What to Expect When Interviewing at Dragos: Lessons Learned for You and Other Employers

In this blog, I outline Dragos values and the choices the company has made in hiring and compensation to help you better evaluate our open roles and know what to expect once you apply. We’ve made some choices in hiring that aren’t common and we hope by sharing our approach and the logic behind these choices, other employers and cybersecurity community members can appreciate our decisions and potentially learn from and apply them.

Our Mission

Dragos’s mission and vision statement is simply stated as: Safeguarding Civilization. It’s an ambitious statement, but also easily understood. I started my career in the military, and we tended to have multiple sentence mission statements and vision statements — I personally cannot recall any of them. I understood the overall purpose, but the longer statements simply weren’t memorable.

When you think of our mission of Safeguarding Civilization, for us not to be hypocrites, we have to care about more than just growing a business. It’s not “safeguard the companies that are the largest and can drive the company’s revenues the fastest.” It’s “civilization.” That implies we need to come up with answers for all elements of our community including the smallest and most underserved companies. It also means that our focus is on people. We can’t just position our technology to companies based on how valuable that is for us, but to instead partner with these companies, help them on their journeys, and make sure their people and ours share in knowledge transfer. We are our customers’ ally in their OT security journey.

Our Core Values

Many people talk about culture as if it is a monolithic thing. Culture changes and that’s a good thing. Adding new people, expanding our presence internationally, opening new markets, etc., should all be additive to the culture. In that additive process though, core values act as a guide to note what cannot change. Our core values are:

1 | Candidness

We are protecting people and infrastructures against state adversaries and criminals that mean them harm. Quite literally there are some adversaries who are trying to kill people. We do not have the luxury to pull punches or otherwise not speak candidly. We want everyone to speak their mind and be candid so we can achieve our mission.

2 | Transparency

This company revolves around transparency. I’ll highlight this later in the blog, but transparency deals with everything from transparency about pay and leveling for each job track, to my briefing the company on what I tell the board of directors, explaining decision-making processes, or otherwise sharing what we’re doing and why. There are topics that are privileged, confidential, or sensitive (think conversations with lawyers and personnel matters, for example) that can’t be shared broadly, but those are the exceptions. Transparency opens and invites commentary from across the company that can reveal new insights or help make better decisions. It is both helpful to the company and owed to the employees. This is your company.

3 | Respect

Along with being very candid and transparent comes a requirement to be respectful. In a very tangible and important mission, we must act like adults, be trustworthy, and show respect to everyone internal and external to Dragos. This also maps to the #1 policy at Dragos: Don’t be an asshole. It’s simply stated, but we all know what an asshole is when we see one. I think back to my time in the military where one person would make a mistake but everyone would get punished, or someone did something awful that wasn’t technically against the rules, launching a bureaucratic process that hurt the broader team and morale. Everyone deserves respect on the way in and out of Dragos, and we follow processes to ensure folks get a fair chance – but for those that break policy #1, we part ways. Respect is demanded.

4 | Assume No Malicious Intent

It can be easy as analysts and security practitioners to try to look at all the angles. Sometimes this can lead to believing that something was done maliciously, there was a hidden intent, or some other form of distrust exists in the actions. We focus on assuming no malicious intent with people. Instead, if we have a question, we ask it candidly, transparently, and respectfully, trusting in the response we get as a team unless there is a concrete reason not to. Especially as a team that’s always been remote-work-friendly, it is incredibly important not to assume malicious intent when Zoom meetings and Slack conversations comprise so many of our interactions.

What We Value in the Hiring Process

We value a focus on Skills and Culture. That means, we focus on what you can do in the job we’re hiring for to set the team and you up for success. We also want to understand what you can add to our culture. We look for passionate people who have a real interest in our mission. If you don’t have every skill listed on the job posting, that doesn’t mean you’re not a good candidate, particularly if you’re able to fulfill the essential duties of that position. For example, many of our services team members didn’t have a background in ICS/OT, due to the limited pool of practitioners with this background. We’re happy to train and cross-train people, but you must show the ability to succeed in that environment.

We don’t require certifications or degrees unless they are required to do the job (yes, our lawyers each passed a bar exam). We certainly appreciate the hard work to achieve these accomplishments, but we don’t search and consider them when they’re not directly required for the job. We believe a focus on certificates and degrees can serve as a gatekeeping experience to many. Not everyone has had the same opportunity or privilege to get the college degree or the GIAC certification. And, if we considered those things, as impressive as they might be, we would filter out a diversity of candidates and skilled professionals we would greatly benefit from teaming up with.

