Rapid7 Blog

Career Development  

Opportunity Now Means Success Later: Q&A with Rapid7 Sales

This post is a Q&A with John O'Donnell, Director of Sales at Rapid7. For more information about career opportunities with Rapid7, visit https://www.rapid7.com/company/careers.jsp.

Q: What separates Rapid7 from other security or software companies in the area?

A: The diversity we have here separates us from the competition. Our teams are created by integrating people from all walks of life and then submerging them in the ever-changing and exciting cybersecurity industry. The belief is that you will change your career five times in life and once you move into your second career your goals often shift to loftier financial goals. However, without the proper experience it can be hard to make that transition and achieve those goals. Rather than focusing on direct experience, Rapid7 has created a work environment where people create a mosaic. So no matter what dream you were following before, we help our employees grow together to create success together. Unlike other companies that are challenged by slower growth, Rapid7 has more opportunities for its employees to grow and further their careers. We have a 90 percent promotion rate from the Business Development Representative (BDR) program to Account Executive roles and are proud to say that nine out of 10 current managers started as either an AE or in the BDR program.

Q: What kind of advantage can someone expect to have starting in Q4 or the end of the year at Rapid7?

A: By starting in Q4, you can be in a position to ramp up more quickly and experience more volume of activity during the busiest time of the year. While some may be reluctant to start at the end of the year because of the anticipated learning curve, by starting in Q4 you have the opportunity to hit the ground running, go through the enablement program and be part of the excitement during a peak time of year. Essentially, you'll be able to shadow and align with peer members of the Rapid7 sales team and collaborate on many opportunities as businesses close out the year and finalize their investment in cybersecurity software. Additionally, you'll get more exposure as the team builds out the strategy and sets goals for the new year. This will allow you to understand the expectations for Q1 while also having gone through training and being exposed to the busier time of year. By the time you attend the global sales kickoff in Q1, you're already trained and have the opportunity to make the most of a full year. By investing your time to training during Q4 you're really investing in your career and creating the opportunity to have a significant financial impact at the end of the sales year. The possibility of something happening (like a bonus or a deal coming in) could have someone waiting forever, but there comes a time when you need to close the door, open a new window and look forward.

Q: What can a new Account Executive expect during the initial ramp up period?

A: The enablement program at Rapid7 is split into a few weeks of training. The first two weeks are classroom training where Rapid7 specialists from other departments give lessons that focus on sales methodology to product line information to the overall competitive and industry market. The next few weeks are meant to expand on the classroom training by focusing on heavy collaboration and role playing to get comfortable speaking to products and services. The final two weeks are spent getting involved in day to day tasks with managers, directors and team leads. However, training is ongoing at Rapid7 with leaders providing industry updates, marketplace trends and skills sharing.

Q: How does Rapid7 support new AEs to help ensure success?

A: In addition to ongoing enablement and training, each new hire is assigned a mentor – someone that's separate from the enablement team, manager or director. Your mentor will meet with you throughout the day and have an end of day meeting to review overall successes, challenges and outlook for the next day. Outside of the daily mentor meetings, there are scheduled one-on-one meetings with managers or team leads for coaching sessions as well as regular team meetings to talk through successes and challenges. Because we focus on getting new AEs ramped up quickly and efficiently, most new hires are able to close their first deal within 60 days.

Q: How are territories broken out for new AEs and what does a typical day look like?

A: We've developed a scoring system to make sure territories are properly defined based on the number of prospects and past experiences with Rapid7. Territories can be entire states or cities within, but the scoring metric makes it fair for all team members. On a typical day, the team starts with either a team meeting, training or industry perspective during the morning session. After that, the team goes into reviews with security engineers for meetings or calls scheduled for the day. The rest of the day consists of following up with current customers, prospects and opportunities they are currently engaged. The focus is to help our clients understand the technology, industry and making sure they are comfortable with creating a meaningful partnership with Rapid7.

Q: What attributes do the top performing AEs at Rapid7 have?

A: Our top performers have an entrepreneur mentality and approach their territory as their own individual business within Rapid7. The most successful people here get submerged within the security community. They attend networking events and focus on understanding the industry to provide clients with cutting edge insight on what the bad guys are doing to influence the space and how Rapid7 technology and services can provide value to their business. The top performers are the true definition of a rock star: they are able to perform, have a huge fan base and their dedication and passion to keep that fan base happy is second to none. In my opinion, the most successful AEs at Rapid7 have the drive not to fail. They are passionate about their career and their lifestyle. They are looking to work hard and have the understanding that through that hard work they will advance their career and achieve their goals.

Joining a Startup within an Industry Leader

In November of 2013, I got an email from a Rapid7 Talent Scout saying she thought I'd be a great fit for a “unique opportunity” they had. It had many of the same elements as other recruiting emails you receive and promptly ignore. I didn't ignore it, however, despite the fact that I actually loved my current job, boss, and co-workers.

Maybe it's because her email was well-written and hinted at something big that was coming soon from Rapid7 (but forced me to take a call with her to learn more). Maybe it's because, working in Boston, I knew Rapid7 was always ranked as a “Top Place to Work” every year. Maybe it's because, working in the cybersecurity industry for many years, I knew Rapid7 was the rare combination of well-established but still enjoying hyper-growth – and considered one of the “cool kids” in a cybersecurity market that's exploding (projected to be $170b by 2020).

I'm not sure of the exact reason why I took the initial call to learn more, but I can tell you exactly why I took the job; I've never met so many smart, competitive, well-qualified, and fun-loving leaders as I did during my interview process. The fact that I was going to be on the team that would become the tip of the spear for the most important thing Rapid7 was working on – entering a new market within security which is projected to become 60% of the average company's security spend – was icing on the cake.

Three years later, we're a real force in this critical emerging market within cybersecurity – Incident Detection and Response. We're already seeing massive growth, yet we've only begun. The plan is to build on our early successes and amplify it, in large part by making major investments in people.

How often do you find a startup that's growing within an extremely well-funded and established company? Somewhere between hardly ever and never. Enjoying the benefits of startup culture and earnings without the risk is rare indeed.

If you want to be a part of this truly “unique opportunity,” please feel free to reach out to me! Ready to learn more now? Visit our careers page to check out opportunities now and be sure to check out the video below.

Scaling Under Pressure: 5 Focus Areas for Talent Acquisition Leaders

Over the past few weeks I've had the pleasure of spending some time with several recently promoted recruiting leaders who are asking the big question: “Where do I start?” Those of us who have answered the call of a new talent acquisition opportunity can attest that once you are hired and in your new seat, the pressure to produce results is enormous.

