
Looking to hire at Defcon

  • mttrading
    Member
    • Aug 2023
    • 1

    #1

    Looking to hire at Defcon

    Hey there, my business partner and I run a trading group and we are looking to bring on a skilled hacker for side jobs consistently throughout the course of a year.

    Is Defcon a good place to find talent?
  • number6
    404 Image not found
    • Apr 2019
    • 2172

    #2
    Originally posted by mttrading
    Hey there, my business partner and I run a trading group and we are looking to bring on a skilled hacker for side jobs consistently throughout the course of a year.

    Is Defcon a good place to find talent?
    Lots of people get jobs through people they know or meet at DEF CON, but the DEF CON Forums is not a place to advertise or recruit. We do not support sales or ads on the DEF CON forums.

    A huge majority of people that get jobs through contacts they know at DEF CON are as a result of getting to know other people, and naturally coming up in normal conversation at parties or over technical discussions, or with a team-mate working to win a contest or other similar things, not any kind of active recruiting where anyone sits at a table trying to get interviews. It isn't any kind of "Job Faire."

    People do not advertise where they work. Is the person you are talking to running a department of red-team? Are they a federal employee with blue team testing and defense? It is not like BlackHat or what COMDEX was like, where people walk around with badges that show where they work, and what their role is where they work.

    • mttrading
      mttrading commented
      Okay, makes sense, thanks for your reply. Would you suggest I go if I don't know how to code but I am looking to bring someone into our company?
  • number6
    404 Image not found
    • Apr 2019
    • 2172

    #3
    Originally posted by mttrading
    Okay, makes sense, thanks for your reply. Would you suggest I go if I don't know how to code but I am looking to bring someone into our company?

    First, attendees presently employed with reliable paychecks from employers and long-term commitments to remain employed with excellent job security and compensation packages likely won't see much value in an opportunity for side jobs for up to one year.



    The rest is for the general question of "is there value in recruiting at DEF CON?"



    That is a complicated question which would require me to be omniscient. I do not know about your business, your plans or your goals. These are none of my business.
    A better consideration would be trying to give you information which might help you decide on your own.

    Any skilled recruiter can learn a lot about people through regular conversation. Are they able to explain complex issues to someone with little knowledge of the topic? An ability to verbally communicate complex issues to people is a VERY good skill, and often maps to the same skill when things are explained in writing. Are they easy-going, or aggressively unsocial?


    Are you a manager or director with little technical experience? There are several parts of DEF CON which have little to do with tech, or coding.

    There has been a part dedicated to social engineering, in being able to try to detect when someone is trying to social engineer you, and social engineer others. Exploiting human weaknesses or desires to get-along, or not be rude, or compassion or other elements are risks to nearly any business. It is good to be informed. Many people with few technical skills have found social engineering related village content to be educational and useful.

    There has been a Lock Pick village, where you can learn how to pick locks, and about physical security bypass, as well as how to improve physical security.

    There are contests like the new "Phish Stories" which can be educational on how email messages can be crafted to lure your employees to work against your business plans and security.

    There are contests which arguably have little technical skill requirements, but have players that push really hard to reach their goals. The Scavenger Hunt has a long-standing history of players that focus on just one thing the whole weekend, and drive that to completion. They also have people attempting to exploit the rules, and judges to convince them their submission satisfied something on the list through clever arguments or other methods.

    Octopus games is new, but expected to be similar in concept to the Netflix show "Squid Games": people looking to play that will probably also be committed to achieving a goal.

    Check out the many contests, events, villages, and more:
    https://forum.defcon.org/node/243392

    If there are talks being presented on topics related to your goals, you can attend those and attempt to engage with the speaker on the topic, and get to know them. Some may have suggestions for you. A large percent are already happily employed and being paid by their employer to attend DEF CON. However, most main track talks are made available online a few months after DEF CON. The real value in seeing these talks in-person is being able to meet with the speaker and possibly ask them questions near the end of their talk if that is allowed.

    On average, employees of security in tech with a boss that understands tech, security, and building quality and not taking short-cuts, tend to get meaningful sympathy from these employers and understanding with rational resolution when an employee expresses security concerns with an approach a manager or director is proposing. It is best when the manager/director knows how to create code, as managers with such experience can better communicate with the technically skilled people, and estimate deadlines to achieve goals.