Pay Transparency

We are transparent with pay and compensation in our job postings. If you apply for a job at Dragos, you’ll notice that the compensation is listed. We list the pay itself and how we value the benefits (401k/health care/etc.) and equity (stock). Thus, every candidate sees the prospective pay rate for a position and the total compensation. This allows you to make the best choice possible for you and understand if the interview process is worth your time.

Additionally, there are internal career paths for every job at Dragos. We largely use a level system such as L1 – L10 for each career path. In your career path, you will have full view into the compensation given at each level. As an example, if you’re an L1 Software Engineer you can view the entire career path ahead of you and the compensation at each level. This reduces uncertainty so you can make the best choices for you based on factors like potential career progression.

We’ve heard arguments against this approach. As an example, pay and compensation aren’t the only things to consider in a job. Work-life balance, mission, progression opportunities, etc. all matter. So, there is a school of thought out there to withhold pay information until the recruiter can explain the overall package so you can make the most informed choice. However, that doesn’t resonate with us. It’s possible that some people opt out of our interviews because they don’t see the full value yet, but that’s their choice to make. Our goal, which aligns with our culture, is to arm you with as much information as early and transparently as possible, and you can make whatever choices are best for you.

Another argument we’ve heard against being transparent about pay is that other employers and recruiters will know what an employee’s compensation is and just offer more than that number to recruit them away. Good. It sounds like a negative thing from an employer perspective, but it’s a wonderful thing. I’ve heard “you’re poaching my people!” from employers before. There are right and wrong ways to do things – but the employer must understand that employees aren’t “your people.” They’re your teammates, but you have no ownership over people or their choices. We want our employees to be met with the most opportunities possible. I want other companies to recruit our people away with higher offers. What an amazing benefit to our team to have options, potentially with their work at Dragos as a steppingstone they are proud to have in their resume, providing a path to achieve better outcomes down the road. Simply put, we like that we’re more Dragos dot edu than Dragos dot com in some respects. And ideally, with the mission, our culture, the opportunities we create for employees, they’ll stay because sometimes earning more isn’t the most important thing in the calculation.

No Negotiations

Because of how we’ve modeled our pay and compensation structure, what you see listed on the job description and internally maintained in the career paths is one number. There is no range to consider, and there is no room for negotiations.

Our recruiters, HR team, and hiring managers are constantly evaluating the market, using available datasets and conferring with outside consultants to set and reset salaries. We aim to not pay what’s market rate or average, but above average. And we also aim to do the same for our equity packages. In a startup, the equity is the significant upside opportunity, so we work to provide the best packages. Because we have done our homework and are confident in what we compensate, we set one salary number and do not entertain negotiations or changes to that number unless the market changes. As a result, every candidate who interviews at Dragos knows up front what we’re offering, can make an appropriate decision based on their situation, and need not worry about whether they got a better or worse deal than someone else.

Simply paying everyone the same does not in itself eliminate biases. We still must constantly work at creating a more diverse and inclusive work environment and holding ourselves accountable to that goal. However, removing differences in pay between employees in the same position helps tremendously in avoiding pay gaps and differences between employees with different backgrounds. It ensures a sense of fairness that everyone can value.

And if the market changes for any reason (which it does fairly often for some career paths) and we’re not getting the candidates as a result, we adjust the compensation higher based on our market research. And, we do that across the board for anyone holding that position – whether they’re being recruited or they’ve already been hired. For example, if we are looking for a product marketing role and find we are under-compensating compared to candidate expectations, our HR and Marketing team hiring managers do the research to propose new compensation for that role. That gets approved and goes into effect immediately for the posted job, and the very next pay period for the people in the same role internally. Often, these adjustments lead to other adjustments to the levels in that career path even if there are no open positions for the role(s).
We strive to be fair and equitable across the board. And, our adjustments are only positive, and we don’t make adjustments that reduce salary regardless of how the market corrects.

Same Pay Everywhere

Many companies have different pay scales for different places. For example, the pay scale in California is higher than in Kentucky. The pay in the US is higher than in India. And so forth and so on. At Dragos, we do not follow that.

When assigning pay, we benchmark at the top end of the market to be competitive almost anywhere. We then apply that to every location we hire in. If you’re working in a specific role, the value to the company is the same regardless of where you live. In some regions of the world, there are other benefits some employees may get, such as school considerations for expats in the United Arab Emirates, but this is a net positive effect. This helps avoid regional biases and abuse. There are plenty of companies that increase their company and product margins by taking advantage of talent elsewhere in the world at extremely low rates. We refuse to do that.