Any credible plan must include input from stakeholders – partners need to see that their feedback is included if you expect to have their ongoing buy in. That being said, as you gather this feedback and think about how to build your team/organization for the longer term, consider the following to ensure your delivery is on track and moving the business forward:

Engage with your existing employee base

Referrals are the most stable and robust source of talent, so make sure this is clear from day one and confirm that employees know how to navigate the referral process. “I didn't know how to refer someone,” is a talent scout's worst nightmare and an unacceptable answer. Make sure your referral process is both easy to understand and engage with. A great metric to chart progress is hiring speed – set a goal stating that referred candidates will get through the process in five days or less, and share it so that everyone is held accountable.

Stabilize execution of the basics

Keep an eye on core processes and systems, to ensure that simple things aren't tripping you up. You don't have to roll out a 500 page manual, but you should make sure that hiring managers and candidate experience processes are closely aligned. Rally your hiring teams around guiding principles that describe the experience you want all candidates to have. Coach managers SPECIFICALLY as to what will happen for candidates and when. Organize and align – but don't orchestrate! It needs to be organic. Progress is difficult to measure – in this case, a quick survey with a few questions for candidates such as, “please rate your experience,” and hiring managers, “please rate your overall satisfaction with the hiring process,” coupled with opportunities for free form feedback, should offer the insight you need to learn, adjust and improve.

Be honest with capability gaps and address them…quickly

Not every team is capable of delivering talent for every function. Be honest with yourself. If you are strong in hiring engineers but not having the same impact with sales, have a candid conversation with partners in those weaker areas. Talk through strategies for bridging that gap. Third party vendors can be expensive, but working with the right vendors who know your business and are personally invested in helping you achieve your goals are worth five times their fee. The worst thing you can do is wait and deny the obvious – that road will land you in a place of unfilled requirements, no plan for success, and angry partners. Be decisive and be smart. Look at candidate ratios...sometimes difficult requirements need a lot of activity, and high applicant-to-hire rates aren't a good indicator. Instead, look for inefficiencies and determine where to improve.

Refine what makes your company stand out to prospects

Forget selling against your competitors. What is the value prop you are offering a prospect? Company values? Career growth? How are you sharing this message with candidates, and who is doing so? Do you want a third party site such as Glassdoor to exclusively define your company and culture? My guess is no – so refine the message and delivery. A quick NPS survey is a great way to measure progress in this area. If you are already to scale, several of the leading applicant tracking systems (Greenhouse is a terrific example) offer a robust surveying feature which allows for automation of large question sets.

Think about the future…early on!

You've got to work the open requirements that are in front of you now. However, having the discipline to think longer term by engaging and tracking future interest candidates is a characteristic of world-class talent acquisition organizations. Whether it's just you or a team of recruiters – build in talent pool development from the start. Eventually, you need to be able to start conversations with your leaders by saying, “here are the five best profiles of people I have spoken with in the past.” To track whether your team is balancing working requirements with being proactive, look at candidates introduced in the first week of a role opening. Are they all applicants, or were they matched by your team?

You can't be everything to everyone and the hard reality is that certain strategies, although important for the longer term, may not be rolled out as part of your initial plan. It's important that you communicate a vision: here is where we are, here are the steps we are taking to achieve our goals, here are the mid and long term areas of focus - then solicit feedback.

These key focus areas have provided me with great results in the past, and I would love to have your feedback on my recommendations.

Job Seekers: Advice on Long Term Career Planning

David Muller is the Sr. Director of Global Talent Acquisition at Rapid7.

When you're networking for a job, don't just focus on your next career move – think longer term. With hundreds of open jobs and talent scouts actively recruiting, both passive and active candidates in today's market have no shortage of options. This incredible talent demand can have huge benefits to your career, but if you aren't thoughtful about your approach to job seeking, you can adversely impact your future job searches in a large, unintended way.

Job seekers I speak with often share stories of being on the receiving end of countless LinkedIn messages, promises of huge salary ranges, amazing office perks, flexible work options and of the prospect of doing exciting work at amazing companies. How can that not sound appealing?! And yet, if you focus on those superficial (and yes, also important) elements, you'll often miss out on the bigger picture. Many people admit they rarely reflect on how their searches were planned, executed and nurtured. This concerns me. Boom times like today don't just offer opportunity for roles; they also provide the chance to build your job search infrastructure for the future.

Let me explain. Those of us who've been in the workforce through several downturns can tell you that even people with the most marketable skills will struggle when job supply is down. Usually those with the best networks get access to jobs, period. When I say “networks,” I am not speaking about the 2,500 virtually anonymous “connections” you have in various social media channels. I mean the networks you have invested in, spent time with, solicited and offered advice and feedback - the personal and professional relationships and connections you have nurtured. I am not suggesting a downturn is coming. However, I am suggesting that how you approach the inquiries made of you - starting today - can pay off in a big way down the line.

Consider these three scenarios, in which maintaining a relationship can pay off down the line:

1. You interviewed with a hiring manager but chose not to pursue the role. The hiring manager you interviewed with could be hiring at a company for a role you do want down the road, OR could be someone you want to recruit yourself. Did you handle the interaction in a way that would make a future email or call seem natural?

2. An Agency Recruiter reached out multiple times. Did you thank them for their outreach, or just ignore the messages? This agency recruiter could be the lead recruiter at the next hot start up - are they going to consider you for a job or even return your call?

3. A former coworker reaches out for help in their search and asks for an informational interview with your boss. Do you blow them off or help facilitate? The shoe could be on the other foot down the road, so how would you want to be treated?

Now, I totally get that this goes both ways. There are likely examples of companies and talent scouts not owning their side of this equation by not following up with meaningful feedback (or any feedback at all). This represents a massive candidate experience fail that will have a substantive impact on future candidate flows…but that is an entirely separate discussion. What I am saying is that a thoughtful, measured approach can set the tone for those you interact with and build a network of relationships that if nurtured, will grow stronger over time. And that's what will produce better career opportunities in the long run.

7 Reasons Rapid7 Is A Great Place to Start Your Career

Katherine A. Hayes is an Inbound Marketing Intern.

Starting out in your career is daunting. It seems as though every decision you make is going to impact the rest of your life. I've been lucky enough to find a company that is dedicated to my future and wants to see me grow: Rapid7. Starting my career out here is a decision I'm proud of, because working here has really pushed me to try new things and to do my utmost to succeed at what I do. For anyone else thinking about starting your career here -- you should! -- below are my top seven reasons why Rapid7 is such a fantastic place to work.

