Welcome to Season 2 and Episode 17 of the Building a Life and Career in Security Podcast.
Today’s guest is security recruiter Matt Decker.
My goal in bringing Matt on is to give us all a couple of tips on interviewing and getting a job from the recruiter point of view. You may agree or disagree with Matt, but it all comes from many years of recruiting.
Links Mentioned In This Episode:
Matt Decker: Build a relationship with companies. Don’t always think, “Hey, the first time I meet them, I’m going to blow them away.” They want to get to know you. They want to understand who you are, what the value is that you bring to the table that is different than the people that they’ve already been speaking with.
Speaker 2: From the jayschulman.com studio, this is the Building a Life and Career in Security Podcast. Now your host, Jay Schulman.
Jay Schulman: Hey it’s Jay. Welcome to season two of the Building a Life and Career in Security Podcast. The podcast where you get to hear other information security professional’s career journey.
Last week in episode fifteen, we had Bryan and Brian, from the Brakeing Down Security Podcast, on the podcast talking about their career journeys, which led them to meet and create the podcast. I really like telling about how two people work together to grow their career, and I’ll to do something like that again in the future.
If you would like to keep up-to-date with the podcast, text “security to 33444” to be added to the podcast mailing list. Remember, we’re not going to text you in the middle of the night.
This week on the podcast, we switch gears to talking to Matt Decker, a security recruiter. My goal in bringing Matt is to give us all a couple of tips on interviewing and getting a job from the recruiter point of view. You may agree or disagree with Matt, but it all comes from many years of recruiting. Here is Matt’s journey.
Matt Decker: As you know, I’m in Chicago. I’ve been in the recruiting industry for eighteen years total, at this point. I am currently the president of SevenSource. We’re a cloud infrastructure, software and professional services, talent consulting group. We help organizations shape up their recruiting processes as well as recruit actively for many different technology companies.
I became active in information security to begin with in 2011, when I was hired to rebuild and scale the internal and external recruiting functions at Halock Security Labs. If you’re in Chicago, you probably recognize that name, a great company and great people. I was really drawn to the information security industry after doing quite a bit of research, a lot of differences in the approaching complexity of effectively staff security teams versus standard IT teams.
Even today as I talk with CIOs and CISOs about staffing teams, I’m seeing a lot are behind the curve due to constantly change in threats or exploits. It’s an ever changing landscape, whether it would be cloud, modern or tech or infrastructural software. I really loved the industry quite a bit.
I have noticed that knowing throughout the industry that many of the exact were practitioners in the ’90s and early 2000s, and became accustomed to hiring a certain way. They would determine an event, kind of what was needed based on whether they were a Microsoft shop, an Oracle shop or SAP. Then they would build a bench of every skill set that they could possibly need and simply change release numbers with upgrade, when they are doing recruiting. It’s very, very static.
What excited me about information security is it’s very dynamic. I will kind of dovetail this around to how a job seeker can benefit from this industry and how they can best prepare. An example of that static environment was knowing, five years ago, when the company decided to launch a large scale Microsoft implementation for example, the skill sets they would need really are not theoretically different from what they would need today. Whether it would be SQL or dotnet, or mail SharePoint, all these things were exchangeable as five years system maturity of Office 365.
Candidates would simply buy the library, work with it, get certified as an MCSD, an MCSE. Now they’ve added of plus security to all those titles and they would get a job. Hopefully in those days, it wasn’t even necessary really to have a degree. Hiring for security is very different and dynamic, as the technology is always moving, because of the threat actors that are never a moving target.
It’s very different in that intelligently assembled security teams are going to contain very, very different aspects if you will. That was what got me excited about information security to begin with. I noticed that when we started to recruit, the companies that we were recruiting for were very, very in great immediate need of talent.
There is definitely a shortage out there, although I don’t believe that there is a shortage of bodies. I believe there is a shortage in preparation to advance and accelerate the career at the same pace that’s needed to keep up with the market. Hopefully that gives you a little bit of introduction into what I’m all about, and what’s excited me about being in information security.
Jay Schulman: Yeah, it absolutely is a dynamic environment. You kind of brought up a really interesting point there at the end, that there is no shortage of people, but there is a shortage of people who kind of know where they want to go and are preparing for that. Thinking back to the people that you talk to on a regular basis in the security field, what’s missing? If you can make a couple of bullet points of things that are really setting people back broadly, what would they be?
