A colleague once asked me how I take the measure of a candidate during a job interview. I told her the truth: I try to learn what the candidate is passionate about. What excites them and leaves them feeling fulfilled. That’s not always a strong indicator of technical ability, but it does reveal a candidate’s passion(s), intellectual curiosity, and what they have picked up along the way. That is, what is the candidate internally compelled to do?
As an example, I get a kick out of teaching people how to recognise and evade scams. I feel compelled to interject whenever the subject comes up. I like to repurpose scams and phish that were sent to me to create graphic training aids. This is because of something my father – a lifelong teacher – explained to me: “Ninety percent of learning,” he said, “is knowing where to look.” I’ve found that GTAs (as the Army calls them) can be excellent tools for conditioning people on where and why to focus. Telling is one thing; showing is significantly more effective.
That’s why I got excited this week when I received a barrage of Fear of Missing Out (a.k.a. FOMO) scam emails, all claiming to be from the American retail giant Costco. As phish go, these are decent. They’re not spearphish by any stretch, but they’re good enough to fool an untrained consumer into giving up their banking info. I screen-grabbed this one to use as my primary GTA:

This is a basic phish. It doesn’t use any Costco branding content like logos or standard fonts. Just enough work went into making it look official to pass a glance; it makes no real effort to mimic genuine Costco communications. Still, while it’s obviously a scam to a security professional, it could fool a normal user. The FOMO factor and the greed trigger (i.e., gaining around $100) should motivate a lot of victims to click that glaring blood-red button and at least check out the “survey” page. Most importantly to me, its “tells” are easy to highlight. That’s why I felt compelled to GTA-ify it [1] and share it. Here’s what I threw together:

Does my GTA look professional? Eh … no. Not really. Sure, it would be cooler with branding, slick graphics, and tighter language … but I reckon it’s good enough for its intended purpose. I whipped this up in ten minutes using PowerPoint. In security awareness, warning speed often trumps aesthetic perfection. Put another way, getting a warning in front of potential targets quickly is better than delaying publication for quality improvements! Human risk is not a corporate communications function; we don’t need to impress anyone with slick design, just as the corpcomm folks don’t need to combat scams. Different production standards for different missions.
More importantly, the amateur feel of my GTA enhances its appeal. It’s unpretentious. It clearly wasn’t focus-grouped and polished for maximum appeal. It was obviously something thrown together to serve a purpose, not to burnish the company’s image. That function-over-form approach resonates with users below the director level; everything produced for the brass must be polished, ergo this GTA was crafted for the people! Therefore, our target audience is more likely to read it. That credibility lowers defensiveness, which in turn leads to greater retention.
Back when I was running a security awareness program, I’d slap together GTAs like this between meetings and post them to our internal social media channel. Users would then chime in about variations of the scam they’d encountered and offer screenshots of their own. Not for clout, but to help protect the community. Some users ignored us, but that was their prerogative; our GTAs were optional, “pull” content. Despite not getting 100% coverage, our approach worked well.
Over time, our team’s constant social media presence allowed us to build on our prior work through additions and callbacks. For example, if I’d posted my Costco scam GTA on Monday, I’d likely follow up Tuesday with this “variations on a theme” comparison graphic:

The second GTA reinforces the first one. I chose two other examples from a pool of eight to show how the same attack can be assembled from different templates. More importantly, these side-by-side comparisons also subtly train a user to focus on the three “telling” indicators of this phish (i.e., the context violation, the appeal to emotion, and the call to action). That builds skill in a way that’s transferable to all other phish.
Then there was the entertainment factor. I chose the example offering the free “meat box” lure because that was guaranteed to titillate some of our more easily amused users, thereby making the lesson more memorable … and significantly increasing the likelihood that those amused users would share it with their equally amusable pals. Those sharers lent their professional credibility to our effort, getting more eyes on the content than we’d managed on our own, and conveying their endorsement of our efforts.
In keeping with the additions tactic, now that we’d established the different flavours of Costco FOMO scams, I’d probably post a third GTA that demonstrated how scammers apply the same formula to other popular brands, like this:

You see – pun intended! – what I’m trying to do here? The first GTA introduced the phish. The second GTA showed variations in design, with all examples featuring the same visual “tells.” The third GTA showed how the same phish design is implemented across different impersonated brands. If ninety percent of learning is knowing where to look, then I’ve just put seven examples of my phish detection advice in front of users’ eyeballs … not all at once, so as not to overwhelm, but coming swiftly enough that the first GTA’s lessons are still fresh in the users’ minds, so each new GTA reinforces the last.
This is something I love to do, both in and outside of work. I enjoy showing other people how the “magic trick” of a scam really works so they can see through future iterations of the attack for themselves. Hopefully I can get people excited about the topic, too: sharpening their perception so they’ll be better protected, and building their confidence so they’re more likely to evangelise the lessons to their colleagues, friends, and family members.
More importantly for the sake of this column’s premise, this sort of teaching is something I find myself compelled to do. Teaching, empowering, and encouraging others is my professional passion. I cheerfully say so when I interview, since it conveys that I’ll be a strong fit for roles involving human risk, cybersecurity, leadership, and communications.
In that vein, learning what candidates are passionate about and understanding what compels them tells me not only what they’re interested in, but where else they might fit well in our organisation. I’ve spoken with lots of folks who’d applied to roles in our department based on misunderstandings about the role and the work. Those candidates’ desperation (and, sometimes, disappointment) was clear early on. Both the hiring board and the candidate could see it wouldn’t work out, but that didn’t mean the interview was a failure! Many times, by diving into a candidate’s passions and experiences, we learned how the candidate could contribute well in a different open role ... and then we advocated for them for that other role. I’ve always been happy to introduce a strong contender for positions outside my own outfit. The company benefits, the candidate gets hired, and I sidestep filling a position with someone who would be unhappy failing at it.
I strongly recommend treating applicants as wonders to be discovered, not as machinery to be tested. Most corporate job definitions are nebulous anyway, and the nature of work in any given field is always evolving. Quality people, though, can be trained. Passionate people will eagerly take on the challenge of learning something new. When you find someone who has the raw potential, give them a chance! Find a role where they can leverage their interests and values to grow into what you need.
[1] There should be a dedicated word for this in either MilSpeak or Corporate English.

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543