As a result, our costs are higher. Salaries and benefits are the significant majority of all expenses at Dragos. This also means it’s more expensive to make our product and provide the services we offer than it is for others. As a result, Dragos will never be the cheapest option on the market, but we don’t strive to be. We strive to show more value than anyone else and recruit and retain the best talent by being a fair employer.

Box Car Equity Plan

We try to index on being one of the best employers in the world on our equity plan. We all believe not only in the mission but in performing that mission long term. Since we’re not looking for an “exit” to the company such as an acquisition, we strive to be around a long time. That means the value of our equity should consistently increase over the years and for the foreseeable future at a rate much faster than larger and public companies. Therefore, one of the plans we put into place is a Box Car Plan. This is the most generous equity plan we could find to implement, and we understand that we are one of the very few companies offering such a plan. But our board and our executive leadership team believes strongly that the greatest value of Dragos is our team; therefore, anything we can do to get your buy-in and reward you more for our successes, the better for the whole company and community.

Normally, when you get granted equity in a private company, you are granted stock options. I’ll use some fake numbers here that don’t tie to Dragos to help explain. Let’s say you are granted $40,000 in stock options. There’s an actual value of those shares that the investors have set with the last round the company raised (e.g. if a company is a $200M valued company, that will tie to a share price: as an example $10 in value per share). There’s also a strike price (or the price you pay to purchase the stock options; this is set by a 409A process governed by the IRS for tax implications and purposes). Normally, you are granted your initial equity once, and years later you may receive a top up to make sure you have more stock options to stay longer as you vest your equity. While that’s a good thing in of itself, it can become a guessing game of how much equity you will get in the future, if any. And the strike price of new equity grants goes up over time leaving you with less profit when you eventually cash it out.

In this scenario, let’s say you have $40,000 in stock options granted over a four-year vest (meaning your equity is earned month by month over the course of four years, so if you leave at the two-year mark you have $20,000 vested and over a four year period the full $40,000). In this example the value per share is $10, so you get granted 4,000 shares. The strike price in this scenario is $3 a share. That means when you exercise your options into stock you pay $3 per share, and it’s worth $10 a share, leaving $7 net profit. Over time the value of the shares will increase. Usually in startups it’s not a 3-7% increase like you might expect in other investments, but instead it’s usually in multiples. By the time your shares fully vest, four years later, that $10 a share might now be worth $30 a share having tripled in value. But the strike price is locked in when the grant was given to you regardless of vesting, so still only $3 a share for you. For employees that get a grant four years later though, that strike price might be $12 a share. That’s all great, but if you get a top up grant later now that grant gets granted to you at the time the value is $12 a share. So, you’re still doing well, but it eats into your profits.

A Box Car Equity Plan is far more transparent and beneficial. Employees at Dragos get their initial equity grant just like you normally would at other companies. But then on their first anniversary with the company, they get another grant issued to them at 50% of the value of their initial grant. It has a four-year cliff though (so it vests all at once in Year 5). Essentially, the top off grant you’d be hoping for in year 4 of employment at another company, where your shares are now fully vested, gets given to you up front. So, you know what it is and what to expect. However, the magic of it is that you’re getting that Year 1 strike price. So, in our hypothetical scenario, you’re getting another 2,000 shares but it’s still locked in at $3 a share. You know exactly what’s in front of you by staying instead of having to wonder about what you’ll get in a top up. Also, you are getting your grant at the lowest legally allowable strike price so that as you help the company grow in value, it’s not penalizing your strike price and profits.

Additionally, you get another 30% of your initial grant granted to you at the 2nd anniversary and then 25% after that. You continue to earn more equity at Dragos transparently with the lowest possible strike price allowable. It’s the preeminent equity plan and benefits our teammates greatly.

Remote Work

All positions that can be work-from-home positions are work from home. This was true before the pandemic as well. We have a strong remote work culture. It can be difficult though for everyone to connect in an entirely remote world. Therefore, we have onsites where we bring everyone together multiple times a year (team level and company level). We also do small subtle things like asking that all team members use a real photo in Slack so people know who they are talking to. And unless you have a specific reason (you’re eating, just not feeling at the top of your game that day, etc.) we highly encourage cameras to be on during video conference meetings. We constantly work to find opportunities to make this remote world feel more connected while never limiting your options by worrying about where you work.

There are important caveats to be transparent about though. As an example, for some entry-level positions, we generally prefer to have people located near others or at one of our offices. There’s great value in having people to reach out to and connect with locally when brand new in the field. There are also some positions for which location matters; as an example, our sales team may have a territory account manager who needs to be in the Southeast US because that’s where the customers are. It won’t matter where in the Southeast they are so long as they are present in that region. For most jobs at Dragos though, location is irrelevant in the country we’re hiring in. We cannot hire in every country as there are significant expenses on setting up corporate entities in every country in the world. But once we hire in a country, where you are doesn’t matter.