1. LEARNING OPPORTUNITIES

What I am most happy about with my job at Rapid7 is that it isn't a typical first job. I am not filing papers or fetching coffee for my bosses. Instead I am contributing valuable work that makes me feel as though I am making a difference. When Rapid7 says they value continuous learning it is truly demonstrated. Walking into my job as an inbound marketer I didn't know much about marketing beyond what I had been taught in school and what I had done at short summer internships. After a few months of working here I can say that I am pleasantly surprised by how much I have been taught. I have been taught how to code, design website pages, run extensive keyword research, use video making software, and so much more.

2. INDUSTRY

When I was job hunting the idea of being in cyber security seemed intimidating—I had never worked in tech and knew next to nothing about cyber security. I have since realized how amazing working in the technology industry is—I'm working in an environment that is focused on constantly innovating. This means that I have to consistently push myself to innovate, and think outside of my comfort zone. I have learned so much about the technology field in general, and cyber security in particular. The mindset tech forces me to adopt has changed the way I view problems, and I know that it is a skill set that I apply in my personal life and will forever use in my professional life as well.

3. CULTURE

While we all work hard, we also know how to have fun. I have been able to participate in Flannel Friday, I am learning the art of ping pong from my boss, and I am writing this blog post while sitting on a purple medicine ball. Rapid7 knows that people are what make a company great, and because of this they treat their people well. We have a kitchen fully stocked with snacks, we have fun office events, and we are encouraged to form meaningful relationships with one another that will last for years. Rapid7 treats their employees well, and because of this employees are dedicated to making great work for the company in return.

4. VALUES

The company's values—teamwork, meaningful customer partnerships, disciplined risk taking, continuous learning, and individual excellence—are at the core of what we do every day. First-hand I've seen these values in action, whether it's by giving the green light to ideas very different than what we usually do (such as Rapid7's Threat Hunt video game/webcast series), encouraging all employees to attend monthly management training sessions, or hosting events for employees to interact outside of work, whether it be bowling, happy hour, or a Celtics game. The fact that Rapid7 commits so much to their values shows that it is a company that truly cares, which is a great company to work for.

5. PEOPLE

Part of the reason I love my job so much is because I get to interact with people who are not only interesting, funny, and kind, but truly passionate about the work they are doing. The people I've been lucky enough to work with bring so many different experiences to Rapid7. People on my marketing team have intense digital backgrounds, have worked in different agencies, and have extensive consulting experience. On top of this many are from all over the world. I interact daily with our teams in Singapore, Reading, and Austin, and have the opportunity to meet people from all over. Having such a diverse group of people with such enriching life stories is one of my favorite parts of working here.

6. PROFESSIONAL DEVELOPMENT

There are ample opportunities here around every corner. This past January we had our Global Kickoff conference, where employees came together to learn about the different aspects of our business, emerging trends in 2016, and to hear amazing speakers share their expertise. Another example is the book club in the marketing team, where we focus on a different business book each month and discuss themes relevant to how we operate, and marketing in general. Even in my initial interview it was apparent that people here like to share knowledge and help others grow. I was discussing with my now-coworker how I had my own blog, but was unclear how to set up analytics tracking. The next day he had emailed me a long message detailing what steps I should take, and let me know that if I had any questions he would be more than happy to help, even if I decided to work elsewhere.

7. LOCATION

I work at the Boston office, right in the heart of downtown Boston. I love being in Boston, and enjoy working at an office that is so immersed within the city, a quick walk to Chinatown, South Station, Faneuil Hall, and the Boston Common. But Rapid7 doesn't end at 100 Summer Street. We have offices all over the world, in cities like Singapore, Reading, Austin, Belfast, Seoul, and Los Angeles, just to name a few. I love knowing that I have the opportunity to work with people all over the world, and knowing that because of this Rapid7 offers an opportunity to work, if only for a few days, in many parts of the world. Being an avid fan of travel, the opportunity this presents is exciting to me.

I could not have asked for a better company to jumpstart my future with than Rapid7. Between the people and the experience, the culture and the values, and everything else that makes Rapid7 the company it is, I have had opportunities I never even imagined, and know that I am on a path that will lead me to success.

Never Underestimate the Power of Relationships in IT & InfoSec

This is a guest post from our frequent contributor Kevin Beaver. You can read all of his previous guest posts here.

2016 marks the 15th year that I have been working for myself as an independent information security consultant. People who are interested in working for themselves often ask for my thoughts on what it takes to go out - and stay out - on your own. Early on, I thought it was about business cards and marketing slicks. In fact, I spent so much time, effort, and money on company tchotchkes that I'm confident I could have earned twice as much money in my first year alone had I focused on what was truly important. I soon found out that starting my information security consulting practice wasn't about "things". Instead, I saw the value of networking and surrounding myself with successful people – people that I could learn not only about information security but, more importantly, what it takes to be successful in business.

In what ways does this apply to your career in IT and information security? Every way! If you look at the essence of what it takes to be successful in our field, it's not about being a master of the technical stuff. Anyone can learn those things. Sure, some are better than others, but at the end of the day, the technical challenges are not our real challenges. Instead, it's about being able to master emotional intelligence including, among other things, the relationships we have with people who are in a position to both help us and hurt us.

The relationships you have with others have an enormous impact on how effective you can be in your job and how far you can go in your career. You certainly don't have to work for yourself to benefit from this. Whether you work for a large corporation, a small startup, a government agency or a nonprofit, think about who you currently know and who you should get to know that can have a positive influence on your IT/security career. It might be a current executive in your own organization. It might be a fellow IT pro, auditor, or entrepreneur you meet at a security conference. It might be the parent of your child's friend who's an attorney or a doctor. It might be someone else in the information security field who you could reach out to on LinkedIn to start having a dialog with. There are a lot of people – many of whom you probably haven't thought about – who can help you out in tremendous ways. Not to make money off of but to learn from and collaborate.

This leads me to an important point: whenever you are reaching out and meeting new people, make sure that you are also giving to this person in some capacity. The last thing anyone wants is a user of their relationship with nothing in return.

Looking back, the first few years of starting my business I should have spent surrounding myself with people in/around IT as well as those who were in a position to coach and mentor me along to be a better business person. This would've created more opportunities for me earlier on than anything else. As recently as a few weeks ago, I interacted with a young salesman who was more concerned about whether I had a marketing brochure rather than getting to know me and understanding how I might be able to help him with his information security needs (he was hoping to sell my services to his clients). This is a common approach to one's career: have a beautiful marketing slick or website and they will come, and buy. If it were that simple, countless people would be super successful in every field. Instead, it takes persistence, year after year. Work on building and maintaining your relationships both inside and outside of your organization as that's what will help you succeed the most in your IT and security endeavors long-term.