Matt Decker: I think it starts in school for people. They are conditioned to … They are conditioned in some cases to the wrong environment in that they are taught well, go out and understand IDS, understand IPS, understand monitoring, understand these following tools. These tools are hard. Then they get out and they’ve got, even in some cases, a masters in information security and get into the industry. It’s the deal in the headlights, because you’ve got so many moving parts.
Let’s face it, the attackers are well funded groups of people or individuals, it’s a highly lucrative industry to steal data. We’re going from PCI breaches to distributed denial service attacks, to blind SQL injection. Then all that it’s off the table now, it’s [inaudible 00 = 06 = 22], because they’ve caught up with us. Let’s completely re-engineer things.
They are more well funded than we are. They’re a lot more than … Certainly the result there are a lot of moving parts on the teams. You’ve got red teams. You’ve got blue teams. You’ve got operations. You’ve got leadership, the software people, infrastructure people, IDS, IPS people, malware people, [splung 00 = 06 = 43] people, on and on and on.
You’ve got all these different verticals, to banking financial service and insurance faces different attacks than medical. You’ve got all these different compliance requirements are constant changing. You’ve got PCI. You’ve got HIPAA. Who will even know what’s going to change in HIPAA? It’s constantly changing. They’re constantly kind of holding it over folk’s heads if they had a HIPAA breach. You can do jail time, all these other different things.
There are a lot of different variables that folks will face when they get into information security, and/or they decide to kind of move their career along. What I think is missing, and if there are a few bullet points, is I’m a bird hunter and that may offend somebody, it’s worth the analogy here. You need to … When you’re bird hunting, when you’re duck hunting, if you shoot directly at the bird, you’re going to miss the bird, because the bird is moving too fast.
You have to get a head of the bird, and you have to lead the bird when you take your shot. Why do I say that? The same thing is true in information security career. If you go to school and you prepare with one tool or one approach and that approach is your comfort. You’re going to get into field and it’s going to be great and fantastic and everything, you’re going to be behind the bird. Technology threats, attacks, will have already moved on from there.
My recommendations to people is to make sure that you have a focus on what is coming in future, prepare yourself for that. What are the trends, find out and analyze things. I think that analytical approach rather than taking someone’s word for it, particularly if they’re outside the industry, is point number one.
The second thing I would say is get into contact with recruiters. Build a relationship. Build a relationship with companies. Don’t always think, “Hey, the first time I meet them I’m going to blow them away.” They want to get to know you. They want to understand who you are, what the value is that you bring to the table that is different than the people that they’ve already been speaking with.
Who do you know that they know? Build those relationships there. Any industry is a people industry, and you can’t just focus on the bits and bites of it all. That’s point number two. The last thing that I would say is there are a lot of … people talk in the industry, so make sure you get to know the peers in the industry.
Most of the people that I talk to that want to get into information security, I ask them, have you ever gone to any of the meetups? Have you ever gone to any of the networking events? Have you ever gone to … I know here in Chicago we’ve got several cons, small cons, and maybe one large con every year.
Then we’ve got quarterly if not monthly meetups, where in all of the different areas they are getting together and just talking sharp, talking about real world experiences. It’s very telling to be able to get together with folks that think like you do, and work like you do, and understand how it is that they are doing things. Only when you’d have a firm grasp of those things can you really prepare for the evolution in the fast pace that the information security industry brings.
Jay Schulman: I want to jump back to a point too that you just made about talking to recruiters. There is a terminology in the recruiting space, having recruited a lot of people myself into roles, called the passive candidate. The person that’s not looking for a job and trying to get them interested.
You make a great point on talking to recruiters and certainly it’s something that I firmly believe in. Anybody who ever calls you to just have the conversation, have it today so that if something were to happen in the future that you would already, as you pointed out, have those relationships.
What advice would you give to the passive candidate? I know a lot of them don’t have an updated resume. They’re not thinking about leaving, all of these things are kind of going against you. I don’t know. Maybe there is some fear in talking to somebody, and finding out it’s a great job. What advice do you have for that truly passive candidate?
Matt Decker: The advice that I would have is this, I understand the concern with speaking with recruiters when you’re not actively looking. What if your boss finds out? What if … Word travels in the industry in the industry. You don’t understand or you don’t necessarily know this person. They don’t understand what’s important to you yet, and they may not be as … that you think they may not be as committed to your things being discreet.
What I would day is the opportunity, because we hear it all the time, “I’m sorry, I’m not looking at this point in time,” well I understand. As a recruiter I can tell you that the greatest opportunities are not going to come along when you’re looking. You will have a certain slate of opportunities when you’re looking, that’s going to be dependent upon whether you fall within their prime hiring cycle or not.
