Culture is of huge importance to us and finding someone who fits into our culture, gets along with others and wants to contribute to that culture is essential. Our general hiring policy for a person is, “prefer who they are over what they can do.” The reason for this is that a skill is easier to teach than a mindset or a personality.
This generalist guide explains what we look for in an employee and how we determine if someone is the right fit. It can be used by hiring managers at Volkis, by those applying for a position here and even those applying for positions elsewhere.
The job description
When we put out a job description (JD) for the vacant position, it is important to keep it short and sweet. Describing who we are as a company, the job expectations and employee benefits needs to be succinct and accurate. This will vary from role to role, but the overall company culture should be consistent across all job descriptions.
The goal is to attract people who read the JD and think…
I think this would be a great and fulfilling place to work. I should apply.
It might also be a good idea to include a link to this page in the JD. 🙂
The CV & cover letter
The CV, just like the JD, should be short and sweet. It should describe who the candidate is, their skills, their interests and what they want from the role.
whoami? It is probably the hardest thing for an infosec professional to write about. They are generally not a boastful bunch, but it is important they represent themselves accurately. At Volkis, we take into account the candidate’s personal interests and ambitions whether they are related to infosec or not, so we encourage candidates to include those.
What we look for from this section is to see if the candidate fits into our culture. Candidates should just be themselves. We prefer candid language to corporate language, in CVs and actually most documents.
Skill set / past experience
We need to be convinced that the person we are hiring is not just a nice person, but can do the job. No one person can be the best at everything, so there’s no point in the candidate pretending or exaggerating on their CV, but they should be realistic about what they can offer.
Examples of work the candidate personally did in past roles go a long way. It is more than okay for them to brag about accomplishments they are proud of! If parts or all of this section are written specifically to fit our JD, it shows a positive effort to understand the role.
A person is not defined only by their job. We want to hear what candidates have achieved outside of infosec.
The people that are most likely to get to the interview stage are those that stand out from the rest of the candidates. Have they:
- Contributed to the infosec community?
- Written code in their own time?
- Taught others?
- Posted articles in a blog?
- Done bug bounty or CTFs?
If so, we want to know! This is by no means an exhaustive list, so if they’re putting any sort of effort into infosec, we value seeing that in the CV. This is particularly important for those applying for entry-level roles or for those without prior experience.
We appreciate a good cover letter. It shows that the candidate is putting effort into this process. A cover letter should be written from scratch for each new job application. If the candidate is using a generic cover letter, it is usually a detriment to them. A cover letter should tell the hiring manager three things:
- Why they think they are suited to the role;
- What they can contribute to the role and to the company;
- What they wish to get from the company.
It should be short. 2-3 paragraphs is plenty.
We do a minimum of 2 interviews for each candidate with an optional 3rd interview before making an offer.
1st interview - The basics
This should be a short interview (roughly 30 minutes) and most likely done over the phone. The purpose is to give a bit more information about Volkis, the role, and to filter out those obviously not suitable. The hiring manager may ask (depending on the role) about:
- What interested the candidate about the role;
- Would they be okay to travel for work;
- What their past work history was like;
- Any legal reasons they may not be suitable (e.g. working rights, criminal history);
- Basic concepts in their skill set.
The hiring manager should also answer any questions the candidate may have.
2nd interview - Technical interview
In this interview we really drill down into the candidate’s skill sets, what they can do and how they go about solving complex problems. The interview should last for about 1:00 - 1:30 hours and will either be face-to-face or via a video conference.
Questions are very specific to the role and the hiring manager should ask a lot of open-ended, scenario-based questions. We want to know how the candidate thinks and if they can think outside the box.
We try to avoid memory questions or any questions that can easily be Googled. For example, in a pentesting role, we don’t care if the candidate can remember what port SMB runs on, but we do care if they know what attacks can be performed against SMB.
We have a greater preference for conceptual understanding of the topics rather than any specific process or a specific tool used. If the candidate doesn’t know how to answer, they should step the hiring manager through their thought process and explain how they might go about finding the answer. The interview is a conversation and the candidate should give every question a go.
It is important for the hiring manager to make the candidate feel as comfortable as possible. They will not grill the candidate and should try not to ask questions way above what is expected from the role. We want to see the candidate’s true self, so do try to maintain a relaxed atmosphere.
We don’t care about attire too much, so the candidate can wear whatever they feel comfortable in.
At the end of the interview, we want to know the candidate’s expectations of the role, including salary, so the hiring manager should ask about salary expectations at this point. If the hiring manager didn’t cover one of the candidate’s expectations, the candidate should bring it up.
Candidates who are at this stage have the option to receive feedback. They have given us a lot of their time and, if they were not successful, we don’t want them to leave empty-handed. The hiring manager should be willing to offer honest feedback if asked.
3rd interview - Optional meet & greet
We may ask the candidate to come back for a 3rd and final interview to meet the rest of the team. This can be over Friday afternoon drinks (alcoholic or otherwise) or via a group video conference.
This interview should be very casual and just give the team a chance to get to know the candidate and vice versa. We want to make sure they gel well with the team and see if any red flags present themselves.
If that whole process goes well, we give the candidate a formal job offer with a contract.
We perform background checks on all employees. If the candidate is given an offer, it will be conditional on passing their background check. Things that may disqualify them from employment:
- Criminal history relating to their job or Volkis’ moral standards;
- Ineligibility for employment under Australian law;
- Lying about their skill or experience in the CV or in interviews.
We also do a general search of a candidate’s internet presence. We are hackers after all. 😉
If uncertain, the hiring manager should consult with company leaders.
We strive to keep the hiring process as timely and efficient as possible. Hiring managers should strive to respond to candidates within the following timeframes:
| Candidate progressed to | Result notification timeline |
|---|---|
| | Up to 2 weeks later if successful only |
| | Up to 2 days later |
| | Up to 2 weeks later |
| | Up to 1 week later |
| | Up to 1 week later |
Candidates should be aware that although we do our best to stick to the above timelines, there could be special circumstances that prevent the hiring manager from doing so.
If the candidate has made it through, we really look forward to them joining the Volkis family! Hiring managers and candidates are strongly encouraged to celebrate their success and announce it to the company.