How can we build great security teams?

Building a reliable security team is tough; there is no defined approach nor silver bullet. The people we are defending against are intelligent, dedicated, and have a distinct asymmetrical advantage, with nearly unlimited time to find the one thing we miss. This past decade has taught us that what we have been doing is not working very well. I've been lucky to have latitude for creativity when building the security team at Rapid7. So when Joan Goodchild asked me to join her for CSO Online's first edition of "security sessions" it felt like the perfect time to start socializing how we've approached building our team.

Rapid7, like many high-growth technology companies, has introduced a significant set of SaaS offerings over the past few years. With the introduction of these offerings, we needed to build a platform we believed our customers could trust. Given the current status-quo, we didn't feel like blindly following failed 'best-practices' was the right path, so we decided to forge our own.

Head over to CSO to get a glimpse into how we tackle building our team and program. During this CSO Security Session, I spend several minutes discussing with Joan who we hire, how we hire, my views on certifications, higher education, technology (and its stagnation), and how we measure the progress of our security organization.

I hope our discussion stimulates some meaningful conversations for you, and I encourage you to think about the five following items:

Have you done the fundamentals? Two-factor authentication, network segmentation, and patch management are all far more tactically important than nearly anything else your program could do.

Do you need that security engineer with 7-10 years of experience? What about a more junior engineer that can write code, automate, and solve problems (not just identify them)?

Do you measure success with practical indicators? Don't try and fit into someone else's mold of 'metrics.' Take a look at what areas of your program you want to focus on, and use something like CMMI to measure the maturity (as opposed to effectiveness) of those operations. You can take a look at something like BSIMM to see how this can be done effectively in some security verticals.

Is a college degree, or a security certification something that should disqualify a candidate? If you let your HR system automatically weed out people that don't have certifications or degrees, you are going to miss out on great resources.

Do you understand what makes your company tick? If you can't become part of the success of your business, you will always be viewed as a problem.

The landscape we deal with is constantly changing and we need to adapt with it. While I don't presume anything we've done is the silver bullet, the more we all push the envelope and approach our challenges creatively, the more likely we are to start shifting that asymmetrical balance into a more reasonable equilibrium.

I'd be interested to hear your thoughts on building out an effective security team. Share them in the comments or on Twitter -- I'm @TheCustos.

Recruiters and Mission-Driven Hiring

I've spent the better part of the last ten years interviewing talent scouts across the globe. I continue to be amazed at how many of them market themselves as having found the “secret sauce” for recruiting success through their vast knowledge and discipline demonstrated via use of the tools and tricks. Most of the time, I come away from interviews having learned something new or insightful. That said, I rarely hire a candidate who frames their skill set in this way. Why? It doesn't align with my vision for the team nor where my partners see value.

So what's the “secret sauce?” Mission-driven hiring.

Very few recruiting tools are collaboration based. This creates the need for a requirements session (to review necessary skills, key words, competitors) between the talent scout and the hiring manager. It's then followed by resumes to review, interviews, calibration and so on. In addition to cheapening the value a professional recruiting organization can bring, this tools-driven, process-heavy approach actually makes the recruiting team's role more difficult. It doesn't adequately involve the people with the most relevant networks for the job: the hiring manager and their team.

We've all seen it; top talent is elusive and becoming increasingly passive in their job search. The reality is that even the most capable recruiting organizations can't reach every qualified candidate for every role. Acknowledging this fact isn't a sign of weakness, but rather the first step in becoming a practitioner of mission-driven hiring. This approach positions the talent scout to become a true business partner.

In mission-driven hiring, managers are considered a de facto member of the recruiting team; engaging through social networks, calling former colleagues, pushing their teams to view recruiting as a vital part of their roles. Strong hiring managers, partnered with a talent scout, keep their teams focused on the candidate's experience. With talent scouts managing the process, hiring managers can operate with the confidence that their hiring partners are taking ownership of talent rather than just passively waiting for a magic recruiting machine to push out an endless stream of top-tier candidates.

On the surface, this notion of partnership might seem obvious, but getting results isn't easy. It takes discipline and consistent attention to get hiring manager support, buy-in and participation.

Want to cultivate a Mission-Driven Hiring mentality within your organization? Here are a few steps:

Know Your Business. You become a credible advisor and effective partner when you understand the products, services and competitive factors that drive your business. Hiring managers will pay attention when they know you are paying attention and looking at the bigger picture.

Understand What Top Talent Looks Like. Make sure it is clearly understood by all, and be relentless about keeping your hiring teams focused.

Communicate Honestly and Effectively. Operate with transparency and integrity about status and results. Hunting for unicorns is hard work. If a search is taking longer than expected, be honest with yourself and your partners, take accountability. Managers will respond positively to your openness, and in turn build a partnership based on trust.

Creating an organization with exceptional talent is tough work. Even the most seasoned talent scouts can't go it alone. Creating high functioning partnerships with hiring managers and teams doesn't just foster solid teamwork. It creates the foundation for an exceptional company.

CISO Guidance on Building the Team: Part II

Haven't read part one of this blog? TL;DR:

The security talent gap is real.

Creating and promoting strong company culture attracts and retains top performers.

Security professionals should always be actively recruiting – both internally and externally.

With that gross oversimplification under our belts, let's start into the next set of takeaways…

The job description – it matters.

Job descriptions don't just ensure that qualified candidates are finding your organization in the course of their job search. Knowing the key functions, responsibilities, and daily duties helps to lay the groundwork for a satisfying and rewarding career path by setting expectations at the outset. This may sound obvious, but too often organizations rely on generic job descriptions without being specific about what the role entails, the required skills, and the work to be undertaken.

Help your business partner on the HR team out – be very clear in the minimums you seek for each role, as we face a situation where there isn't enough expertise to cover our needs. Focus your minimums on what is required to get the newbie to a point where they are contributing in a meaningful way, and be realistic with how much energy and patience you (and the team!) have for getting the new hire up to speed.

I asked CISOs about their strategies for finding the right people. “Not everyone needs a security background, in the beginning,” one told me. “I try to write job descriptions that reflect this. If you want a first line analyst, you don't necessarily need someone straight out of school with an infosec degree. You need someone who is passionate about solving puzzles. Maybe they did game theory, or something else that's completely outside of security. Let that come through in the job listing, so you're casting a wider net at the get go.”

Another CISO echoed the concept that innate personality traits can sometimes be more important than learned skills: “I want people who like to experiment. Programming backgrounds are great, but you can't advise programmers on how to fix a problem if they don't understand how it got there in the first place.”

