Knowing When To Walk Away — The Four Hour Interview

A while ago, I received a lead from a startup for a potential contract.

They reached out to me after undergoing a cybersecurity review by a third-party company and had done very poorly.

For example, they lacked even the most basic security measures like multifactor authentication which I’d consider a bare minimum in today’s climate.

Despite this, I was interested as it’s kind of my job to help with something like this. Here is how the interview process went:

The first hour
The interview process began smoothly. The initial interview was online with the person I’d be reporting to. It lasted an hour, and I felt it went well.

The second hour
The next interview was in person with another executive in a related role. Once again, no red flags.

The third hour
By the third interview, I was getting a bit tired. This time, it was with an HR executive. I respected the process, but I’ll admit that after three hours, the thought of charging for my time had crossed my mind.

The fourth hour
After the third interview, they still seemed interested but wanted me to meet with the company that handles their outsourced cybersecurity services, known as a Managed Security Service Provider (MSSP). I was hesitant but agreed. In hindsight, this was a mistake for several reasons:

  1. Misaligned Priorities: The MSSP doesn’t represent the company, and the interview felt off. Most of the questions revolved around how I’d be funneling work to the MSSP and implied that my role would hold little value in the bigger picture.
  2. Low Cyber Maturity: Given the organisation’s low cyber maturity, involving an existing solution at this stage seemed counterproductive.

After a very strange 15-minute interview with the MSSP, they informed me that they had decided not to proceed with the role. Looking back, there are a few things I could have done differently:

  1. Set Boundaries: I should have budgeted no more than four hours of free time for the interview process.
  2. Decline External Stakeholder Meetings: I should have refused to meet with external stakeholders who are not directly involved in the decision-making process.

I think it’s okay to say no, especially when dealing with startups that are still finding their footing.

What would you do in this situation?

@jobs

#macroblog #infosec

  • @satanmat
    33 months ago

    How long were you scheduled for? Then adding an hour would have been a red flag. But it depends on what was agreed …

    It sounds also like it was the MSSP who shot you down. And that they are the weak link that needs to be replaced.