiters who genuinely do not care about anything except making commission. They're excellent at the core part of the job - getting money in the door but the human part of the job passes them by. It's much harder in infosec.
These people tend to stay off places like LinkedIn and other traditional sourcing hubs. So reputation is absolutely central. You have to get out there and make connections and find people through your network. You have to get referrals from people who trust you. If you're the type of recruiter who lies about job specs, randomly sends CVs off to companies without permission, sets up interviews with 24 hours' notice - good luck to you, you ain't getting referrals from pen testers…
I've had people come back to me - I've placed people in a job and they've come back two years later for their next move or if I didn't succeed in placing them, they've come back because they remembered me. For me, that's what I want from the job. Repeat business and referrals! (And money.) Unfortunately, not many people rush off to talk about the really good recruiter they had.
If you have a great recruiter you probably didn't really notice because the experience was smooth and friction-less. All the work goes on in the background as we flail around finding candidates, herding the hiring managers around to get interviews arranged, and negotiating salaries to the right level.
"When you do things right, people won't be sure you've done anything at all."
All you can do is be your best self. I can't control the actions of all other recruiters. Also, if people only trust me and no other recruiters… that works too. ;)
CSS: Yes I couldn't agree more on this, when I was a Recruiter, I spent many, many years building a strong reputation, also having a solid technical understanding certainly helped build credibility. So what do you see as the biggest challenge for people trying to break into Infosec?
RF: Exciting field but people have been hacking away (legally!), for years. It has blossomed in the last decade though. Entering Infosec is easier in some ways than other industries because it is SO varied. We've seen it in this series I've heard of…
"unusual journeys into… something…?"
You can start in software testing, or IT support, or network admin. However, as I'm being asked to name a barrier - I'll go with a general lack of understanding of what the industry is.
I see lots of job specs and roles open where the hiring manager or HR person in charge of the role isn't 100% sure what the job entails. So, when CVs come in with the wonderful varied paths into Infosec detailed on them, it's hard for them to see the connections between that and an excellent Security Engineer.
In the Irish market, out of all the Infosec peeps I know, I would say about 40% of them hold degrees but 100% of job specs request a degree. It adds a layer of annoyance when you're applying to a job - to have to explain WHY everything you have done is important and amazing.
CSS: So how do you (and candidates) overcome this?
RF: Think it through when you're applying to jobs. I see lots of job applications that are clearly templated. I know that recruiters are the spirit animals of templates but listen to my advice anyway!
Each application should be targeted. Look at the job and see what the most important factors are for the role. Do some research on LinkedIn and see who is doing that job currently and where they came from - it'll give you an idea of what level they expect from applicants and what skills those people had.
If you see that literally all of their current employees in Infosec roles had Python scripting, make sure to mention that on your CV if you know it. Focus on the job you're applying for and target that with projects that will make the company want to talk to you. What did you achieve in each company that makes you interesting for that hiring manager?
If you just list your duties, there's no difference between that list and literally the worst person on your team. Look at the careers page and see what the company is most proud of. Do they talk about the amazing learning opportunities or their insane technologies?
If you talk about what they're proud of in your cover letter, they'll be attracted to your application because you'll be showing that you're one of them. One of the things I do as a recruiter is learn as much as I can about a company's culture by getting to know the hiring manager and other staff so I can find people who they'll have a good buzz with and who will appreciate what the company has to offer them. Basically, you want to contextualise your experience.
If someone isn't going to read your CV and think "perfect!", you need to make them see why you're a fit. When I'm doing it, I also use the info I have on the hiring managers / client to help me out. If I know the hiring manager is obsessed with AWS, everyone I send will have AWS on their CV.
One of my clients is super into electronics. If I have a candidate who does a bit of Raspberry Pi stuff in their spare time, I know they're going to get on well because that little bit of extra chat will help in their interview.
They still need all of the skill and talent but having a little extra insight is the benefit of working with a recruiter ;) Attitude and the drive to learn will get you a long way in Infosec.
CSS: I think you are a credit to your industry, if only more showed the same levels of professionalism and integrity I think those PR issues would surely fade into insignificance.
So let's turn this on its head - do you think employers are doing enough to look outside of standard job specs? i.e. to quote a previous article "only looking for unicorns"?
RF: I do think companies have to do more to sell jobs rather than demand applicants. I read job specs and have NO idea what this person will be doing day to day.
Lots of specs are written by HR or are written by some madly stressed senior manager who is trying to plan the next 5 years for this role. Or you have some monster job spec created to replace someone who has been doing the job of 3 people. The relationship has changed.
I like to see a job ad that says why someone might want the job instead of a demanding shopping list. What's also important is more open language to attract more female applicants. There's research out there (Research Here), to show that you can attract more female applicants to your jobs just by changing the language you use in your job ad.
Tell us why people who work there are excited. Tell us what the person in this job could be doing in month 6. There's a company I'm fond of that advertises their job by saying that you'll ship code to production on day 1.
