Security Engineering Hiring: How We Are Trying To Make It Better
Jul 25, 2022 | By Alex McGlothlin
Have you ever found yourself in an interview, rambling, nervous, and worried you’ve forgotten to answer the original question? Do you even remember the original question? What if they didn’t want you to expand on this but instead on that?
It’s so easy to get lost during interviews, especially technical interviews. Add the complexity of cybersecurity into that mix, and it’s easy to become overwhelmed.
This is the story about how the Security Team at FloQast is working on improving technical security interviews.
So, what’s the trick? Well, let’s first look at the status quo...
Today, most companies follow an interview process consisting of a screening interview by the hiring manager, who then decides whether or not to move forward with the candidate to a so-called “on-site interview” (which, by the way, is never on-site - it's on Zoom!). During the on-site, the candidate will meet more team members from the hiring department and go through an in-depth technical interview. But from here on out, it usually gets blurry…
Technical interviews can be very difficult to navigate, and without a good North Star guiding the conversation, it can feel a bit like stumbling around a dark room looking for the light switch. You know the interviewer is looking for something specific, but you’re not completely sure what it is. Worse, if you get mixed up while thinking through the question, you may lose track of what you were trying to say in the first place.
What’s Different at FQ?
At FloQast, our Security Team knows that interviewing for complex, technical roles can be daunting. As a company, the interview process is not only about us evaluating candidates; we also have to represent FloQast in the best possible way. As an interviewer, this can be tricky because you have to be present, look into the Zoom camera, make eye contact, take notes, glance at the resume, keep track of time, listen to the candidate, be ready with follow-up questions, etc. In other words - executing professional interviews is very hard to do well.
The most noticeable part of our interview process is that we use Slides throughout the entire interview to guide the conversation. This deck includes all of our questions and relevant screenshots to help our candidates stay on track while freeing them up to give detailed answers.
Our interviewers use Slides as a way to set expectations up front. We immediately introduce our interviewer, describe the interview process from screen to offer, and then quickly describe the structure of our team and where the role they are interviewing for falls into the org.
Why Use a Slide Deck?
Using a deck gives our team a lot of advantages. When we decide it’s time to hire for a role, members of the team get together and discuss the plan. The goal of the discussion is to determine what the person hired into this role will ultimately own and drive as part of our security program. Once we know the purpose of this role, we can carefully select our interview questions.
All of our questions for the interview are preselected and entered into the Slides deck, in order, for each interview (more on the interview process below).
We believe having a fixed set of slides is important for many reasons:
- We can compare candidates on an equal playing field
- Fixed questions lead to a more equitable interview process
- Fixed questions reduce the likelihood of bias affecting hiring decisions
- Fixed questions reduce the chance of the same questions being asked multiple times
- Fixed questions increase the number of topics being covered
- We are more likely to fill any gaps that would otherwise be missed
- The candidates will have the chance to showcase more skills! (win/win)
- Anyone on the team can perform the interviews
- Ability to show images, network diagrams, or other scenarios that are difficult to explain
- Everyone processes input differently. Some are better visually than verbally - with Slides, we can offer both and thereby increase the chances of a successful interview
Additionally, using Slides means we can share screenshots of what we are trying to discuss. This is excellent for speeding up the process because a quick screenshot can be used to very quickly get the interviewer/candidate thinking about the same thing, without explicitly explaining what it may be.
A good example of this is something like a screenshot of an HTTP response, where the questions could range from: What is this? What headers do you notice? What does the status code mean? Is there anything unusual about this response? All of this allows the candidate to explore the scenario while the interviewer gets a glimpse of how they attack a complex problem.
Without the Slide, the interviewer would be forced to spend more time on explaining the question/scenario with simple questions like “What does an X-XSS-Protection header do?” leaving very little room to go in-depth and “explore”.
Quicker Response to the Candidate
A lot of job descriptions have requirements like “You must be able to work in a fast-paced environment,” which is a cliché requirement, but when was the last time you experienced this in an interview process?
We can spin up an interview team instantly because our Slides with fixed questions are handy, allowing us to be much more flexible. We can take a candidate through an entire interview process from start to finish within 1-2 days. We've all been ghosted by companies before, and we want to reduce that, so speeding up our hiring process was important for us.
When it comes time to make a decision, having preselected questions makes comparing notes about candidates much easier. At times, we are interviewing several people a day, so it can be very easy to mix up who said what. Preselected questions allow the interviewers to make better notes, leading to better decision-making.
The Interview Process
- Screening Interview
- “On-site” interviews with 2-3 members of the team
Our screening interview takes a “first principles” approach. In this discussion, we will ask broad tech and security questions with a few role-specific questions peppered in. It is not uncommon to find candidates who come with a strong developer background, looking to advance into security. They might be very strong on secure coding principles, but that will quickly become a problem if they aren't comfortable with the basics of networking, proxies, databases, or the inner workings of browsers.
For that reason, we like to ask broad questions that, on the surface, might seem irrelevant to the role but help paint a picture of how deep the rabbit holes go.
In the “on-site” interviews, you can expect very similar conversations, except that our team will be diving into more role/tech-specific questions. Depending on the role, you may interview with someone from another team that we work closely with.
Typically, we aim to get together as a team and make a decision within 1-2 days!
Hopefully, this will shed some light on how our Security Team at FloQast makes hiring decisions. We also regularly stay in touch with candidates we’ve declined, hoping that one day we will have the right role for them. That happens to be how I got on the team initially 😉
If you are interested in learning more, please review our openings at http://FloQast.com/careers.