Knowing When To Walk Away — The Four Hour Interview

A while ago, I received a lead from a startup for a potential contract.

They reached out to me after undergoing a cybersecurity review by a third-party company, in which they had done very poorly.

For example, they lacked even the most basic security measures, such as multifactor authentication, which I’d consider a bare minimum in today’s climate.

Despite this, I was interested, as it’s kind of my job to help with something like this. Here is how the interview process went:

The first hour
The interview process began smoothly. The initial interview was online with the person I’d be reporting to. It lasted an hour, and I felt it went well.

The second hour
The next interview was in person with another executive in a related role. Once again, no red flags.

The third hour
By the third interview, I was getting a bit tired. This time, it was with an HR executive. I respected the process, but I’ll admit that after three hours, the thought of charging for my time had crossed my mind.

The fourth hour
After the third interview, they still seemed interested but wanted me to meet with the company that handles their outsourced cybersecurity services, known as a Managed Security Service Provider (MSSP). I was hesitant but agreed. In hindsight, this was a mistake for several reasons:

  1. Misaligned Priorities: The MSSP doesn’t represent the company, and the interview felt off. Most of the questions revolved around how I’d be funneling work to the MSSP and implied that my role would hold little value in the bigger picture.
  2. Low Cyber Maturity: Given the organisation’s low cyber maturity, involving the existing provider in the hiring decision at this stage seemed counterproductive.

After a very strange 15-minute interview with the MSSP, they informed me that they had decided not to proceed with the role. Looking back, there are a few things I could have done differently:

  1. Set Boundaries: I should have budgeted no more than four hours of free time for the interview process.
  2. Decline External Stakeholder Meetings: I should have refused to meet with external stakeholders who are not directly involved in the decision-making process.

I think it’s okay to say no, especially when dealing with startups that are still finding their footing.

What would you do in this situation?

@jobs

#macroblog #infosec

  • partial_accumen
    21 days ago

    What would you do in this situation?

    In this case, follow the engineering approach. Identify the problem that needs to be solved and make sure the Startup understands it.

    After getting shot down by the MSSP, re-engage with the Startup and ask for 10 minutes of the time of the executive you talked to in Hour #2. Have this message passed to the executive with your request for the 10 min.

    “$Executive, I appreciate the time you took speaking to me. With my knowledge of Cybersecurity and experience I’ve gained from working for other organizations, I’ve gained some insight on your organization, its current challenges, and most importantly, some information you’ll need for any future candidates you vet for this position. My professional ethics demand I offer to communicate this to you, and I can do so in as little as 10 minutes in a video meeting.”

    What you tell $Executive in that meeting is this:

    “Your organization has a business and financial risk in its relationship with $MSSP and the conflicting goals between $Startup and $MSSP. While I’ll be the first to say that good Cybersecurity isn’t a ‘point-in-time’ state, but rather an ongoing posture and adherence to behaviors, $MSSP has no desire for you to ever achieve independence from them. They have a vested business interest in forever being your only sounding board for any issues they raise, any solutions they propose, and any price they demand. During the many interviews, I spoke to no Cybersecurity professionals here at $Startup. I gather that is because there are none. Who then is $Startup’s advocate? Who receives the information from $MSSP and makes sure what they are delivering is quality work or even a value to $Startup? Currently no one. Further, you are letting $MSSP be the final word on candidates for the possible advocates you hire. Do you think they have $Startup’s best interest in mind when selecting a candidate if it means fewer tickets filed with $MSSP or less scrutiny of the prior efforts and deliverables when renewal of the MSSP contract comes due? Or perhaps would they prefer you hire someone that doesn’t cast quite such a critical eye and instead continue to simply farm out any Cybersecurity needs $Startup has to $MSSP in the future? Keep in mind, I have little to no exposure to the work $MSSP has done so far for $Startup, and am not accusing them of any kind of bad faith business or malfeasance. They could be performing excellent work for $Startup, but currently, you have no way of knowing. I understand I didn’t get the position with $Startup, and I’m fine with that. I am in conversation with another prospective employer already, but I felt as a Cybersecurity professional, leaving you without this perspective would be unethical on my part. Thank you for your time in the interviews, and this follow-up time. I hope $Startup has success going forward. Goodbye!”

    There is a decent chance they will hire you. If nothing else, you might get some Cybersecurity consultancy work out of this.