“The job description is key,” another agreed. “Some are just awful – they don't talk about how success will be measured for that particular role. First off, know what your company pays, because that will determine whether you're looking for talent in the right places. In my case, the company has a mandate that security is important and so we don't want to under-invest; that means we're aiming for the top people. I've had experiences in my career where I've had to put ego aside and acknowledge that the business isn't in the market for the cream of the crop.”

But here's my favorite summary of what to look for in a candidate: “You want to find someone with the right kind of insanity.”

Remember when I wrote about soft skills? Yeah, they still count.

If you're a CISO, you'd better be good at playing the politics game – time and again, interviewees proved that interpersonal relationships are a core part of the gig. Hiring and retention is no exception. Whether you're best buds with HR or have developed a grudging respect over the years, you'll need to have a good working relationship if you want to attract and keep strong players.

“Salary is tough to go to bat for,” said a CISO, “but I will do it for someone who I want to keep very badly. Things like out-of-cycle raises aren't easy to get, either. You have to know how to negotiate for one.”

There was also a shared sentiment around how quickly talent can grow and improve, “It's not impossible to find fundamentally strong people that you can train up,” said another. “In those cases it's a question of starting low and then accelerating funding by maybe 10k each year. You can't always follow the 3-5% uptick that most organizations adhere to. So I'll work with HR and finance to explain that to them, and get them on board with the fact that otherwise we won't be able to hang on to these people.”

Another iterated the same frustration, “I have had people get on the phone, entirely disinterested in the position, but the quick conversation helped re-calibrate HR's expectation of what someone with that skillset brings home.”

“Most of my guys have an appsec background and strong pentesting skills. HR will look at a candidate and say, ‘They have 15 years of knowledge, and as a security architect here is what their salary would be.' But no way will I get a 15-year veteran with the right skillset at that price point. I'm having issues finding good data that I can show to my organization that will demonstrate what someone in the role should actually get paid.”

Budgeting, which I've explored in more depth separately, remains an exhausting process. “I always fight the budget battle. You have to pick and choose what you'll fight for; in some cases budget constraints aren't worth making a stink about. If I can, to avoid adding headcount I'll outsource the work to another organization with the right capabilities, so I don't have to reproduce them internally.” Another CISO gets creative with HR: “Sometimes we can sweeten the pot with a work from home program, or by encouraging employees to go to security conferences. Not everyone will be a rock star, so find a way to reward those who are.”

Miscellaneous Sound Bites

In the course of conducting these interviews, I gathered a lot of cool tidbits. Not all of them qualified as top takeaways, but the insight is still valuable and so I've rounded up a few of my favorites, in the hopes that you may still benefit.

Of particular note was the fact that many interview subjects expressed frustration about the lack of women in security. Unfortunately, this is a very real problem that doesn't have a simple solution—it will require a concerted amount of focus and investment, the benefit of which may not be seen for many, many years to come. There is a lot of energy being invested in STEM initiatives; pulling a variety of young people toward the security community early on is an excellent way to prime them for an infosec career, but that's a very separate discussion that warrants its own deep dive.

“Maybe the talent gap is partly caused by people not wanting to pay [security professionals] enough money. It's like how people say it's impossible to hire a skilled welder for 10 bucks an hour – if you're not paying market wages, then yes you won't find people with the skills you want.”

“Wannabe security practitioners who are still in their undergrad should find a local security meetup, like ISSA or BSides, or look to get involved in CTFs. These are great ways to learn the basics of reverse engineering, hacking, etc.”

“The security mindset is different from other technology disciplines. The ‘how do I break this?' mentality is something you want to look for.”

“I don't have a high attrition rate. My approach is to treat employees like my kids – a little bit of love, a little bit of discipline, lots of accountability, and some fun as well.”

“You can't fear stolen talent. Talent will move – accept that. Instead, focus on having an environment that is interactive and engaged. People will always know whether you care or not.”

“I don't worry about my people leaving or being stolen – it is *my job* to make the team, the work, the environment, and the opportunities hard to walk away from.”

“I strive to make leaving my team a very long, exhausting, and emotionally taxing experience. We are a family.”

As always, if you've got thoughts, or would like to join the conversation, comment below, or track me down!

~ Trey

3 Things Executives & Boards Should Know About Cybersecurity for 2016

As we ramp down the activities of 2015, the cybersecurity landscape has certainly shaped strategy for the new year and beyond. Effective strategic planning is important and can lower risk and operational costs for organizations. Managers will usually plan for the changing threat landscape, looking at weaknesses and vulnerabilities internally and making a plan for how to shore up defenses. To plan effectively, you'll want to consider information on the coming changes in the security landscape as well.

Developing an effective roadmap should take into account indirect cybersecurity changes too. Several significant announcements happened in the last quarter of 2015 that could potentially impact how companies approach cybersecurity. The TL;DR version is:

1) The SEC is changing its position on cybersecurity risk, shifting from a data focus to a market focus
2) Insurance companies are looking at cyber risk much more closely and will price it according to how companies are prepared to deal with it
3) Company credit ratings will start to be influenced by their approach to cyber risk

In April 2015, the SEC division of Investment Management issued cyber security guidance. This guidance “highlights the need for firms to review their cybersecurity measures.” In September 2015, the SEC Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity risk alert. Combined with an OCIE Sweep Summary, these three documents may have significant precedential power, akin to law. What is clear is that the SEC is regarding cybersecurity as not just a risk to data, but to the markets themselves.

Which takes us to important point number two: Lloyd's of London is requiring syndicates (essentially underwriters) to properly consider cybersecurity risks as an essential component to pricing cybersecurity insurance. Lloyd's is demanding the underwriters have risk-appetite statements signed off by their boards by December of 2015, and estimate their exposures by 2016. This will have an impact on what companies pay for cyber insurance.

Lloyd's also lists Market Crashes as the highest risk in its City Risk Index 2015 – 2025.

The third significant announcement came from Moody's Investor Services. They state that rising risks in cyber security could potentially affect company credit ratings. Moody's said cyber defense, detection, prevention and response will be a higher priority in credit assessments. If you're a Moody's subscriber, you can get the report titled “Cross Sector – Global: Cyber Risk of Growing Importance to Credit Analysis.”

Although these announcements mostly pertain to publicly traded corporations, private companies could soon be affected as well. After all, many private companies emulate the rules around public companies to hedge their own risk. The key takeaway for all of us? With the SEC and Lloyd's both identifying market risk as a driving factor for the future, cybersecurity in 2016 can take a much more important role in business planning and strategy. Use this opportunity to educate your executives and boards today.

