Don’t bring a server to a cloud fight

QoS or not to QoS

One of my professors at IITK, when I took the Computer Networks course, said something that had a great impact on how I think now. It has stuck with me since the day I heard it. This was his statement (perhaps worded differently): “If you guys ever get a choice to work on QoS or something else, always choose the something else.” His rationale was, “You can make almost all QoS issues disappear by throwing more money or resources into it.” I see that being tragically true. Back when having shiny gray hardware was a thing of pride, you could either spend crazy hours reducing memory footprint and system load, or you could just add a bit more RAM and faster/more processors for similar results, at much lower cost and sooner.

Note: If you are an engineer (or studying to be one), this is not an excuse to be sloppy. No amount of hardware horsepower can fix poor design or bad/broken code. If anything, it should motivate you to be better; you should not be replaceable with a few sticks of RAM.

Don’t bring a server to a cloud fight

Data growth and our hunger for more speed and power is insatiable. We are dealing with unprecedented amounts of data and we have far outgrown the limitations of singular machines.

The cloud offers massive distributed computing and the ability to get massive deployments for hire, with a few clicks. No need to order any hardware and worry about datacenter issues like space, topology, cooling, maintenance, power etc. On-premise datacenters cannot keep up with the growing power of the cloud; it gives you more of almost everything and it’s continuously evolving.

Most industry problems are around horizontal scale; that is, they are less about how fast you can do each “job” and more about how many you can do per unit of time. It’s not always the same thing as plainly splitting the load. That being said, except for the most “well funded” and specialized hardware needs, the cloud option wins hands down in both performance and economy.

The Speed Card

One of the things I am often asked about my company is how I will deal with the lack of hardware acceleration in the cloud for managing encrypted traffic. Not surprisingly, this question usually only comes from the people selling hardware :-) If the only reason for new specialized hardware is speed, you are likely designing your cloud solution all wrong (likely) or are dealing with insanely high single connection speeds (unlikely). The cloud offers a lot of parallel processing horsepower and its single units are also fast enough for practically all industry uses/speeds. Massive players like Zynga may seem like an exception to this, but are actually not; they have not moved away from cloud computing, only from third-party cloud providers (they have their own cloud service called ZCloud).

The only reason to commission new hardware is if there is a serious issue blocking cloud adoption. FIPS cards come to mind, but these are specialized uses that most people do not care about (unless you are legally obligated to have FIPS compliance, you are highly unlikely to need it).

The Legal Card

This is something that is not a technical roadblock to the cloud, rather an impediment waiting on the legal system or compliance to evolve (it will, there is no choice). This is not to say that if you are among the regulated industries you cannot move to the cloud. You still can.

Even if you are a company with regulatory compliance requirements on physical location of data storage, not all of your data falls into that category, in fact most does not. This is true for almost all financial institutions, they have a ton of services and data that is non-sensitive and can be offloaded to the cloud. This was actually a pleasant surprise, a very large financial firm’s CIO himself wanted to do this without me even uttering a single word suggesting this.

Physical location of data is sometimes restricted. You can keep your data physically with you, in your datacenter. You can offload just the service that uses the data, to the cloud (with secure connectivity of course, trivial to implement). Of course this applies only to certain kinds of legal obligations (true for certain government data in EU at least).

Access control is a legal requirement for certain industries; currently the cloud vendors do not provide access control by themselves. This gap has traditionally been filled by security hardware in the datacenters; similar solutions exist for the cloud (we pioneered this in 2011 at CipherGraph Networks and are still the most advanced and easy-to-maintain solution).

Bottom line: don’t bring a server to a cloud fight!

The thing to consider here is that whatever you choose for working with the cloud, your access method, your management workflow or security, it must scale. If you bring hardware to this cloud huddle, you’ll lose soon enough. The cloud is just way too powerful and evolving exponentially for any kind of hardware solution to keep up with.

Why aren’t there more enterprise startups?

I read an article about this in Business Insider (here) and then again saw a similar question asked on Quora. It is a very interesting topic that touches on many general aspects of startups and I think I am in a good position to address this (being a B2B startup myself).

Perception Skew

The argument is that the apparent numbers may seem a lot more skewed than they actually are. That needs to be the first thing out before the other points.

Social focused startups by their very nature are good at generating “buzz”. It’s hard to ignore them in the media/internet. Media also loves them back, there is just a much wider audience that such ventures and efforts will appeal to. These companies also tend to be started by a younger demographic. I do not mean that they are better faces for media, just that they tend to be first time entrepreneurs and hence want to own the world, they want to be everywhere (the segmentation will certainly kick in at some stage when they begin streamlining). All these factors contribute to them being perceived as the “next cool thing”, refueling and inspiring the social/B2C startup trend.

B2B startups, on the other hand, are often related to problems that are conventionally tied to things that are a little more serious. The average person is likely to know Mark Zuckerberg but unlikely to know someone like Martin Casado. It is hence not difficult to see why media buzz on “cool” social startups is significantly more likely to be “trending”. The astute observations made in the article at Business Insider (quoted above) are not very apparent to someone not explicitly looking for this data.

Source Set Skew

Human nature is a very interesting subject to study; humans are very good at emulating and continuously improving. Our machinery and design continue to get inspired by our observable universe. Why should industry trends be any different? To a budding entrepreneur Facebook is significantly easier to understand conceptually than, say, Nicira (quoting the companies of Zuckerberg and Casado above). The set of budding entrepreneurs who can understand social (and hence see gaps in the exponentially evolving field) is much larger than the set of people who are looking at disrupting some business problem.

The amount of technical expertise required to start businesses has also gone down (I said “start” not “scale”), hence it may not necessarily be true that the set of B2B companies is going down as much as that the set of social entrepreneurs is growing rather disproportionately (and being far more permissive).

Age (experience) Skew

Starting a company is much cheaper now than it has ever been. It is now within reach of young, free-thinking bravehearts. The flip side is that they have far fewer years of “vertical” experience (not just professionally, academically as well; a Ph.D. does take quite a few years to pursue). One doesn’t often see gaps in practices one does not experience personally. Consequently, the problems they want to solve are less likely to be B2B and far more likely to be social and mobile (in both of which they have been “baptized”, in school/college).

Vinod Khosla advocates young entrepreneurs, almost exclusively (http://www.businessinsider.com/vinod-khosla-young-entrepreneurs-2012-9). There are several ways to interpret it, but since I am 31 and can do nothing about it, I like to believe he only really means this about the verticals I do not care for :-)

The truth may hence have more to do with “social” being a low threshold trend, than to do with the entrepreneur community missing an opportunity.

Startups: The early employee

It’s been just over a year since CipherGraph was born. Ever since I started working in the industry, I have maintained that hiring is a challenge for any company (read my past post on this here). It is one of the major problems in a startup’s life. Over the past few months I have been trying to hire for my company. I have noticed a strong inclination among young people to join startups, but also a surprising number of people who do not quite get why they want to do it or what to expect.

Lack of exemplary precedents

Almost all trends stem from a singular or small set of events. There is a lack of success stories in India that inspire the startup story among young people. Not many people in India have seen the inception of Google/Facebook, their steady rise from being a closed group conversation to evolving into raging phenomena. Granted, the movie “The Social Network” did a good deal to inspire people, but that was not a documentary about the company. As such, it left the spirit of startup untouched (lost in a brief “photo montage”, as Eric Ries has been known to quote). Getting back to the point, the experience of seeing an end to end success story unfold is missing.

Infosys did a great job of letting people know that employees can be successful (money mostly) in a company, but that story was never followed up with anything similar in nature. It’s easy to mistake it for a fluke (but wrong). I, for one, am very hopeful that companies like InMobi, iXiGO and FlipKart will set the tone of the repeatable-success revolution. These companies are generating the right buzz and inspiring the confidence needed to set the wheels in motion. We need to see the people around us pull off a Google, Facebook or Amazon. What was missing was the hunger to do bigger, better and audacious. I see it happening around me now, building up, waiting for the flash point.

The Mercenary Needs to Die

The IT boom in India has done a lot to transform this country (or at least a few select cities) beyond recognition. What started out as large scale “outsourcing”, empowering engineers across this nation, simultaneously gave birth to a mercenary culture among young people. Living in today was never more fashionable. But there isn’t enough headroom for the “coasting” generation. A lot of people will argue with me against it, but I don’t care; I have seen enough that if I am proven wrong I will not curse myself for being too quick to judge. To fuel the rocket-ship we are all building, the mercenary culture needs to die. Money is certainly important, but the feeling of building something, competing with the heavy-weight veterans to make a true mark is a whole different story.

Thankfully, things are quickly changing! I am happy that there is enough mass of people who understand that it is not a scalable model. Progress beyond the beaten path requires leadership, ambition and a lot of audacity. If the recent startup events I have been to are any indication, we are gearing up very steadily for our next boom (and I think this will be bigger, much bigger).

It’s just a matter of time before the first few precedents set off an explosive chain reaction.

What Women Startups Want?

Gear up! You want a roller-coaster ride, bring your hunger. The last person anyone wants in a startup is the person who does not want to do his best. Mercenaries are always a bad bet, if they come only for money they will also leave for money. I often get criticized for reading too much into the covering letters or specifically asking for descriptive resumes. I know it’s time consuming, but it’s worth it to know who you will work with to build the rocket ship you are working on. More than anything else, a resume’s contents are often a good reflection of self-esteem.

Startup success and early-employee success are a package deal with almost 100% symmetry. One of the things that has fascinated me in the past few weeks is the story of Marissa Mayer. Not just because of her exceptional success, but because it highlighted how incredibly well assembled the early Google team was. It’s good to read how almost all of the early employees were able to fulfil a long term promise and grow in parallel with Google (read at Business Insider).

I have always been a fan of team sports (mostly football/soccer), because I have always thought that it enhances the journey and the experience. Not just of winning but also recovering after a loss. If it was all about superstars, I think Real Madrid would never lose a single game, but they do, often. A team must be able to accomplish a feat bigger than the sum of its parts. To thrive, a startup must assemble the best superstar “team” possible, not just assemble the best “superstars” it can. Teamwork requires putting yourself “after” the team to work collectively for bigger returns. No pain no gain, no risk no reward.

You can’t jump if you refuse to get both feet off the ground.

Cloud/SaaS : Effects of migration on security landscape

Last week I met an experienced professional from a similar domain to mine and we talked at length about SaaS. Most of the time we were talking about how SaaS is the future. Later, I got thinking about what would happen when SaaS gets mainstream and cloud adoption reaches a good ratio.

My last post talked a bit about what the people were not thinking about in all the cloud-buzz (http://wp.me/p1ZlqR-z). But this is something a little different.

It is pretty clear to me that a lot of generic services will be SaaS and will find good adoption; alongside, there will be a lot of people like Amazon AWS who will offer both general and specialized infrastructure services. The gaps will be filled by vendors selling stuff on these clouds for ready customization/use (like EC2 paid AMIs). Only very specialized, highly sensitive information will be kept on-premise. Of course there are many who will keep owning large datacenters (because it may be more economical) or have solutions that quite simply do not work well with any acceptable vendor’s offering (and there will certainly be many such things).

There is no “inside” anymore, need ubiquitous security

It’s not hard to imagine that in such cases, many offices will really no longer have any on-premise critical servers/services to protect. You’ll need a secure way to connect and use your data even from inside the office. I was fascinated by the notion that we are now heading towards an era where there will be no “inside” network; we are all on the outside, all the time. Thinking back, it should have been fairly obvious when we first started having internet on the go. At least to the people who are much smarter and more experienced than me, it probably was; the complication of feasible often beats reasonable!

I digressed. What it probably means is that either all the SaaS (and other *aaS) meant for mass consumption will have to be fully security compliant for critical service adoption, or there will be security brokers and managers who will do it for them. I find the former a dream at best; if you have ever worked on software and had the misfortune of dealing with interoperability issues, you understand. It looks like we’ll have to have security built right into the cloud (like a VPN and other stuff) if we are to ever adopt a very serious ratio. There are efforts under way for this; cloud security is expected to be the next big thing. CipherGraph itself is one such effort to ensure that only the right people will get access to authorized resources. More on this later.

Broker-based security standards such as SAML and other such things do come to mind, but that paradigm is suited only to certain kinds of services, not all. They do not secure the network anyway, just offer identity assertions, and that is only part of security. Also, enterprise standard solutions of this kind are often quite expensive and challenging to maintain (or find compliant services for).

Policy Control

It’s a known fact that all security vendors like to control policy; that is, after all, the brain of the security infrastructure. But how far can policy go while being disconnected from the corporate identity and role? Not too far, I believe. Ultimately it is all about who is allowed to do what, and if you do not keep the actual user’s identity in mind, enterprises are going to find it hard to adopt such systems. The current SaaS vendors rely on simple authentication mechanisms and are often completely corporate-role-agnostic. To be fair, they should not be duplicating security efforts anyway; there are powerful policy enforcers available (and it is a specialized field).

Prevention is the best cure

Security is like a chain, it’s only as strong as your weakest link. The idea hence should always be to layer security infrastructure, not chain-link it. What I mean is that it is one thing to expose your Exchange server to the network and give credentials to authorized users; it’s another thing to ensure that only the authorized users even get to see the login page. It is hard enough to come up with enterprise class solutions; it’s even harder to have built-in enterprise class security (economically).
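The layering described above, as an added sketch (not CipherGraph's or any vendor's code): a gateway decides from identity and corporate role whether a connection may reach the service at all, and the service's own credential check is a second, independent layer. Every user, role, address and password here is constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """Who the gateway believes is connecting (constructed model)."""
    user: str
    role: str                           # corporate role, e.g. from a directory
    suspended: bool = False
    access_ends: Optional[date] = None  # e.g. end of a contract


# Constructed policy: which destinations each corporate role may reach.
POLICY = {
    "employee":   [("10.0.10.0/24", {443})],
    "contractor": [("10.0.20.5/32", {443})],
}
MAIL_SERVER = ("10.0.10.25", 443)       # stands in for the Exchange server
BUILD_SERVER = ("10.0.20.5", 443)


def _hash(password: str, salt: bytes = b"constructed-salt") -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Layer 2 data: the service's own account store (constructed).
SERVICE_ACCOUNTS = {"asha": _hash("correct horse"), "ravi": _hash("battery staple")}


def gateway_check(identity: Optional[Identity], dst: Tuple[str, int],
                  today: date) -> Tuple[bool, str]:
    """Layer 1: may this identity reach dst at all? Default is deny."""
    if identity is None:
        return False, "unauthenticated"
    if identity.suspended:
        return False, "suspended"
    if identity.access_ends is not None and today > identity.access_ends:
        return False, "access expired"
    host, port = dst
    for network, ports in POLICY.get(identity.role, []):
        if ip_address(host) in ip_network(network) and port in ports:
            return True, "role permitted"
    return False, "role not permitted"


def service_login(user: str, password: str) -> bool:
    """Layer 2: the service's login page, reached only after layer 1."""
    stored = SERVICE_ACCOUNTS.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(password))


def handle(identity: Optional[Identity], dst: Tuple[str, int],
           password: str, today: date) -> str:
    allowed, reason = gateway_check(identity, dst, today)
    if not allowed:
        # The login page is never shown, so credentials are never tested.
        return f"dropped at gateway: {reason}"
    if not service_login(identity.user, password):
        return "reached login page: bad credentials"
    return "logged in"


TODAY = date(2012, 6, 1)  # constructed date
asha = Identity("asha", "employee")
ravi = Identity("ravi", "contractor", access_ends=date(2012, 6, 30))

if __name__ == "__main__":
    for who, dst, pw in [(asha, MAIL_SERVER, "correct horse"),
                         (None, MAIL_SERVER, "correct horse"),
                         (ravi, MAIL_SERVER, "battery staple"),
                         (ravi, BUILD_SERVER, "battery staple")]:
        print(who.user if who else "anonymous", dst, "->", handle(who, dst, pw, TODAY))
```

The contractor case shows the point of the layering: a valid service password is not enough when the role has no path to the mail server, so the request is dropped before any login attempt is possible.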

Just a few days back Checkpoint released some EC2 firewall security system. I should have been scared but I was excited since there was unassailable validation that my own effort (CipherGraph Networks) was in the right direction, but I was even more happy when I realized that CipherGraph is the first and probably the only one that caters to on-premise as well as cloud infrastructure.

One of the things I realized is that most of the formulas and fundamentals are already in place; we just have to map them to a very different scenario (cloud, in this instance) and forge a fitting solution. It will take a different sensibility since the topology is completely changed and we are dealing with a different set of parameters, but it can be done :-) we’re on the job!

Cloud Tech / *aaS: We are not talking enough about flexibility and security

Cloud is available everywhere

I find it strange that some people don’t immediately see the other implication of “access from anywhere”. That being, it really is accessible from anywhere, so it leaves your data/services open to a wider array of security threats (and as expected, from anywhere). Hence, you need specialized security around your “accessible” services. I believe we are just one step away from a security revolution since the rules are being changed by the cloud revolution. CipherGraph Cloud VPN can secure your cloud infrastructure from unauthorized and malicious access, while still allowing authorized people to use it from anywhere.

Do I need to understand security even for using SaaS?

Yes! The only person who understands your data’s worth is you. For everyone else, it’s just a payload of bits.

You must choose your data’s location/accessibility wisely. You have to determine how and where your data gets accessed. This is the same reason why you have been investing in security all these years, the cloud does not implicitly address security, in fact its ubiquity makes it even more important.

There are certain things you cannot trust someone else to understand and decide, your security is one of them. Nobody will accept liability for the real loss your business incurs because of any operational failure.

If you are putting your data somewhere, you need to understand who else has access to it and how it is protected from unauthorized people. Cloud is not a bottomless pit of capacity and power, it too reacts badly to usage spikes and other adverse scenarios. Vendors are not really liable for any damage of any kind, you are solely responsible for making sure your business does not suffer.

Your Cloud/*aaS choice may be binding, choose wisely the first time!

Extended *aaS use often locks you down to one vendor, make an informed choice the first time. *aaS is meant to be mass produced and mass-consumed, the implication is that there will be little flexibility. It is up to you to ensure you understand your vendor’s policy. Security and backup policy are also a must when considering a vendor.

Migration can be very difficult and expensive (if not impossible), so be extra sure of your choice and its implications. Self hosted or cloud hosted virtualization may be a less painful and more flexible choice. It is not a coincidence that legacy systems are the hardest to maintain; they usually get that way because they locked your data and could not be migrated. After all, you know it’s not easy to migrate terabytes of data or replicate any working setup of one vendor with another.

SaaS magic

SaaS gets incredible press these days; it has a lot of romance associated with it. “Cloud” seems to be the magic elixir that will solve all the problems of any business. It’s not every day that security gets a mention in the SaaS context. Let’s face it, people are just beginning to talk about it seriously. Security issues/considerations do not go away magically when software is hosted on the cloud. Often, it brings with it a new set of issues that were non-existent in the traditional model of hosting servers.

I have often come across companies who have told me that they don’t need security because they do everything in cloud. I do understand that security is not something most people think about every day. Most don’t really realize how security applies to their business model. Unfortunately I believe they are in a bubble; data breaches/attacks on cloud setups are making the news all the time.

*aaS model

The *aaS model relies on a “One size fits all” policy, where vendors can reuse the same infrastructure and same kind of service for all users. This mass consumption allows them to reduce the costs and ultimately make the service available at a cheaper rate. What they do not do is comply with your specific security policy; they have their own, which may not be aligned to yours. Before you use any IaaS/SaaS/Cloud service for your business, consider all options with security in context. Even if they do not have implicit security themselves, they should be flexible enough for you to be able to use their own or a third party’s solution (I personally prefer Amazon’s AWS because of its higher flexibility).

Did you pay for security?

You will get only what you paid for. So if your SaaS vendor is charging you peanuts, they are optimizing (cutting corners) somewhere. You’ll see that when something bad happens; till then you are in a bubble. Security and secure access is a specialized field and needs specialized attention; your vendor owns the infrastructure, which is tuned to give maximum performance, not necessarily to be fully secure.

Tele-commuters and VPN Remote Access

Given today’s fast and global life, being tied down to a location for a certain task is often too much to ask for. You have smartphones that don’t require you to go home or to the office to check your email. Your Phone/MP3 player is in your pocket, always at your disposal for music/video. You are carrying Kindles for reading books (and not just a few, all of them).

Your office at your fingertips

People now understand that it is counter-productive to always be needed in the office for every little work related thing. Technology is allowing you to govern your time the way you want. Never before has the problem of physical presence in office been more constraining than now, when you often deal with people in different time zones. People often take conference calls from home at night, taking down notes of little things to do next day. Now you can take your office (not just the phone) to your home and be fully functional. Your documents, your office network should be there when you need them.

Gone are the days when it was acceptable to hear, “I am not in office at this time, I’ll send you that important document tomorrow”. Companies need to be nimble all the time. Telecommuting via VPNs is here to stay. It is not just the ability to work from outside the office; it puts your entire office at your fingertips. Companies are fast recognizing the importance and benefits of enhanced productivity of remote workers (full time or part time). Some analysts even say that remote workers can often be up to 40% more productive; it is a surprisingly large number, something your company should not ignore.

Ubiquitous Productivity

I have read many articles (like IT Business’s Telecommuting benefits both employees and employers) that give a glimpse into how telecommuting is increasing productivity. It is seen as a perk for some offices, but in others it is indispensable, especially those that have a lot of workers on the road or working from other locations.

VPNs allow fully functional remote connectivity to your office. Some good solutions (like CipherGraph :-) allow access on mobile phones and tablets too. This is incredible flexibility and power that you just handed to your employee. Little things like generating a report or creating an invoice can be done from anywhere, even the client’s office. Speed is critical to all business, loss of time is loss of money. If your office does not provide a solution for remote connectivity, you are lacking the pace that your competition can (and will) take advantage of. Everyone knows the price of moving slower than the competition, “going out of business”.

Morale, Flexibility and Employee Retention

The importance of morale is another critical thing that any seasoned professional will be able to tell you about. Little perks that benefit both the company and the employees equally go a long way. Telecommuting (even a few days) makes your workplace seem that much more flexible and trusting of its employees. Good workers recognize and appreciate that. When I was working at my previous company, I used to work one or two days from home in a week. That saved me a total of four hours of commute time weekly (in horrible traffic) and on those days I had a jump-start because I was fresh when I started work. I was more productive in general and not just on the days I was not in office. Not to mention that I got more hours of my life into useful work than looking at tail lights in a traffic-jam. There is no simpler way to add more hours in a work day.

Incredible flexibility and Savings on External Contractors/Consultants/Others

Remote workers are not the only things that VPNs can enable. In my company I often hire external consultants to do some part-time work. Sometimes they are not from the same city, but this never prevented me from hiring them. I would just give them access on my VPN (access limited to the parts of my network that they would need to access); when the contract is over, I can just suspend their login. This means that I can hire based on talent alone; their location is immaterial. I also saved a bunch of money since I no longer have to pay temporary relocation for them.

There are other cases where you might want to use a VPN, every once in a while there are people you have to work with but you cannot accommodate them in your office (or don’t want to) because of some reason (possibly office capacity). This may be some audit team or customers or some other people who may need access to limited portions of your company resources. VPNs are pretty much designed for this scenario. Some companies have to hire financial auditors who need access to company’s payroll portal and leave management portal, they often work in teams and are working on sensitive financial data that is meant for executive/board staff only. You do not want your meeting rooms blocked for days (non-stop) and certainly do not want them discussing company financials among your employees.

Efficient Office Space Use and Savings

I myself operate from a much smaller space than I would need if all my employees had to come to office every day. Earlier, all my employees were working from home and I operated out of a virtual office (paying just $80 as office rent per month). In both cases I saved thousands of dollars by using a VPN. It is not just the seating space; I am talking about all the resources I save (including energy, cooling etc.). A good article that explains this is Plantronics smartens up its headquarters for remote workers.

VPNs are loved by everyone

The best part of being in my business: We are not an additional liability / process, we are 360 degree facilitators. We make work easy, enhance productivity of companies and no one feels burdened, not the employees or the IT or the corporate executives. In fact, they all appreciate the freedom, peace of mind and savings (and not just in the same respective order :-)

Related Articles:

Telecommuting benefits both employees and employers: http://blogs.itbusiness.ca/2011/01/telecommuting-benefits-both-employees-and-employers/

Telecommuter-Friendly Office Leads to Happier Workforce: http://www.mobiledia.com/news/120383.html

Remote Workers: http://blog.delawareinc.com/2011/11/hiring-remote-workers/

Plantronics smartens up its headquarters for remote workers: http://www.smartplanet.com/blog/design-architecture/plantronics-smartens-up-its-headquarters-for-remote-workers/2755

The Indian Tech Interview!

Disclaimer: Much of this is only going to be applicable to tech interviews in India

I have had the (un)fortunate privilege of interviewing for my previous company over several years. During this period I personally interviewed more than 700 people (mostly for developer/lead roles but at various levels). I have also given interviews at many places, both big and small.

I started out my company just some time back and I have been taking advice from a lot of fellow entrepreneurs. To pay back the community, I wanted to write about something many others may benefit from. Preferably something they cannot self-learn without real-world experience. This is probably a good bet.

Many bloggers have talked about interviews, unfortunately they are either focused on the generalities of the west, or are rather idealistic. Here are my learnings, hopefully someone somewhere will benefit from it.

This entire article is about getting to the right people earlier, with least investment.

How is the Indian Situation Different?

India suffers from a problem of excess, you have a load of candidates that just apply for the sake of it. About 50% of these are carbon copies, hence filtering is not an easy job.

This excess of candidates causes companies to do “formula” hiring. The formula is a numb assembly-line process replacing the rigor needed to hire a teammate. This formula encourages candidates to feign a “personality” that will get them most number of callbacks and interviews.

If you think the right candidates will not do this, stop kidding yourself! Smart candidates know they have to get past the exact same process of “keyword based selection” before they meet the real panel. The only way around for them, is to brave it and let it pass.

Soliciting/inviting candidates

A bad data set will never yield an optimum selection, you must diversify your inviting/soliciting methods. In short, never rely on only one channel.

The varying attenuation levels of each channel ensure that you avoid homogeneity of candidates. This is important since your ideal candidate is not necessarily a perfect match of your written requirements. Ideally you need a Gaussian Bell Curve kind of distribution around your “target profile”.

Popular options are head-hunters, self search via social networks (like LinkedIn) and internal referrals. There is also an often overlooked (but surprisingly powerful) option: re-invite a small selection of people from older interviews (perhaps for other teams) who were worthy but did not make the cut for minor reasons. This also means that if you come across a sharp individual in your hiring cycle, but cannot hire him/her for some minor reason, you must keep this name in your database.

The least effective option (in my opinion) is newspaper ads. They are just a migraine waiting to happen; you will get hundreds of poor responses each hour. The ROI of this is low enough to warrant complete omission. Of course, if you are looking to fill a lot of seats with average to above-average engineers, go for it.

Short Listing

If you have a pile of 500 resumes on your desk, this is not an easy thing to do. Here too, you should try to maintain some diversity. The idea here is to get this done as fast as possible and ensure that you begin with the real interviews quickly.

There is no statistical advantage to spending 15 minutes on one resume as opposed to just 1 minute. Select based on weak criteria, be flexible. At this stage give the benefit of the doubt to the candidate. This is to ensure that the bloaters don’t overshadow the genuine resumes just because they have a fancier skill-set.

Phone Interview

If feasible, please spend 5 minutes on the phone with each selected candidate. You will instantly be able to drop the “definitely-not” people. The things to note here are communication skills, the reason to switch company (yes, it’s important, even if you know you’ll get a textbook answer) and the capability to explain themselves. Other defining criteria are a gross mismatch of CTC expectation, relocation constraints and time to join (in India, some insane companies have a 2-month mandatory notice period).

Written Test

Keep one if you are charming enough to convince your candidates without offending them :-) The ROI of this exercise is shockingly high. I try to keep the questions with the following split: 30% very easy, 40% not too easy, 10% tough, 20% simple logic (like simple puzzles or simple math). Also, all questions were multiple choice. The advantage of having multiple choice questions is that anyone can evaluate the answers and hence this can be done even without involving the tech team.

Interview

Don’t be casual about it.

Usually companies will request someone with less interviewing experience as the first filter; nothing wrong with that. BUT, avoid sending out your “preliminary interviewer” to invite the candidate inside. The first person sets the tone for the interviewee’s expectations from the company. It is as much an interview of your company as it is of the candidate. In India, the right candidate will get offers from many places; your professionalism may be the deciding factor when it comes to choosing between you and Google (for instance).

Interviews must be staged. In favor of your time constraints, please be prepared to cut short an interview process politely if it is leading nowhere. Just like you, the candidate also does not want to waste their time. Also, you might be setting incorrect expectations if you extend a dead-end interview.

Types of questions

Never ask questions from a textbook, or some website. If you are the kind who likes people who can do just that, you are probably not reading this blog anyway.

Never ask questions about subtle programming syntax or API (surprisingly a lot of people make that mistake). Ask questions that are about logic and something they could not have learned from a book/blog. Try to keep it to algorithms and reasoning. Multithreading related extensions to known problems often work well. I often ask about thread safety when it comes to deletions in various data structures.

Ask them to write pseudocode for some well-known but subtle problem (perhaps BFS).

Pick up one or two of the tough questions from the written test (that they got right) and expect a full explanation of how the answer was derived; don’t go easy here.

In the advanced stages, I sometimes ask about unrelated tech that they can talk neutrally about; it should be something they may know about. One of the things I was talking about recently was the amount of RAM on the new iPhone 4S. There is no right or wrong answer for why Apple thinks 512MB is enough while most of the competition seems to have 1GB.

Smart people can learn your tech

Face it, you are not looking to hire people because you don’t know how to spawn “pthreads”. You are hiring people who solve problems skillfully. Pthreads are a “man page” away, IQ is a lot harder to acquire.

That’s the bird’s eye view. If you want to know more about my reasoning, please contact me.

UPDATE: Slightly off the Indian context but a good read: http://gigaom.com/2011/12/20/how-to-hire-rock-stars/