Diversity and Inclusion

Diversity is important. Diversity comes in many shapes and forms, and it is not up to us to dictate what does and doesn’t qualify as diversity. However, we attempt to understand what diversity we lack at Dragos and aspire to counterbalance it by recruiting a diverse candidate pool. As an example, when it comes to gender in the tech industry and at Dragos compared to society, women, non-binary individuals, and transgender community members are not as well represented as their male counterparts. Therefore, we encourage all applicants, including those who identify with those communities, to apply for our open positions. We are careful not to discriminate in any direction, though, including in this example against male applications. There are no quotas and being of any background does not guarantee any result in the interview process. But diversity adds to Dragos and helps us be better, think better, achieve better results, etc. So, we seek to add diverse candidates to our candidate pool wherever we can.

It’s not enough to just encourage people to apply to Dragos and to join our team, though. We have a diversity and inclusion committee at Dragos made up of our awesome team members who help try to keep us on the right track as we expand our team and work to ensure that everyone has the chance to succeed and thrive. It is not only the right thing to do, but selfishly it makes Dragos a better place to be and allows us to achieve our mission for everyone.

The Interview Process

Our recruiters and hiring managers try to make the interview process at Dragos as easy as possible. We realize your time is valuable and you have plenty of options. We feel lucky to have the opportunity to recruit you to join our mission.
Generally, every interview process runs like this:

  • Jobs are posted with full compensation information listed and as few requirements as possible. As an example, we expect an entry level position to have no requirements because you’re new, and there are no expectations of work history or performance. We expect mid-level positions to have 3-5 requirements. We expect senior/principal level positions to have 5-7 requirements. We try to eliminate fluffy requirements like “be a team player” as they don’t help you self-select in or out of the process. We do not evaluate or consider certifications or degrees unless they are necessary for a specific position.
  • You apply through our website, and we go through and flag the applications. There’s no automation; a human is looking at every single application. We prioritize a reasonable number of applications that we can take to the interview stage. Everyone else is given a rejection notice. We’d love to give feedback on every resume, but it’s just not feasible. If you do not make it past the first step, you’ll get a notice as soon as possible so you’re not left waiting.
  • If selected, the recruiter schedules a call to answer any questions you have and guide you through the interview process. They’ll also help you understand the compensation better. Even though it’s transparently listed, you still may have questions about the compensation or how equity works at Dragos.
  • For most positions, after the initial screening call we’ll schedule up to three interviews with the hiring manager and the team.1st Interview with Hiring Manager: Approximately 1 hour evaluating the candidate for both alignment with our values and skill alignment.2nd Interview with Peers: This may be a 1-hour panel or broken up into two 30-minute conversations with peers you will be working with. The intent is to give you and them familiarity with each other.3rd Interview with Senior Leader: This interview is with the senior leader of the group and will be approximately 45 minutes. They have all the notes from the previous rounds and ideally if a candidate makes it to this round the goal is for the senior leader to validate the team’s decision.
  • After all that, you should either get feedback on why you didn’t get the position and whether we encourage you to apply for future roles, or you’ll get notified that you got the job and will be extended an offer letter.

New employees will get their company equipment and accesses sent to them, and their team will help them through the onboarding process. New employees also get access to Dragos Academy with recommended videos and courses that range from why we do what we do, our technology, our diversity and inclusion training, and any other welcome videos specific to their team. The idea is to have as seamless an onboarding process as possible where you have access to all the information you may need to become quickly acclimated in your new position.

Conclusion

Hopefully, this blog has been helpful in your decision to apply for a role at Dragos. No matter your decision, I hope these insights and the logic behind our hiring practices give you some ideas and/or considerations you can apply elsewhere.

In a perfect world, we’d encourage other employers to adopt lessons learned that work for us and we’d learn from other employers and adopt what they find that works. Ultimately, our role as an employer is to make the best experience possible for our team members, and as employers worldwide experiment and learn we can all achieve that together. We should be competing on products and services, not on treating employees fairly.

There are plenty of other reasons to come to Dragos and plenty of things that simply wouldn’t fit into a reasonably sized blog, but these are answers to some commonly asked questions about our hiring process. Thank you for your time, and if you decide to apply to Dragos, thank you for the trust.

Learn more about Dragos culture and career opportunities on the Dragos Careers page.

Robert M. Lee is a recognized authority in the industrial cybersecurity community. He is CEO and co-founder of Dragos, a global technology leader in cybersecurity for operational technology (OT)/industrial control systems (ICS) environments.