    There are many personality types at DEF CON. There are some brilliant people who are closer to what many would describe as introverts. Their idea of fun can be solving a puzzle, reading a compelling story, or "day dreaming" about "what if?" scenarios meaningful to very few others. These people tend to not congregate in social settings. Some might join in a team to solve a very complex puzzle which can't be solved by any one person in ~2 days, but these tend to be teams spending a short time discussing a problem, and possible solutions, then each person focusing on their thing most of the time, only entering back into team communication when a solution or new proposal is found. These people tend to be the most difficult to engage with, as they often prefer to not socialize much, but they can be very skilled. When focused on an item that interests them, any distraction from that focus can be very annoying. They often think about things, and re-think about things, and re-think about things, trying to find better and better solutions. I've known many who would spend days working on different kinds of math problems with basis in applied mathematics, all to save maybe a few minutes of time each day in a task, or reduce distance they need to travel, or most cost-efficiently solve a problem at home. Many know they are spending more time finding solutions than they will recover once they have a solution, but it is a puzzle.

    On the other end, you have people which might be described as extroverts. These are often easier to find. They often attend parties, join in active team events, are often happy to brag about things they have done if asked. Many are very good with telling stories which are engaging and entertaining. They use creativity with the communications to maintain long-term relationships. Some may be self-promoters that engage in claims of accomplishments which may exceed actual historical events. Some of these are genuine with their claims, and work many hours to meet their obligations. A problem with these is some of the most skilled and talented get invites to exclusive invite-only parties. If you have never been to DEF CON, you might have a difficult time getting to those parties. Another issue is most DEF CON parties have really loud music, meant to encourage dancing or appreciating the music, NOT socializing. You may have to yell in order to be heard. Louder parties are often not a great place to try to get to talk with people to learn about them.

    DEF CON has a huge mix of people attending it. Some people attend for just one village, or one contest, or all the parties they can attend. Many 100% avoid any main track talks because they expect they can watch them a few months after DEF CON. Some only attend DEF CON talks in main tracks, and/or villages.

    As a manager/director over technical people, learning about how the technical people produce their technical work is probably the most important for a good manager/director to work with technical people. This is important in being able to technically know when something is "good enough" to move to a fork without new features and only focused on fixing bugs. Next most important where security is concerned is getting (at minimum) a general understanding of many kinds of risk in tech for a product, or your business. Consider some of the "DC101" talks which are not meant to be for technically inexperienced people, but instead as topics for people with no experience in that topic, to see a summary of that topic and how it might help them.

    A person without experience in the discipline they want to manage often suffers from a kind of vertical depth perception where they are unable to differentiate between a person that has 1 year of training on a topic, and a person that has hacked that same topic to bend to their will, making it do things it was never meant to do. A person without experience can also suffer a horizontal or "depth perception" problem, where they imagine, "a hacker is a hacker" and a person that can make an exploit on an iPhone to execute arbitrary code with zero user tap/click, might also be a hacker of network services or malware, or lock picking and physical security bypass. Nobody is "elite" (the best and most skilled in every single discipline.) Without technical skills, not being able to see limits in skills of would-be hires and be able to tell the difference between a very competent technical person and a super-skilled technical person all work against your ability to manage these technical people. (Like a workman with a tool box of tools (people) to choose from, but they don't know which tool (person) to use for a specific job, and even if they did know which tool (person) was right, they don't know how best to use the tool (person), which can make a problem worse, or create new problems.)

    Approaches:
    I've heard of recruiters from *BIG* companies throwing parties to recruit people, but those were much more common at Black Hat. At one time, corps throwing money around for a "Free" party was a big no-no at DEF CON, but demographics have changed a lot over many years. Maybe some attendees might like that. Open bars are expensive in Las Vegas. Sure, a small amount of alcohol can allow people to relax and talk about things easier, but once a person is drunk, having a meaningful conversation may be impossible. It is difficult to throw a party that "everyone wants to attend" but allows you to have conversation without yelling.

    An approach I've heard that has worked for people that were hired at DEF CON was having a drink at a bar, one-on-one, or in a small group, with the person wanting to hire them, buying the booze, or taking them out to dinner. This requires you to have a candidate which can fit your expectations, or maybe know someone who would be willing and able to meet them. That is difficult if you have little technical skill and cannot estimate skill sets or skill experience through conversation or observation.

    A more common approach has been through normal conversation, like if they ask what you do, explain you are working for a company and looking to hire people with (list of specific skills) and then ask the person if they know anyone with those skills that wants a job. This allows them to express interest if they want, or possibly relay an opportunity to someone they know. Many new opportunities happen because of "a friend of a friend" kinds of networking. If this happens, then maybe they can introduce you to the person they think might be interested.

    What you manage to get from DEF CON tends to follow the old statement: you get what you put into it.

    I hope this helps you to understand some of the advantages and problems you might face when trying to recruit at DEF CON.

    Good luck!
    Last edited by number6; August 10, 2023, 10:03.
