An Open Letter To IT Recruiters

So maybe this is not a letter per se, but the title fits, as I hope many IT Recruiters read this. I have been around the information technology/information security industry for a while, actually almost a decade. Before that, I spent almost a decade navigating submarines in the U.S. Navy. I have spoken with HR and recruiters for more positions than the number that I have accepted. I would venture to say that it is at least a 1 to 10 ratio of positions offered and accepted versus those discussed or for which I interviewed.

Types of IT Recruiters

When it comes to IT Recruiters, I have worked with some of the best and some that I would consider the worst. To set the tone, I want to point out the employment and pay models for most recruiters:

Note: These are broad generalizations and will not completely describe all recruiters. Some companies will have different pay models and the quality of the interaction may be uncharacteristic (for better or worse) of what I summarize.

  1. Permanent Internal Employee: These recruiters are permanent employees of the company for which they are hiring. They may have quotas or incentives such as bonuses, but they are typically invested in the long-term success of the company and its employees. Many of these recruiters have tenures of 5 or more years.
  2. Contracted Recruiters: They work as internal employees for a contracted duration – 3, 6, or 12 months. These employees are typically paid for the number of potential employees contacted and interviews set up. Many have less interest than the permanent employees but more than the next category.
  3. Placement Firms: These are often known as “headhunters.” They are paid a single fee if the potential employee that they put forward to the company is hired by the company. For the placement firm, the employee will be employed by the firm as a contractor of the acquiring company for a set time – 2, 3, 6, 9, or 12 months. After this period, the employee may be hired by the company or the position made available again. While some people like the short-term engagements, for those who are seeking something more permanent this becomes a perverse incentive for the firms to act unethically, or for the company to avoid paying benefits to an employee and routinely turn over staff at the end of the contracted period.

My Experiences

I would like to share scenarios of my experience with each of the three types that I outlined.

As you may assume, your mileage may vary and your experiences are likely different (for better, worse, or otherwise).

The Good

  1. Permanent Internal Employee: This has been my best experience. In some positions, it was HR or the COO of the company that handled this. For others, it was the dedicated recruiter that was on a different team in the HR Directorate than actual HR.

In these scenarios, they communicated often and concisely. I could tell that they were passionate about making the experience good for potential candidates. They were knowledgeable about internal processes and able to answer most questions and did not hesitate to find someone who could if they could not.

The Bad

  1. Contracted Recruiters: I have only worked with this type of recruiter on two occasions, with the same company. The first was for a position with an elite team within a large security company; the second was an incident response consultant position for the same company. The first time, the recruiter was not interested in getting back to me via email or phone. He even missed the agreed-upon time for an interview. I called him numerous times within the 30-minute block and got nothing. I had to call and chase him down for each interview in the process.

Through the process, I went through 5 of the 6 interviews in a 10-day period. I felt like I was being fast-tracked to be hired. I never got the 6th interview. A friend who is an internal employee found out that because the contracted recruiter never followed up with the hiring manager, they had to close the job requisition. He never called me back or returned my calls.

Fast forward a few months, and I apply for an IR consultant position. They contact me for an interview. I explain my past experience with the company, to which the recruiter apologizes. I ask him to commit that the experience will be more open and better for all. He agrees reluctantly. After my initial screening, I never hear back. My friend who works there inquires and does not get a response either.

The Ugly

  1. Placement Firms: The worst experience in my professional career in terms of trying to get hired was with a placement firm. I provided them my resume. They told me that they would make formatting changes and put their logo on it for the client. I understood and agreed. They call me back and say that the company wants to interview me. I am ecstatic. They coach me on ways to answer questions vaguely, to embellish my experience, or to lie about it.

During the interview, they start asking advanced questions about networking. I had no background in networking. I admit that I do not know, then offer an educated guess and insight into my thought process. The interviewer comments that a CCNP should know this, as it was CCENT/CCNA knowledge. I quickly reply that I do not have a CCENT, much less a CCNA or CCNP. They say that my resume has a CCNP and certification number on it. I explain that it is false and tell them about the coaching.

I give the interviewers my email address and ask them to send me what was submitted and that I would forward the email containing what I sent to the headhunter. Night and day may be an understatement of the differences between the two. I explained that I was unemployed and just trying to get a position, that I typically did not work with such firms and expressed my embarrassment. I offered to stop the interview to stop wasting their time or mine. They were appreciative and said that they were not holding any prejudice against me, only the placement firm.

LinkedIn and Social Media

Most of us have probably been randomly messaged on LinkedIn or emailed for a position outside our experience or interests. I used to get solicited for Java developer positions, yet I do not even mention Java or JavaScript in my resume or social media. I try to vet connections before I add them. If they seem to be from a headhunter, I typically do not accept. I am currently in a permanent position and uninterested in giving that up for a 37-minute contract-to-hire position on a help desk. (Note: The 37 minutes is exaggerated satire, and I have nothing against help desk positions, but I am not interested in those positions, nor does my resume reflect that I would be a good fit.)

