# The applying post

Posted on 06.05.2016

If the title of this post looks familiar, that is because it is deliberate. Thomas Ptacek, Matasano founder and infosec expert, has written at length about hiring, both on his blog and elsewhere on the internet. I am going to write about the same subject, but as an applicant for jobs in both the information security and developer fields.

I didn't necessarily intend to work in IT. I learnt to program as a teenager and eventually gravitated towards Linux, but I never really set out with the intention of becoming a programmer. My first real job was in statistics. However, for various reasons I gravitated towards software engineering as I realized I could solve some of the limitations of our statistical packages by writing a solver - and since my internship was essentially based on concatenating datasets, I upset a lot of people by writing a program to do this automatically, because who wants to copy and paste a 50,000-column dataset and call it work experience? For more complex and involved reasons I started a maths degree at a brick university, but this didn't work out and I got a job writing software while doing my degree via distance learning. Incidentally, thank you to The Open University for making doing a degree like this possible.

However, I was always interested in mathematics and cryptography and it didn't take me long to discover other areas of computer security. One of the very first programs I wrote was a terrible Caesar cipher in Pascal (I know better now, but the average 10-year-old does not). So you can see why I might decide it would make sense to combine my interests in both areas.

Applying to jobs as a software engineer is luck, much like any other job application, but there are some interesting caveats:

• Some jobs will demand a degree and will not consider you without one. These tend to be large-ish organizations such as IBM, who will hire almost anyone with a 2.1 regardless of prior knowledge of computing or demonstrated expertise. Indeed, such large organizations and much of UK government have precisely two application paths: (very) experienced and graduate.

• Many jobs contain a huge wishlist of criteria, which you must match as closely as possible regardless of your ability to learn. It is fairly commonplace for jobs to list a ton of criteria. The top item on careers.stackoverflow.com for my homepage right now requires:

  • Experience in Java application development.
  • Experience of web application frameworks development in languages such as Javascript, node.js, angular.js, HTML5/CSS3
  • Experience of application development using Java orientated middleware, for example, J2EE, Spring, Hibernate, Apache Camel
  • Experience of software application development utilizing RDBMS (e.g. Oracle/MySQL) and/or unstructured persistence layers, e.g. ElasticSearch, MongoDB
  • Proficient in Linux as a development and deployment platform
  • Experience in secure development techniques and tools that produce secure systems.
  • An understanding of virtualisation (e.g. VMWare and Hyper-V).
  • Experience of scripting languages; Perl, Python, ruby
  • Experience of PKI and encryption techniques.
  • Experience of Big Data Analytics and Visualization
  • Working in an Agile / SCRUM /Devops delivery model,

Finding a developer that matches these requirements exactly is likely to be difficult, and I would argue it would be impossible to find someone with expertise in all of those, particularly PKI/encryption techniques and ElasticSearch/MongoDB. I would, for example, match the scripting language Python, but my Ruby/Perl knowledge would not immediately be sufficient to write quality software using them tomorrow.

• Having filtered out all the available candidates using the above two criteria, the company will then do an interview where they ask you questions like "what is the $O(n)$ runtime of a quicksort?" because obviously the ability to regurgitate first-year computer science knowledge makes you a good programmer. If you're lucky you might get to whiteboard a solution. If you are not, you will be asked to "think of a time". None of these are a good predictor of whether you'll be the right person for the job, but these hoops can be jumped through if needed.

• In startup land it is common to replace salary with vague promises of future wealth, or to create a cult of personality where those you deign to employ are special because you "only hire the best" and you are a "dream company", or to attempt to distract from the fact that work is work with nerf guns and table tennis. Or maybe all three. At my last interview I was asked "do you want to be a millionaire?"

Needless to say, I have been employed as a software engineer, so the lack of degree hasn't held me back. The downsides and difficulties of such employment we can leave for another time, but it also had its upsides.

During this time, however, I have also applied for jobs in the infosec industry. The most common jobs in such an industry are, to my mind, web application penetration testing, and as someone who does not usually develop web applications I am not necessarily surprised by the results. However, it is worth breaking down my experiences.

