None of this - none of it at all - is remotely relevant to the actual day-to-day job of a Head of Security Operations. Again, these are questions that cannot be answered appropriately in character-capped text fields. But beyond that, these are questions that should not - ever - be used to screen applicants, least of all applicants for a role where these requirements do not even come into play.
How Their Interview Process Works
Having waded through this nonsense, you finally get to submit your application. As with many companies, Canonical sends a little follow-up email to let you know what the actual interview process will look like.
If the application process didn't put you off, then this will be the final nail in the coffin for your application.
First off, your application does not get reviewed by someone from HR, or a hiring manager, or even the line manager for the role. No.
"A senior team of managers and leaders from across the company form a virtual team of hiring leads to shepherd every application through our process. They are not recruiters"
Your application is going to be reviewed by a random group of people who have nothing whatsoever to do with the role, who will not have relevant expertise to judge what a "good" application looks like, and who are clearly hiring for clique-fit rather than competency.
Huge red flag: this hiring-by-committee approach never, ever approves of top candidates. Because a company where someone from a random department gets to review your application is a company that has mediocre chair warmers in senior positions, who want to ensure there are no pockets of excellence in the business that could show them up. Good leaders hire people better than themselves: committees hire mediocrity to cover their arses.
The biggest fail, though - the outright discriminatory step that guarantees neuro-divergent applicants, or anyone with mental health issues, will be weeded out - is the use of aptitude and personality tests.
"Our interview process starts with a written interview, which will be reviewed in an anonymized queue to reduce bias, and a standardised assessment of aptitude and personality, to provide a more objective initial application review."
Aptitude and personality tests have been snake oil since they were introduced, and they remain an incredibly stupid and ineffectual way to assess a candidate. There have been decades of research explaining why they suck, and why the people who use them are idiots. Don't just take my word for it: have a look through the detailed investigation the Harvard Business Review did on it - *over a decade ago*. https://archive.ph/p2Frg
The other major problem with aptitude and personality tests is that they also immediately disqualify neuro-divergent candidates, who are exactly the sort of people any sensible organisation would want to attract to a cybersecurity role. This is not just sabotage of the hiring process: this is demonstrable ignorance and incompetence from everyone involved in it.
If you thought Canonical's statement on Diversity https://canonical.com/careers/company-culture/diversity was just another instance of cloying, corporate bullshit - well, now you have the evidence.
In this day and age of increasingly sophisticated phishing and fake hiring scams, it's also good to see that Canonical openly sets applicants up to be scammed by having a mish-mash of external companies involved:
"As you move through the process you will receive a series of communications from us. These will come directly from our Applicant Tracking System (Greenhouse), our partner providers (Thomas International and Devskiller) or as an email from your hiring lead here."
Why? Why would you do this? The only communication applicants should be getting is from the nominated HR person or hiring manager who is managing your application. Random emails from three external parties or a random employee are just begging for some social engineering: once an applicant has been told to expect mail from Greenhouse, Thomas International, Devskiller and an unnamed "hiring lead", they have no basis for rejecting a lookalike domain that claims to be any of them. This is doubly obnoxious when you're trying to hire for a security role.
Final Thoughts
You may think I'm being overly harsh to Canonical, and that I'm making some indefensible judgements. And you could be right - so don't take my word for it.
Something everyone should be doing before even thinking about applying for a role is heading over to Glassdoor, and looking at two things:
- what applicants are saying about the hiring process
- what employees are saying about the company
Glassdoor is a good barometer for company health because the reviews essentially fall into one of three patterns:
- There's not enough information
If there are only 1 or 2 reviews (which we'd expect for a smaller company or a startup), it's hard to get a feel for the company. Someone might have been fired for taking a dump in the microwave, and left a scathing review. Or there might only be 12 employees, and only 1 person could be bothered to write up their thoughts.
- There are several reviews, and they're generally positive
Everyone likes to whine and complain, so there will always be some negative sentiment, but in general, what we want to see is several balanced reviews, with some positives and negatives, and some good reasons why. Companies with this sort of profile on Glassdoor are generally going to be OK, with nothing more serious than the usual everyday corporate nonsense we all have to endure.
- There are a load of very negative reviews, and a load of hugely positive reviews
These are the toxic hell-holes. The negative reviews come from the long stream of dissatisfied employees who are venting their frustrations at a toxic workplace. The hugely positive reviews come from the social media, marketing, and HR teams desperately trying to hide the fact that you'll be working for Satan, and spending your days kicking puppies.
Have a read through the reviews of working at Canonical here: https://www.glassdoor.co.uk/Reviews/Canonical-Reviews-E230560.htm
They are pretty damning, highlighting a clique-y and out-of-touch leadership team with a toxic workplace. There's a clear and consistent message about the company culture and the quality of the leadership team and management, and equally clearly, this feedback is being ignored. The reviews touch on many of the things that I've highlighted just by digging through the application process.
It doesn't have to be this way
Companies like Canonical are continuing to sabotage their efforts to hire security talent. The galling thing is that none of this is difficult to solve, and none of the solutions are cryptic, or secret esoteric knowledge senior cybersecurity people have been jealously guarding. We've all been talking about this for years.
- Stop asking for degrees. The only acceptable time to ask for a degree is for a senior position, and even then the only right way to phrase it is "a cybersecurity degree, or equivalent professional experience".
- Ask for certificates where they are relevant. CISSP for an entry-level analyst role? Do one - the certification itself requires five years of professional experience. CISSP for a senior architect with 8-10 years of experience? Absolutely.
- The people responsible for managing the position should write the job description. They know what skills and experience matter.
- Keep the hiring pipeline short and simple. 3 interviews, max, run by people who will be managing the position and understand what is involved. Don't let people unrelated to managing the role do anything with the JD apart from adding some boilerplate fluff about how amazing your company is to work for.
- Interview candidates properly. None of this "yes/no" nonsense and questions that can easily be Googled. Use case studies, give the candidate a chance to show off their strengths, and have a conversation rather than an interrogation. And, above all, expect difficult questions from candidates, and actually answer them.
In Closing
No surprise that this role is still unfilled almost a year after I first saw it posted. Normally, I'd look at a car crash like this and think "This is a company that isn't just not serious about hiring - they actively hate the sort of people who would apply."
But in reality, this is not just a masterclass in how not to advertise a role: it is an example of the current thinking and approach of too many companies. Companies that don't respect applicants, let alone their employees. Companies that don't value people's time. Companies that don't value the unique skills and expertise their employees bring to the table.
Ultimately, companies that are going to be in the news in the coming years for inexcusable and wholly avoidable security breaches.
I have nothing personally against Canonical - Ubuntu is mediocre but usable, they have had some major privacy slips, and Mark Shuttleworth is a dick - but their whole approach is a perfect example of everything that is currently wrong with hiring security talent.
I can only hope that sometime soon, as the breaches pile up, the idiots running companies like this will be held accountable.
Until then, have fun in your job hunting.