Vulnerable by Design

In each interview, I opened with a demonstration of vulnerability. I know that this is a loaded word at a cybersecurity conference, but bear with me :)

Experience has shown me that the security practitioners and humans I most admire and learn from are those who allow themselves to be vulnerable. They allow themselves to not know, to make mistakes, to be wrong. Above all, they do not allow themselves to use emotions to manipulate others when they face the discomfort that finds us in those moments.

I brought a light-touch vulnerability to the table: this is my first time hiring someone who will report to me directly. The delivery was a little different each time, depending on the candidate, but the core message was the same. "If you're a little nervous, you're in good company. I'm new too."

One of the distinguishing features of the candidate I most preferred was that they led with vulnerability, sharing that they felt nervous in response to my programmed, polite "how are you?"

Think with Me

In our conversations, it was clear that each of these candidates had been through interviews before. Each had the canned, practiced responses to commonly asked interview questions. Each was different, unique in their choices of stories to share, but ultimately something they could have recited without much thought or effort in a series of interviews. 

The ultimate reason behind starting with vulnerability was to create an environment in which the candidate had the courage to get uncomfortable; the courage to face a question they had never answered before and think through their response. 

The path I chose will sound familiar: what is a time that you experienced conflict?

The bitter stories of group project planning reigned, and each of our candidates was the savior who came to the rescue. I knew the story well; I am certain I shared more than one exactly like it myself!

After their planned answer had played out, I asked them to then step forward with me and consider: what do you do with complete agreement?

I asked the question without answering it myself in detail. I didn't want to bias myself towards any answers any more than I already was from my own practice and experience. 

No candidate had an immediate answer. In some cases, the candidate practiced problem solving by probing to see what answers I might be looking for. When one candidate came up empty, I encouraged them and offered to think it through together.

The candidate I favored thought through their response. They took the space they needed to think through their answer, and they shared that they would ask whether there were any biases we hadn't considered. It is a moment that I still think on to this day; I am confident that young person will be a valuable addition to any team they join. I didn't deeply consider answers to this question, but this is one that I will never forget.

Technology

Before the first round, I read the notes our recruiter left and did due diligence reading each candidate's resumes and cover letters, if submitted. After the round, I decided to pass each candidate through to my colleagues. I had a favored candidate, but I thought each was capable of and would benefit from joining our team and wanted their take. 

For the first round of interviews, I took notes for each candidate and made sure to provide specific topics or areas that I wanted the team to investigate further in the summaries. Only later did I learn that they could not see my notes in the same way that I saw the recruiter's.

Our first lesson was know thy hiring tech. We reflected that it made sense that we couldn't see one another's notes, as it could introduce bias in the interview and selection process. However, it also means that information I would otherwise have communicated had not reached them. 

Accommodation by Up Front

In our reflection conversation while preparing for Secure360, we also established that the candidate I favored from round one had joined from what seemed to be a mobile device looking straight up. While the candidate chose to join in this less than ideal fashion, we also realized that perhaps life had simply come up and that what had once been a good time for an interview was now not so great. 

Our second lesson was that going forward, if a candidate joins a virtual meeting in a less than ideal way (poor internet, mobile device, etc.) confirm whether the time still works and offer to reschedule the interview, reassuring if necessary that it will have no impact on their candidacy.

Limit People

I admit that I was in the habit of this style of interview rounds from my previous institution. Hiring rounds oscillated between one to one and two to one styles, up to panel interviews for some roles. I thought that be designing a process with a low number of rounds that included the primary "hands on keyboard" team with whom they would work, we'd be efficient with our time and respectful of candidate time. 

While those things may have happened, by choosing a short-time two to one interview, I left no time for my colleagues to really get to know the candidate. The dynamics of two are very different than the dynamics of three in interpersonal relationships, and in the future I plan to be much more mindful when it comes to panel style interviews, even with only two interviewers.

The Right Person

The right person became clear during our reflection. The candidate demonstrated curiosity, interpersonal skills in communication, leadership, and drive to get it done. They were a candidate with no previous internship or cybersecurity experience. We chose this candidate because they met all of our most important criteria. 

I am deeply grateful that this candidate is also the first woman in cybersecurity that I have hired, and I know she will be the first of many.

Learning from my team that my favored candidate was their least preferred actually inspired the submission of this story to Secure360. I was certain that it was a brilliant case study example of how inclusive hiring practices impact candidate choice. Upon reflection, it's clear that I was valuing myself as a person practicing positive discrimination and inclusion and not considering the same of my white male colleagues. This was not a good look; in fact it was blindly, negatively discriminatory against humans that I trust and value as allies and friends.

After having this realization, I took ownership of my actions and unconscious biases, and I invited them to a conversation about their experience in internship hiring. We processed together, shared the ways that we had each sought to reduce bias, and learned from one another through the course of the conversation.

For example, we all agreed that it was important to avoid the "right/wrong" binary questions that some interview processes use. As Jeremy pointed out, "if you need to know the service associated with a port, you're going to Google it until you know it." Rote knowledge can be handy, but thinking through is the Swiss army knife of cybersecurity.

Zach, who was hired full time after his internship at Code42, shared fresh perspective on the process informed by equitable hiring courses he'd taken in college. He also knows several young people entering the workforce, and he emphasized the importance of being realistic with the interview process. Some of his friends had gone to four or five hour-long interviews with a company that did not pan out, in some cases affecting their financial standing due to missed work.

Designing interview processes that respect the lives and livelihoods of candidates is an equitable and positively discriminatory practice.