• I applied to a well-known testing agency in Manchester, by which I was told "we only hire experienced people". The same company now has a ninja mini-CTF for applying, which we'll come to later.
• I applied to another, smaller testing agency and was given an offer! There was a catch, however: the salary offer was less than 2/3rds of my salary at the time.
• This experience was later repeated in Geneva. I practically bullied a testing agency there into giving me an interview, which they did, but the problem again was pay. I came in with a low offer (in Switzerland) of 70,000 CHF p/a and was told they could not meet that with my lack of experience. The average salary for software engineers in Switzerland is just over 100,000 CHF, so I hope this puts the figure of my offer in perspective.
• I applied to a UK civil service department that does some "cyber" (no, not that one in Cheltenham, this one does defence only). I passed the interview and got an offer subject to clearance. A couple of months went by and I received a letter informing me that they would no longer be taking my application forward, with no confirmation of what happened, and my request for clarification was met with "can't tell you, national security". Oh.
• I applied to a role doing development for a professor at EPFL. He seemed like a really nice guy and set me a coding task, which I did and submitted. Nothing. No answer, no "sorry we're not hiring you", no nothing.
• I applied to another role at EPFL and was set a four-hour timed coding test. I was having a very bad day and I flunked it. On a good day I would have known how to do the first part (I finished it the very next morning) but the second part I wouldn't have known how to do (could I have learned, though? Yes but not in four hours).

There are others, but they are repeats of the above, or complete silence. Am I "that good", that I should get a role? Well, I am nowhere near Project Zero material and I won't be speaking at Black Hat any time soon, but I am convinced that with a bit of ramp-up I have the ability to test webapps, and I have already reverse-engineered a fair amount. Needless to say, I can structure extended text in English (and in French, but I'd need a native-speaking proofreader to iron out issues).

Companies (and many governments) are aware they have problems hiring "talent", and you'll hear an awful lot in the press about how we have a shortage of talent in the "cybersecurity" world. Talking to people I know in this area, they believe we have a shortage of difference-making talent, i.e. talent-talent and not just grunts. But difference-making talent only rarely turns up, and you can nurture it in the right environment, too.

These companies have started to believe that the solution to this problem is to take the CTF concept and make games the new job application. For example, games are now being run nationally in the UK and by individual companies, with appropriately stupid names and graphics (grow up, please). This form of recruitment is a little more promising in terms of the technical evaluation of potential, but it is otherwise catastrophic, because it selects for people with an abundance of free time and the inclination to spend it playing games. Who has the most free time? Young people, probably at university or not long finished. Who is inclined to play games? Males. So, a game like this will attract exactly the sort of people who will likely apply anyway... and only those who have the free time to do so. Do I have the time for this? Between a job and a degree, not at all.

I do not doubt hiring is a difficult, time-consuming process. I have heard it said that a job interview is really a coworker interview - I would agree, and I don't see this as necessarily problematic, as you do not want someone who antagonizes an entire team, but sometimes you also need people who bring fresh views and perspectives and (constructively) challenge dogma. Technically, demanding an exact list of skills and rejecting people who do not meet that list (in general; I am not accusing anyone directly) sends a very clear message: you are here to solve our problem right now, but your personal development is of no interest to us. There are many posts on Google about software engineering being a dead-end career and to get out by 40. If you hire only exact matches, this creates an artificial expiry of skills. Software engineers can and should re-skill frequently, and it would be helpful if they could. Yet the advice of a 40+ developer in Switzerland is that (at least European) software engineering companies offer no career path whatsoever. This is my experience too. How dumb is this? Similarly, infosec's tendency to believe that developer skills equate to no skills at all in infosec is equally as dumb, but not surprising. As for money, this is a contentious topic, but if you're going to offer an absolute pittance you also rule out people who simply cannot afford the career change. Sure, a small company might have a constrained budget and might not be able to offer much; I understand this. However, as an applicant I have my own self-interest at heart.

So, in closing, every time I hear we have a shortage of cybersecurity talent I feel the need to write this post, which I have now done. I disagree. We do not have a talent problem, we have a hiring problem.