IT turnover and its contribution to security challenges

Turnover in IT isn't something we hear about very often given the demand for such expertise. But it does happen and it often creates unintended consequences for the business in terms of information risks. I've got many colleagues that often jump ship in IT looking for that next gig. This is often in the name of more money but there are other factors such as lack of management support, budget cuts/layoffs, and people growing weary of being overworked. I've witnessed it firsthand. Turnover in IT – regardless of the amount – is bad for information security.

IT pros are struggling enough as it is to keep up with the daily fires that must be put out. I worked on that side of IT for years and understand that there's just never enough time in the day to get the urgent stuff done. This is especially true for those working in security roles given the burdens they're carrying, worrying about their jobs while fighting off the threats. Whether it's by choice or by force, any sort of reduction in the size of IT and security teams that leads to fewer resources is no doubt going to create more security risks, at least in the short term, and especially for businesses that don't already have a strong security program. I've also seen situations where security management processes created out of necessity in the short term can lead to long-term security risks. You know the drill – once a security process is put in place, it often stays that way, even if it's bad.

Many organizations approach this issue from the wrong perspective. Some in management assume that they can simply replace whoever leaves with someone new and they won't miss a beat. That's hardly the case as there's always a sizable time window required for new IT staff to learn the environment, figure out the politics and culture of the organization and so on. Furthermore, when people in IT are too hurried and overwhelmed, they make mistakes and often fail to see the bigger picture. I don't know of any organization that can afford to take that on.

IT turnover is real and so are its consequences. Whether you're in management and wish to ensure a smooth transition when the time comes or you're in IT and want to set your organization up for success, make sure that all of the critical areas are adequately documented and that knowledge is appropriately transferred. The last thing your business needs is for staff members to leave and you end up with a complex environment with no documentation, no passwords, and no direction. Come up with a plan to work through these things – starting this week – so that the impact of any risks that do surface during rough times is kept to a minimum.

Preparing to Crush Every Job Interview

I'm often asked about candidate experience and how Talent Scouts can best prepare candidates for interviews. I view it as a very simple equation:

Talent Scout Prep + Candidate Prep = Informed, Productive and Hopefully Very Successful Interview.

As Talent Scouts, we know what we need to do to execute on our piece of this equation. However, it raises the question: What can candidates do to ensure they are truly prepared before an interview? Here are five things candidates can do ahead of an interview and dramatically increase chances of landing the role they seek.

1. Demonstrate depth around self-awareness: Come prepared with examples not just of your successes, but of times you failed as well. By admitting to one or two of your past mistakes and being able to articulate both what you learned and how you've adapted to move forward in your career, you achieve immediate credibility. Think deeply – missing a deadline, for example, although not something to characterize as a win, demonstrates no depth. Think about behaviors, actions, values you lost focus on and resulted in under-performance versus something you were accountable for. Think about the HOW and reflect on it. The point: We all have career missteps. Interviewers want to know you can take accountability for them, your resilience and how you learned from them.

2. Ask About and Understand The Behaviors The Company Values. Ask how things get done in this organization when it's at its best. How does it act when under pressure? What are the core behaviors the company expects of you as a leader? As an individual contributor? Ask about how they celebrate wins, communicate and handle disagreements. Seek to understand, and then ask yourself how these behaviors align with what you know about places/environments you have been successful - and not so successful - in. Be honest with yourself (see #5).

3. Create A Strong Set of Questions to Ask Your Interviewers. Ask the things you truly want to know about. The team, the management style of your potential boss, the future plans for the company. Be mindful about your questions. For example, don't ask, “What keeps you up at night” to anyone, EVER: What keeps most people up at night is paying the bills, their spouses and children, their health… Of course work is often top of mind for any committed employee, but it typically prioritizes after personal life “stuff” so avoid questions like this. If you want to understand about challenges such as potential missed goals, resource needs, and gaps in plans just ask. However, remember to ask the questions thoughtfully. While you might be seeking information, a poorly worded question could offend your interviewer. Getting an impact answer is less likely to come from the question “What has been screwed up” versus “Tell me about the goals that your team and this role are accountable for. Would love to hear your perspective around what is going well and potential areas of opportunity that might impact my work in this role”.

4. Be Prepared To Acknowledge You Are A Work In Progress. Nobody likes a know-it-all, but leaders especially don't like a candidate who comes off like they think they are. It's important to highlight your strengths, but the top employees who deliver the best work tend to be hyper aware of gaps and learning opportunities. Employers want to know you are a high aptitude person with a proven track record, but who also understands the importance of continuous learning. In almost every interview I've done with high aptitude, get-it-done type people, the candidate has spoken at length about what skills they want to continue to develop, and the proactive steps they are taking to master them. They nail the interview almost every time. You want to be one of these people.

5. And Finally, Be Honest. I'm not referring to egregious lies like claiming to be a director when you were really a manager; that's an integrity issue. Being honest means being candid about what your career priorities and goals are, your current and expected compensation expectations, what types of environments you thrive in, etc. These are invaluable experiences you've gathered, which when all added together define your optimal working situation. By sharing these insights and adding color to them, both you AND the interviewers will build an understanding about whether the company and role are in alignment with you and your priorities…all moving you to more quickly determine if this is in fact the IDEAL role for you. This takes courage, you might lose an opportunity due to misalignment, but be honest and you will ultimately end up in the role that suits you best.

These suggestions are done in conjunction with all the standard prep: Take the time to research the company and its products. Has the company been in the press lately, and why? Who are their competitors? Don't feel the pressure to understand each and every nuance but you do want to come prepared with a grasp of the basics. In addition, research the LinkedIn profiles of those you are interviewing with – where did they go to school? What has their career track been like? Any similarities to you? Does their profile offer an insight around the type of manager or partner they might be? There's insightful information out there, you just need to take the time to look.

Now go get ‘em.

The Secret to a Successful Rapid7 Interview

With over 90 open jobs and hundreds of active candidates, Rapid7 is adding new team members on a daily basis. One of our biggest challenges is making sure the quality of our hires remains high as numbers increase. High volumes of interviews coupled with eager managers and recruiters, and the business need to move at an accelerated pace, can often result in small, inadvertent concessions in quality. Being mindful of this challenge and helping our organization scale while maintaining an incredibly high bar is the challenge of Rapid7 TA and TA teams everywhere.