Here is my recommendation to passive job seekers. If you want to find the best opportunities, if you want to be proactive, be interested in looking during the prime hiring seasons. When are those? January and September are the two time frames when organizations look to add talent.
Why is that? It’s the beginning of a quarter. In some cases it could be the mid part of the quarter, and they’re trying to staff up for the following year. Beginning and the end of the year are typically the best times to be looking. What if you don’t feel like looking at that point in time? Look, because those are times that you would have an opportunity to find the very best, the widest variety of opportunities to be available.
There may very well be that a passive job seeker will say, “Well, it’s June I want to look for a job now.” What if they are only four opportunities in June, then you’re going to take one of those four? How about if they are fifteen or twenty to choose from in January or September? That’s the one recommendation I would make.
The other recommendation I would make is recruiters are always just trying to get a good understanding of what’s out there. If you tell them in advance, I am not looking actively with the understanding that of course I will look at something if it’s exceptional at any time, don’t be closed to opportunities at any time. The reason for that is, as I said before, you may not line up with the industry as far as availability.
Jay Schulman: That’s fantastic advice. I want to transition a little bit away from that initial conversation piece and kind of talk a little bit about some of the good things that you’ve seen and that you’re looking for. Certainly it’s always fun to tell some bad examples as well.
The two or three key pieces I want to talk about is most people start with a phone screen, so talk a little bit about that. Then I’ll jump back in and ask you the in-person interview, and then I want to talk a little bit about negotiation at the end. Do you want to talk a little bit about the preparation, and the good and the bad things to do on that first phone screen?
Matt Decker: Absolutely. Keep in mind that phone screen is always going to be the first impression. If you peel back to the email interaction and phone interaction to schedule the interview, that could also be considered a first impression. The first official on the record impression is going to be in that phone screen.
I’ve never been asked for find someone who has poor communication skills. Make sure that your communication skills are strong, relevant and concise. Somebody asked, “Well, jeez, I talk how I talk. If they don’t like that, they don’t have to hire me,” well they will find someone else, but you may not have a chance or another opportunity like this.
Here is what I recommend and this is very, very uncommon advice that someone who I trust gave me a long time ago. You may or may not take this, but it will work for you and you will thank me if you do this. That is read out loud for fifteen to twenty minutes from an intelligently written book, every day, for two or three weeks. It will do so much for your annunciation, your communication skills and your ability to articulate.
That’s the first way I would recommend that you prepare yourself is make sure that your communication skills are strong. The second is research that company thoroughly, make sure when you’re doing so that you understand also the group or the division that you’re being interviewed for. Understand the players, go out on LinkedIn, find out who the person you’re interviewing with is their background. Do you have any common connections you can refer to?
Now that can be obnoxious if you start the name drops. You don’t want to do that, but you want to make sure that if the opportunity present itself that you, “I see you worked at this company. I’m familiar with this person.” You never know they may know that person as well. It is a people business. That’s the other way that I would recommend that you prepare.
The last way that I would suggest that you prepare is come up with a list of questions, four or five questions. Why is this? They want to make sure that you are engaged and prepared for that phone interview. Make sure that you are coming up with three to four or five questions that are relevant to the division, the person, the position.
The only ones that you want to make sure that you stay away from are going to be money, benefits, those types of questions. Those are going to be … It’s going to be too early in the interview process to do that.
Jay Schulman: I love the reading advice. I think I would a lot of people … My advice in general is you should be out speaking as much as you can and people get very nervous about that.
Matt Decker: Absolutely.
Jay Schulman: I like that suggestion where you can kind do it yourself at home. Read to yourself and kind of improve your skills without having to stand up in front of the room and talk to a bunch of people. Let’s just say everything goes well in the phone screen. You call them back and you say, “Hey, they want to bring you in.”
I want to make sure, as we talk about this, because dress in the security industry is such a interesting topic, so kind of make sure you talk a little bit about that. Kind of what again are the dos and don’ts for that in-person portion of the interview?
Matt Decker: One thing that some candidates deal with is kind of an immediate feeling of, oh boy, they want me. Now I’m going to start to turn the tables on the interview and start to kind of set the tone. I would suggest that you don’t do that. Be flexible, if they propose to you, two or three times, to interview in a face to face capacity, I would recommend you tell them, “I will make myself available according to your calendar.” Make sure that you follow through on that. Don’t cancel that interview.