From my analysis, it seems that many recruiters (mostly headhunters) are mostly interested in what I call “spray and pray,” meaning that they want to send the position to as many people as possible without any concern as to whether they are good fits. This is certainly annoying. Below is an example of a non-recruiting message that I received ahead of RSA Conference from a salesperson. The amount of false and incorrect information is astounding. (I do not have an assistant.)

Emails from IT Recruiters

Have you ever wondered why you get email blasts for irrelevant jobs? I have been researching this and I think I have an answer. From what I can tell, and from what recruiters who sent me repetitive emails told me when I confronted them, it is because I uploaded my resume to a career site with my contact information on it. Career Builder, Monster, Indeed, etc. allow recruiters to pull job seekers’ contact information. After all, recruiting relies on this model to work, for the most part.

How can a recruiter place anyone in a position if they cannot contact them? I wish there were more scrutiny in allowing such information to be pulled. It would be more ideal if the job boards required the recruiters to be more specific as opposed to pulling all information down. Since I go by my middle name, I can vet whether recruiters actually read my resume, as they will not use my middle name if they do not. As a professional, my advice to recruiters in this sense, as well as on social media, is to take the time to refine the candidates to those whose resumes contain keywords specific to the position they are trying to fill, as opposed to the spray and pray.

Poor Social Engineering by Recruiters

If you have ever seen me give a social engineering talk or heard the audio, you will know that I openly admit that sales and social engineering are basically one and the same. They both use influence to attempt to get the person to do what they want. To take this a step further, recruiters are also salespeople. They are selling you to the company and the company to you. Like social engineers and salespeople, they need to build rapport with those they work with to attempt to influence the outcome in their favor. Below is an email that I received that displays manipulation (malicious influence), poor ethics, and downright dirty tactics.

The major red flag for me was that the “referral” from “another cybersecurity professional that they are engaged in a job search with referred me but wanted to remain private.” Who would do that? There is likely a referral bonus. Who would turn that down? It just does not make sense.

Advice to Recruiters

  1. As Jim Nitterauer says, you have twice as many ears as you do mouths; use them proportionately. As a recruiter, you should listen to the concerns of the employee and what they are telling you about themselves beyond just selling the company to them. Listen to their experiences, concerns, and ambitions, then respond. Don’t try to force-feed them everything and have a one-way conversation.
  2. As a recruiter, you are the first representative of a company that an employee will meet. The reputation of the company rides on your actions and how you treat people. I will admit to having a sour taste in my mouth based on the actions of a couple of recruiters or less than ethical experiences.
  3. Take the time to ensure that the person you are reaching out to is a good fit. Make sure that if you are approaching them to be a developer, that they are actually a developer, have interest in it, or have been one. People are not inherently programmers or developers just because they are an information security or cybersecurity professional or a hacker.
  4. Stop pushing for what we make. As a job seeker, I typically dodge the question by telling them my range, which is based on the level and quality of benefits. If you want to know what I am making (a ballpark estimate), do the same thing I do when researching your salaries (since you “can’t” tell me) and go to GlassDoor.
  5. Stop acting like you are doing us a favor. The favor is symbiotic. We are helping you and the company and the company will be helping us.
  6. Learn what IT certification goes to what and stop vetting everyone based on CISSP. I have the CISSP (and the ISSMP concentration) in addition to other certifications. People should not be turned down for DFIR or penetration testing positions for not having CISSP. Take the same advice that I give salespeople working for consulting firms and work with the professionals to properly understand what they do.
  7. Be the enabler, not the roadblock or gatekeeper. I remember reading a book about getting a job just before I got out of the Navy. They called HR the “Hiring Roadblock.” It’s sad but true. (Enter Metallica song). I am not telling you to not vet candidates, but use common sense beyond the acronyms and how you feel about a person based on your interactions.
  8. Always have a good attitude. This will reflect more positively about your company and excite candidates about working there. Your attitude will drive their attitude.
  9. If a candidate asks for feedback, provide it. If a candidate is not selected, let them know. You expect them to do the same if they do not accept the position.
  10. Most importantly: BE HONEST. No one wants smoke blown or sugar coating. Tell them the truth and do not string them along.

In conclusion, I did not expect this to be a 2,000+ word post. I have many friends that are in the job market right now and they have been venting to me. To a degree, this brought back my experiences, and in talking to Ben, he recommended that I write this, so here we are. I do not intend this to be a recruiter-bashing post, but rather an open discussion between those seeking and those hiring. Hopefully, this post helps both sides of the aisle learn how to communicate more effectively with the other and to understand the motivations of each.

By the way, check out my new OSINT articles on Forbes:

About Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.