I think that's great because it immediately makes you picture yourself there and think
"what do I need to get myself into that job?"
What got me into it initially is that my partner works in the Infosec industry. However, I've always been into technology in general. I was in MSN Groups talking about computers in 1999/2000. I love finding out new things. Infosec is such an amazing blend of every area of technology.
It's got a bit of coding, networking, everything. I love the mind of a hacker - that psychology of
"what's that? I want to break it! And then fix it again!!"
I feel like that myself. I can't look at anything without wanting to know more about it. The internet has probably saved my sanity in that regard because I can Google things now instead of disappearing into a library for days.
Recruitment got me really interested in Social Engineering. I had read about it before tangentially to some reading about marketing and psychology. (I read a lot … about everything). I like figuring out how to turn the cogs in someone's head. Every time I explain this, it sounds so cold and manipulative, but I really don't feel like it is! It's like, if I know someone has young kids - that's probably a core driver for them.
Getting them a job where they have to work loads of overtime isn't going to be ideal. If I pitch them a job with flexibility and full family healthcare, that's the one for them. I just love the people in Infosec too.
Every role I have worked in that sector, the people I've talked to have been hard to find and challenging to work with (um, do you have that job spec in pdf?). I like the challenge. On a personal level, I'm a huge nerd so I love talking to another nerd.
CSS: So what's the one valuable piece of advice you'd give to someone who's looking to break into Infosec?
RF: Um… "run awaaaaay"
No. I'd say get out in the community. It's OK if it's the digital community, don't feel like you have to go out into actual human meat-space.
Infosec is broad and it moves fast. You'll learn from others. It's going to be tough if you're by yourself. Find a friendly Discord or IRC channel.
Sign up to some online CTFs. If there's a hackerspace in your city, go to an open night. http://Meetup.com has meetings for basically everything that has ever existed.
Partly because Infosec people tend not to leave an online footprint, this is how you'll find jobs too. Get to know people, ask stupid questions. Always use a VM. Stay safe, and stay legal! (It's betraying my entire recruiter species not to tell you to make a LinkedIn account and then immediately email your CV to every recruiter on the planet btw, remember me when they sacrifice me to the LinkedIn gods).
CSS: So you've been part of TMHC (The Many Hats Club), for a while. Do you think communities like this help?
RF: Definitely. I've seen people in chat bounce ideas off each other, get career advice from people at different levels. I've been and am a part of other communities and they're often a source of inspiration for people.
You can see newbies in channels getting help with learning new topics or experienced Infosec heads talking about malware. Unless you're at a conference, you're just not going to get that kind of exposure to that number of varied people in the industry.
It's incredible. TMHC has been really open too, I've found Infosec communities can be... prickly towards newbies and outright hostile to me once they find out I'm a recruiter! I've obviously had to prove myself as not some kind of soul sucking maniac but people have been great!
It's great for me too because I can passively learn about technology by reading the conversations of others - reading technical blogs doesn't give me the same kind of insights as watching a bunch of people troll each other's choice of Linux distro!
CSS: Is there anything else you'd like to add or anyone you'd like to shout out to?
RF: Shout out to anyone who has explained technical terms or concepts to me to help me do my job better!
And - if anyone gets a good recruiter, thank them! Give them a recommendation on LinkedIn or email their boss - that kind of thing goes a long way in this industry and also basically makes our entire year. :) There's loads of recruiter bashing but there's definitely loads of great recruiters working hard against the dark side of the force.
CSS: Shameless Plug
RF: (Also, if you're in Ireland, and you want a job… hit me up, yo…)
Firstly, it is great to see someone who takes pride in their trade craft, and the advice provided by Rose is very insightful.
Getting out into meat space, meeting like minded peers and experienced infosec professionals is really important. I'm not saying that social media is not valuable, but long term relationships and credibility are still formed face to face.
I personally think that working closely with a recruiter who understands the market, key people and has solid relationships is vital to breaking into the industry. Mainly because a good recruiter will help with CV, providing advice and ultimately positioning (and door opening), with their clients.
However there is more we can do as an industry to attract talent, like making job specs stand out, more relevant, and being innovative such as using CTFs and events to attract a wider range of talent.
For example I was recently presenting to over 200 developers on Security, we hosted a CTF as part of the presentation, the interest and skills in this area were surprising to me as well as all in the room.
What I am trying to say, is that there is a lot of hidden and untapped talent which is ready to be uncovered. But we all have to do our part to coax it out, but the only way we are going to do this is by trying a range of techniques to attract this hidden and what is quite valuable talent to join our wonderful community.
This means Recruiters working better with employers and candidates, and employers being more open and clear about what they want.
>RANT END
Main Image Credit : The awesome piece of artwork used to head this article is called 'Abstract Rose' and it was created by graphic designer Alex Tass.