Naturally if you’re sick, if there are some types of … There is some type of unavoidable problem, you want to make sure that you are let them know that in advance as much as possible. Then with regard to dress, showing up to the interview on time or fifteen minutes early is even better. Making sure that … You make sure that if they leave you sitting for a moment, you don’t become agitated.
Sometimes things come up, interview is run over on their time. You want to make sure that it varies. If you go into an environment, where with regard to dress, if you go into an environment and that environment is jeans and t-shirt, broken stocks and little round glasses, you want to know that in advance.
I personally always recommend that you wear a white or blue buttoned up shirt, long sleeve. Have it pressed, make sure it’s clean, have a tie available. I always, I will have a tie available and will slip-over if I need it, and a jacket with slacks at minimum. A suit is always going to be better.
However, you have to be sensitive to the environment. If everyone is full casual going in a suit may stick out. How do you find out? Ask the recruiter, “What is the dress code in your office? How do you recommend that I dress for the interview? Normally I would dress in a suit, I just want to make sure I’m appropriate for the environment.” That is a completely acceptable question that is important to ask.
Jay Schulman: It’s funny, because I always recommend that … I always want to … I say to the recruiter, anybody who is coming into the office, let them know they don’t need to get dressed up for the interview. They are not to wear a suit and a tie. Yet, so many people want to make sure that they have that good impression and still put on a suit and a tie.
Everything has gone on extraordinarily well. You get the phone call, “Hey Jay, Hey Matt, we want to make you an offer.” Give me, give everybody some advice on that offer process. I know that for many people it’s really stressful. They don’t know what they can ask. They don’t know what they can’t, or as you kind of pointed out, even in the impression phase, “Oh my gosh, they want me. I can be super demanding.” Kind of give a couple of tips in that area as well.
Matt Decker: Sure, absolutely. After the face to face interview, you need to team, you think this could be a good place. Go and talk to the people that you trust right at that point. Don’t wait until after the offer is extended to talk to your family or those that you trust. You want to make sure that when they do extend an offer, if you’re interested in the opportunity, you are prepared to accept it.
The reason is if they’ve done … if the recruiter has done their job, they have got a backup or two. That [inaudible 00 = 21 = 23] at that point is going to tell them how interested you are, and this is something that they have a hiring tune skill set there.
What you want to make sure that you do is if they give you an offer, they’ll typically extend it verbally first to try to kind of get a temperature on you. The way that I’ve seen most extended is, “Great, well, we really like you a lot. We’d like to extend you an offer. Let me ask you at this, if we were going to extend you an offer, do you think you’d accept it?” They might ask you ask a question like that.
The reason they would ask whether you would accept an offer without really giving you an offer is that organizations don’t want to extend offers to people who won’t take them. They don’t like rejection as much as any of us. We want to make sure what you’re doing is approaching it from a humble perspective.
“Absolutely, I think that I would accept the offer, if we’re within the financial and the cultural guidelines of what we’ve discussed at this point. Assuming that the role is exactly what we discussed, I think I would be inclined to accept it. As a matter of fact, I’ve already spoken with those that I trust and are on board with me as well. However, what I would like to do is take a look at that offer in writing before I give a final acceptance.” That’s how I would recommend that they deal with the offer.
Now you also indicated kind of not knowing what to do, potentially creating a shift of dominance in the interview cycle. You don’t want to create a shift of dominance in the interview cycle, because the company doesn’t lose either way. The company is going to have one to two backups minimum. If they don’t, then you’d have to ask why. In most cases, eight out of ten cases, they have other people they are looking at as well and they have other options.
You want to make sure that you’re humble. You don’t become dominant in this cycle, always keep your cards close to your chest, as you’re going through the interview process, and remain thankful. I think that’s advice that anyone can take. It doesn’t require someone to be an extrovert. It requires someone only to have a thankful approach to the process and make sure though that you get it in writing before you go and give a final acceptance. That’s what I would as the final piece.
Jay Schulman: I like the advice. Everybody has their, I guess is their [inaudible 00 = 23 = 57], but their one thing that’s really important to them and maybe they don’t want to travel. They want to work from home. They want a particular benefit, or something like that. When is the last time to ask about that. Do you wait until the end of the interview process? Do you right up front, “I want to know how many days I can work from home”? What do you think the best time to ask some of those questions or?
Matt Decker: Avoid completely in the phone interview. I would recommend that when the face to face interview takes place, if you’re interviewing a team that you ask those questions to the person who you’d be reporting directly to.
