I am writing this at the time of being a manager of a penetration testing team but also applying to other organizations for a potential change and to gauge my own skill set as a penetration tester. From the recent interviews I have sat through, I have come to realize some things my team may be missing and better ways to try and strengthen our internal processes.
First and foremost interviews suck and so does the entire job hunting process.
The entire process seems diluted and a lot of EXCELLENT candidates are slipping through the cracks because the process is broken. Most of the time the process is too long and you usually have interviewers that are less technically skilled and younger than the potential candidate. Leaving room for missed opportunities and problems in the process.
One of the greatest problems, bias.
A bias is “cause to feel or show inclination or prejudice for or against someone or something.”
“Interviewer bias is where the expectations or opinions of the interviewer interferes with the judgment of the interviewee. This can either affect the outcome positively or negatively and that these preconceptions can both consciously and unconsciously influence judgment.”
“Age discrimination involves treating an applicant or employee less favorably because of his or her age. The Age Discrimination in Employment Act (ADEA) forbids age discrimination against people who are age 40 or older”. I know, no one likes to talk about this subject, but it happens more often than we like to think. “Ageism is one of the last socially acceptable prejudices.” https://www.apa.org/monitor/2023/03/cover-new-concept-of-aging. How can you have an interview, where no one on the panel is over the age of 40? Especially for a Senior role? What are we doing? Are we being ethical?
I have sat in technical interviews, knowing that personally and professionally I did great, but may not have provided super technical answers because the type of questions that were being asked didn’t call for that type of answer. I have sat in interview where the entire interview was supposed to be a technical interview but all questions that were asked, were “gotcha” type questions. Employers may ask “gotcha” questions to see how you react under pressure or to get a sense of your problem-solving abilities. They may also use these questions to assess your critical thinking skills and see how you approach challenges. These types of questions aren’t needed in a technical interview. There is no need to ask these types of questions especially in penetration testing. In this field, we aren’t under the gun and have time to analyze the testing environment and think before we act on a particular vulnerability. If I am sitting in a technical interview for a penetration tester position, why do I need to explain the CIA Triad or the OSI model? These are necessary to understand but have nothing to do with a technical role, such as penetration testing. Education and certifications should show the candidate knows these topics but honestly have nothing to do with the day to day of penetration testing. This is wasting the time of everyone and prolonging the process. Zero substance and show NO technical prowess of the candidate.
If you want to have a technical interview, look at the candidates resume and ask technical questions about the data they provided, or see if they can expand on something they recently did. Their certifications should show you their technical expertise. Certifications such as CRTO, PNPT and OSCP aren’t just give me type certifications, they are difficult and take work to accomplish. There is no way these certifications could be accomplished without technical expertise. If you see certifications without some type of hands-on lab such as CEH and other certifications that are strictly knowledge based, then you should be more technical in your Q&A. So if you have a candidate that has this type of credentialing, WHY are we wasting time with ridiculous technical interview questions?
The hiring process could be sped up if the actual people that hired didn’t just use the certification process to get past HR but look at the certification (or take the certification) and know what it took to get that particular certification. This is the BEST thing about certifications, it can do a lot of the interview process for you. Then you just need to feel out the candidate and see if their personality would fit the organization.
If an organization has more than 2 interviews for a candidate (not to include the initial HR interview or recruiter interviewer) then in my opinion, your process is broken. Having multiple challenges and then face to face interviews and then technical interviews and on and on, is just wasting time and WE can do better. Remember 80% — 90% of penetration testing knowledge can be found on Google, the other 10% — 20% are in the candidates notes, find the right candidate by interviewing the person’s potential skill set, not their rote memorization.
One other important note that I wanted to stress during this draft. We need to remember and understand that there are different types of learners out there. In my opinion, the way a person learns will affect they way they are able to either provide details during an interview or express their knowledge on a particular subject.
Interviews can be a good assessment tool for different types of learners, including visual, auditory, and kinesthetic learners:
Visual learners
- Learn best when information is presented visually, such as through videos, graphics, diagrams, charts, and color-coding. They may also remember what they see by organizing content into visual patterns or sketching designs of concepts.
Auditory learners
- Learn best through hearing or speaking, such as in lectures, discussions, and audiobooks. They may also remember information best after reciting it back to the presenter.
Kinesthetic learners
- Learn through their sense of touch, such as by participating in hands-on activities. They may also process information through experience rather than by being shown or told.
Are we failing to adjust our interview style based on the type of learning style of the candidate? Is this cause for missing out on the right candidate, because they weren’t able to describe in detail an answer we were looking for, rather them allowing the ability to show us…POSSIBLY!
On the final note, to all you interviewee’s, DON’T GIVE UP!
My next blog will go over some Penetration Tester questions that should be reviewed prior to a Penetration Tester interview.
***NOTE*** This is a personal opinion and not the view or hiring process of any employer. This is just an observation of the current penetration testing hiring processes in 2024, from my personal interviews.