So how does a TA leader begin to address this challenge? Do you add bigger and better tools? Skills tests? Behavioral assessments? Do you turn your interviewing managers into robots with standard interview questions and over mechanize the process? Or is there an alternative which keeps the focus on transparency and candidate experience while hunting for that stellar talent and fit? There are benefits and restrictions to every approach.

Here at Rapid7, I try and keep the team's focus on the latter. I do this for the simple fact that if candidates know what to expect and when to expect it they can better prepare for the process. Prospective candidates will be prepared in terms of understanding what we value and the required skills needed to do the job, as well as gain a better understanding of “rewarded behaviors.” As a result, we find they will either passionately connect with us OR say “this isn't for me” and self-select out. Our goal is that early in the process, prospective new team members know what we understand skills needed and what it truly means to be a culture fit. As a result, they can spend their interviewing time sharing relevant experiences and helping us to get to really know them as people, rather than working through canned responses to our questions. Knowing what to expect lessens interview anxiety and allows the candidates a better opportunity to bring their “A game” to the interview.

If you are interviewing with Rapid7, here is what you should know ahead of time:

All candidates, no matter how senior or junior – no surprises, no trick questions: prepare, then crush it.

Attitude: Do you demonstrate a high level of collaboration? Do you actively seek constructive feedback to better your game? Do you engage others with good intentions? Are you focused on searching for a solution rather than dwelling on the problem? We are trying to gain an understanding of how you will engage within a team and if you value accountability.

Aptitude: What is your appetite for learning? Do you ask a lot of questions? Do you have the ability to learn things quickly? We look for people who have an interest in continuous learning and growth, and the ability to do so. We also look for strong leadership. Those who have a vision, engage others and are willing to take disciplined risks are highly valued.

Cultural Fit: How do our Core Values resonate with you? Think about how they apply to you. We live by these. If you don't connect with them, chances are Rapid7 isn't a good fit – regardless of your skills and background.

Skills: Of course, we all need to bring some basic skills to the table. Come prepared to talk us through your background, and help us understand your experiences.

Successful candidates come prepared – you have reflected on these key areas and can speak to the relevant parts of your background that might make you a fantastic candidate. Most importantly, you are thoughtful in the examples you share, and areas you choose to highlight to help us get to know each other better.

Interviewing is all about understanding skills and the potential capabilities of a prospect. Of course, a rigorous assessment of skills is critical. However, you'll find at Rapid7 we place just as much emphasis on your attitude, aptitude and culture fit. We believe that if you know what to expect before walking in the door, you can better prepare to share without the anxiety of a “trick” question that might be coming down the line.

For us, an interview provides the forum for you to share what you are capable of and believe in. We feel our approach allows for a transparent and honest result for both of us.

Employee Referral Event: Networking with a side of beer, hold the BS

If you think about the goal of the interview process, it's about getting to a point somewhere down the road where both sides (candidate and company hiring) can say “this works for me,” and then come to an agreement of terms. That's it, boiled down to its most simple form. And not unlike many Talent Acquisition leaders, I've been spending a lot of time thinking about how to make that simplest form come to life for the majority of our interactions while keeping quality high.

It's easier said than done.

In the case of Rapid7, we focus more on cultural fit than specific skills, which can take some time to get right. We look for super smart, good attitude/high aptitude, focused, collaborative listeners who connect with our core values and we challenge them daily and move quickly – sugar coat this and you can end up with people who don't fit or worse yet, are caught off guard after starting and realize they've made the wrong choice. DISASTER. We're doing better in this process and continue to look for the right balance, but decided the time to try something new was now.

(Image above shows the café before everyone showed up – out of respect for our guests' privacy, we didn't want to post photos during the event.)

Why not just throw it all out there and see who engages?

Okay, that's a little bit dramatic, but it does describe our thinking for the Employee Referral and Networking night, which we had at our Boston office on August 12 – an event all about honesty, conversation, feedback and direct sharing but without the pressure of an interview. Don't be mistaken – you hear some of the terms above, and no doubt an interview comes to mind; however, the event was meant to be anything but that and done so quite deliberately.

From the start, participants from the Rapid7 side understood that there was to be no mention of specific roles unless our guest requested; the focus of the interactions was to be driven by what our guests deemed to be important (if that meant jobs, then so be it). Also, if we didn't have the answer, we tracked down someone who did — no bullshitting.

In addition, the questions from our speaker panel were meant to share personal stories about how certain leaders connected with the organization and what they did to help others (hires within their org) connect in their own unique way.

In my view there are 3 keys to a successful networking event for those of us on the recruiting side:

No BS: Your guests are in process or considering a career move and want information – do whatever you can to provide that information, address concerns, and above all be honest about opportunities in your organization's overall offering.

Hold on the pushy recruiter routine: There is a time to gather hot buttons and push hard for a close. The Networking event is not it. Recruiters should be facilitators, troubleshooters, seen but heard less than others from the organization who are in attendance. Your time will come – sit back for a bit.

Lead with your most important resources: Employees with a particularly strong social presence? Industry leader? Leading work that resonates with your target audience – build the event around them, get them sharing their story, get others there with perspectives on their story.

I personally learned a lot from holding this event.

First, our employees – free of specific talking points and jobs to sell — embraced the opportunity to have a few drinks and chat about their roles, what it is about Rapid7 that they have stuck around for, and most importantly, their view of the talent needed to take this organization forward.

Second, our guests shared that the bare minimum of presentations and formal agenda, which allowed them to engage as they wished, worked for them.

We missed an opportunity in not providing a tour of the site – we were trying to be respectful of those working during the event, and this represents a lost opportunity. Next time, we'll start later and offer tours.

Otherwise, overall it was an event with good food, great beer, better conversations — all in an attempt to try something different.

@dmulls16

The Black Hat Attendee Guide Part 6a: On Job Hunting & Recruiting

If you are just joining us, the series starts here.

If you follow LinkedIn alerts, you'll see a clean pattern where the musical chairs, that is InfoSec, pick up and move to the left. The first starts the week after RSAC in SF, the other is after Black Hat. This isn't because recruiting happens, even though it does. It is because people go work for great companies, and leave bad people, circumstances, or have found an opportunity to grow somewhere else (for more coin!)

Keep your head on straight

No one (in their right mind) likes talking (in public) about a job hunt while they're employed. Obviously it's an uncomfortable subject, and if word gets out you're looking, your day job becomes a little less safe. Like it or not, networking leads to new gigs and a brighter future -- just be aware of how many people know that you're looking or listening.