You preface it with something like, “Hey, I don’t typically like to bring these things up, however they are an important consideration at this stage. Will it be appropriate for me to ask about benefits?, or would it be appropriate for me to ask about,” whatever it is, “at this point in time.” Let them tell you yes or no.
To come right out the phone interview for example and say, “Hey, I just want to make sure that this is salary is what I need and I want to make sure that the benefits are what I need yadda yadda yadda.” Those are you’re going to waste some time in the process.
If the opportunity overall is the right one, those things can always be negotiated. Chances are you will need to give a little bit, and they will need to give a little bit in that process. The face to face interview is the best time to address it. Address it humbly.
Jay Schulman: I love the advice. Thank you. We ask everybody the same two questions and I’m going to ask you them as well. Thinking back, what is something that you really agonized about but it turned out really well for you?
Matt Decker: I agonized about whether I should take a break from my own company, which I had been running up until 2011, to go and work for a company like Halock Security Labs. It turned out well for me, because not only was it one of the educational experiences of my life, but it was also one of the best professional experiences of my life. I learned a lot from leadership team there about a lot of things.
It turned out well for me, because it kind of gave me a greater level of expertise in other areas of business that I did not possess previously. As a result I have been able to come out and launch a successful profitable business since April of 2014, when I left there. That’s for me personally.
I very much question whether I should look at information security as a recruiting category knowing that it was difficult at that point in time, and not every organization was as committed to information security as I would have liked to see. I came from a Microsoft and IBM kind of host machine and web development recruitment background, so it was an area that wasn’t as familiar to me.
I’m glad that I did that because I found out about a fantastic industry, a group of fantastic people that I’m able to stay in touch with to this day. Hopefully that answers that question.
Jay Schulman: It does, perfect. What is something that you would want to do over, if you had the opportunity?
Matt Decker: I think I probably would have been out meeting with more people and maintaining relationships with more people over my career. The reason is after seventeen or eighteen years of doing this, I’ve realized that it really is about the people. It’s not about the technology. It’s not about the vertical, it’s not the category. It’s about the people. People are designed to interact with other people and that’s what makes the world go around.
There is an interesting story that I heard was a guy that came over from Africa who … This is actually a friend of mine who told me the story. He was a missionary over there. A friend of his came over from Africa. The thing that … All the things in United States, that really excited him, seeing his friend turn on a faucet and water coming out is what blow him away. He had never seen that before.
As the sky is the limit, anything you want, if you could have anything in the United States, what would you want? He said, “I want one thing, I want a faucet, and then have a [inaudible 00 = 28 = 36] and have running water in Africa.” He decided to ask for a faucet, but what he didn’t realize is all of the piping, and all the complex machinery and all the different hand-in-hand work that went on behind the scenes to make that faucet work.
I’m thinking that is a really cheesy story, but that is really a great example of how oftentimes we just want to have a faucet and we want to turn the success on. It doesn’t work that way. People have to serve other people, and those people have to work with other people and on and on. That’s the one thing that I regret in hindsight not doing more of, because now I understand it a bit more than I once did.
Jay Schulman: That’s an absolutely great story. Thank you. You’ve provided just some fantastic advice talking about dates, when job opportunities are hot and interview advice. I really appreciate all that you’ve done and hopefully it benefits everybody. If people want to reach out to you, how can they find you?
Matt Decker: If you want to find out a bit more about my company and kind of what we do and what we don’t do, you can look up my company SevenSource@seven-source S-E-V-E-N dash S-O-U-R-C-E.com, SevenSource@seven-source.com. Certainly feel free to reach out to me at mdecker, M-D-E-C-K-E-R, @Seven S-E-V-E-N dash Source S-O-U-R-C-E.com, email@example.com, once again. I would be happy to have a discussion with anyone.
Jay Schulman: Perfect Matt. Thanks for coming today, and I appreciate all the advice.
Matt Decker: Thank you for the opportunity Jay. Have a great rest of the day.
Jay Schulman: Thanks Matt. I know I’ve picked up a bunch of tips from Matt this week, and hopefully you did too. Thank you for listening. If you would like to keep up to date on the podcast, text “security to 33444” to be added to the podcast mailing list. As always, we will not text you in the middle of the night. Thanks, and talk to you next week.
Speaker 2: Thank you for listening to the Building a Life and Career in Security Podcast with Jay Schulman. For more information, and to subscribe go to jayschulman.com.