Keys to success in this venture, in my humble opinion, are found in perspective and transparency. Everyone, if honest, can see the gaps between what they dream of, their ideal, and what they have to offer. Searching for where to start? Understand where you are today. Carefully shape what you'd like to be doing in 3-5 years. Keep in mind that growth is part of every job you take, so you won't be 100% qualified, or know how to do everything in your next role JUST YET. Successful candidates grow, and we expect it.

Many of you are actively looking; this post breaks down some of the discussions I keep having with folks.

“I'm not qualified, I've never done that before”

Almost everyone says this at some point, and for good reason, rooted in their humility, impostor syndrome, or Dunning-Kruger-type things, and almost everyone worth their salt probably wrestles with these tendencies.

I'm going to say it again: Change your perspective. You are not applying for a job where you need to do clearly defined work, like mowing a lawn, running a cash register, manning a post for a specified time—all of which fits nicely onto a timesheet. The work we do in this industry is very fluid, even if job definitions seem pretty straightforward.

Remember: People are hired for aptitude. Jobs are chosen for growth potential. If you can already execute the duties in a job description, managers aren't worrying about hiring you—we worry you'll be a pain in the rear as you get bored. You're qualified because you have the potential; the question you need to have is the gap: Is this something you can get up to speed fast enough to be a help to the team? That is the question you need to answer when you look at things on the job description. So let's look harder at that:

Reading the Job Description (JD)

The JD is not a tool to determine if you are qualified. Read it while asking yourself: “Is this what I want to be doing for the next three years?” and “Is there room to grow into this job?”

For those of you who haven't directly managed humans, hiring and firing is a thing, and it is very different than managing systems. Rebooting (err, mis-hiring) hurts people, changing their lives in a painful way. Scaling systems is straightforward, even if tedious—cloud technology has helped dial us in, and configs are pretty structured—but there's no Chef or Puppet config for adding humans to your team, so we use job descriptions. Unlike system and application profiles, we can only attempt to describe the skill sets, attitudes, preferences, and special gifts or traits of what we think a successful candidate might embody.

Read that paragraph again. The JD is effectively guesswork. There are bullets that aren't negotiable, and there are bullets that are flexible. You won't know which is which, so tread lightly and read thoughtfully. As a hiring manager, I can't tell you how many times we finished interviewing some people, only to realize there was absolutely NO WAY these people were going to work out. Moment of clarity, it wasn't them, it was us—and the JD needed a re-write.

When you read the job description, try to read between the lines and be quick to ask questions while you have someone F2F at Black Hat. What does the day-to-day workload look like? What does the new hire need to ALREADY know how to do? What can they learn on the job and grow into? (Another side-note: Even if you know how to do something, you can almost bet a prospective future employer does it differently, so there is always learning, growth, and adaptation required…)

You have a great resource available to you at events like RSA and Black Hat -- corporate recruiters and potential future teammates. So while at Black Hat, don't avoid the recruiters—talk to them and find out who is hiring for what roles. Once you do, then talk to the folks on that team. I know a number of hiring managers coming to Black Hat with headcount they are looking to fill—immediately. Seek them out. I promise that you'll learn far more over coffee or a meal about the team and company than you will in 10 hours scouring their website.

Reading your resume

Let me state this again: determining if you are qualified is not your job. The hiring manager makes that determination. You really want companies to find the right folks, and sometimes, you really are the right person with all the right attributes.

Let's break that down. The JD is a recipe, and resumes offer a list of available ingredients. Hiring managers know their culture, organization, and the specific needs of the team. A great manager isn't cooking food, they're crafting cuisine. Building a team is tedious, takes considerable investment, and is a lot harder than it looks.

Blind applications represent a numbers game, and the challenge you'll face is having zero access to the hiring manager until you've made it past the recruiting/HR filters as they judge you on your resume alone… unless you are meeting them face-to-face at Black Hat or other live industry events.

What hiring managers look for in you

If you haven't walked a mile in these shoes, think about anyone you've ever interviewed. Meeting face to face at Black Hat allows you to skip an initial resume screen and answer meaningful questions. Questions being asked on both sides of the table might be: Can we work together? Laugh and pull pranks together? Are you an eight-to-fiver, or are you in-it-to-win-it? Would I look forward to lunch with this person several days a week? Are you my particular brand of crazy? Can we collaborate?

If things are going well, this evolves from the personal chemistry into a situation where you want to know they can actually do the job. Can you hold a job? Are you a leader or follower? Are you self-directed, or need continual guidance? Will your experience and expertise complement my team?

What you (the seeker) are looking for

You also need to ask, in earnest, if this is a company you want to work for. What is the reputation of the company, who works there, what are they doing, is the future of the company viable (read: will the company survive)?

Some folks prefer smaller companies they can bleed into, where they can stretch their wings and earn sweat equity. There are more unknowns and higher risk, but there may be a possible equity payback. Risk can bring rewards, and many thrive on the instability and flexibility found in these smaller companies.

Other folks aren't in a place to take on the culture or the risk of a smaller company for whatever reason, and they find comfort in larger, safer and more established companies. Yes, there might be more bureaucracy and a slower pace, but some people thrive in this environment and need the trimmings that come with stability, like benefits, healthcare, and retirement considerations.

How would you describe the company's philosophy? You want to know what their ethics and belief system are—if they have one, and hopefully they do!—and what it means to them. Core values are important. If it's just a marketing exercise, find out. Companies I love strive to honor their mission; check out Nike, Delta Airlines, and Zynga core values as examples.

My hopes for you

First and foremost, be grateful for the work we do: There are other industries hurting right now, and we have no shortage of jobs. For those of you employed and considering a jump, remember that you came here for a reason -- a big part of my income is that sense of purpose.

Second, be graceful as you move about the industry. Laugh as you might, and as excited as you may be to leave, don't forget you may wind up working with many of your current team in a few years… so don't burn bridges or bad-mouth people. People make mistakes, people change. Hopefully we all progress and grow from lessons learned.

Third, try not to focus on the money. What we do is lucrative, no doubt, but Lennon and McCartney put it best: “You can't buy me love.” Join a team you enjoy, with people you love, at a company you believe in. You'll have Mondays and happy-hour-filled Fridays, and the occasional no-sleep work weeks. Warts and all, this is your chosen profession. At the end of the day, you need to believe in what you're doing.

Finally, if at all possible, try to negotiate a bullet into your job description focused on community work. Maybe that's focused on an OWASP project, leading a local ISSA chapter, mentoring locally, or organizing a BSides event. Make it something you are incentivized to do and your company supports in writing. We're building this industry together—do your part.

As always, your thoughts and comments are most welcome here on the blog, or out in the Twitterverse.

~@treyford

Want more? You can catch all the entries in the Black Hat Attendee's Guide series here.
