Chapter 7: Landing the Job
So, we’ve come this far in your infosec journey. You’ve studied hard, attended conferences, played a CTF or two, updated your resume, and networked a bit within the information security community. Great work!
Let’s prepare for your very first information security interview.
=== What to Say ===
There have been nigh infinite pieces written on the subject of interviewing, but I’d like to briefly share some basic interview skills that have really served me and my candidates well:
- Make sure spend at least 30 minutes researching the organization you will be interviewing at. What are their strategic goals or products? Where do they have offices? What’s their corporate culture like? Consider what interests you about their mission, and how you feel you could benefit them as a security professional.
- Always bring several printed copies of your resume and references to your interview, formatted the way you intended. HR systems will often remove formatting and line breaks before routing your resume to a hiring manager, and your copy may be more pleasant to read. You will also want a copy to reference, yourself.
- Bring note taking materials to your interview, and make sure you’ve written down a few relevant questions to ask your interviewers about the position and the organization.
- Arrive 15 minutes early for your interview, and be polite to everybody you meet. You never know if the person you make eye contact with and say “good morning” to in the hall will be interviewing you, later.
- Make eye contact, and pay attention during the interview. Most of us are introverts, and this can be a challenge. Make the effort to be personable and show that you are listening to your interviewers.
- Put your phone away and on silent. I shouldn’t have to say this.
- Answer questions honestly. Most of my colleagues and I would very much prefer, “I’m not sure”, to an evasive answer or an outright lie, particularly on technical questions. Often, knowing where you would look something up is an okay answer to a technical question. When we ask you questions about where you could improve, there should be a real response that verifies you are a human. Everybody has some area they can improve in, and we will never believe you’re utterly perfect.
- The initial interview is not normally the appropriate place to ask about compensation. Yes, infosec is an understaffed and in demand field. You have better chances than most at landing the job. No, your Masters in Information Security does not guarantee you the position immediately in lieu of a technical interview.
- Do talk about your (legal) infosec-related hobbies and activities! We want to hear about the security lab you built in your house, the book you read, the CTF that you participated in, or the security related talks and projects you’re participating in. They show you are an interested and involved candidate, and a good fit for our teams.
=== What to Know ===
The previous chapters in this blog series suggested ways to build your foundational skills in the key areas of networking, systems administration, and security, so I won’t dwell too much on the necessity of knowing the fundamentals of these things such as common ports and protocols, malware types, and operating system functionality in an entry level infosec interview. Suffice to say, this is where the free educational resources, formal training, and your home lab really come into play.
You should ensure, before going to an interview, that you are up to date on the basics of current threats and security news. What you learned at your university is almost certainly not current enough for most interviews. There are a lot of great resources that provide information on ongoing threat activity. For instance, I really like the exploit kit status dashboard at (ProofPoint) EmergingThreats. SANS ISC posts botnet and scanner activity from publicly submitted data, and Sophos posts a nice free malware dashboard that shows their overview of currently detected malware. Threat trackers, coupled with the blogs, news services, and educational resources we’ve previously discussed, should enable you to go to your interview ready to answer general questions about the top threats that are currently plaguing organizations.
=== What Not to Say ===
In May, I surveyed a broad swath of security professionals to share the statements they hear from interview candidates that are the most indicative that the person is inexperienced in professional information security work. I’d like to share a few of the most popular, and why they carry that connotation. Keep in mind, the selected statements by candidates aren’t necessarily technically wrong; they more often tend to oversimplify or ignore administrative and business-related problems in security. It would be wise to choose your words diplomatically before saying any of the following things:
“Antivirus is obsolete, and a waste of money! Get rid of it.”
We can’t all be Netflix, dramatic headlines or not. It’s true that antimalware programs have a lot of problems to contend with in the 2010s. Between a cat and mouse game with well-funded malware authors, and polymorphism and regular botnet updates, simply maintaining a library of static signatures is indeed not effective anymore. Most decent antivirus vendors recognize this, and have implemented new tactics like heuristic engines and HIPS functionality to catch new variants and unknown threats. Antivirus is one component of a solid ‘defense in depth’ solution. It has a reasonable potential to mitigate a percentage of things that slip past network IPS, firewalls, web filters, attachment sandboxes, and other enterprise security solutions.
“Why are you wasting money on $x commercial product? I can do the same thing with this open source project on GitHub”
We love the philosophy and price tag on open source projects, and it’s great that commercial vendors have open source competition that drives them to improve and enhance their products. This doesn’t mean that free tools are always a viable replacement for commercial tools in an enterprise environment. There are intangible things which usually come with the purchase of a good quality commercial security product: support, regular updates, scalability, certifications, and product warranties. Those intangible things can have a tangible cost for an enterprise implementing an open source product in their stead. For instance, the organization may have to hire a full time developer to maintain and tweak the tool to their needs and scale. They may also be solely legally liable if a vulnerability in free open source software is exploited in a breach – a risk many organizations’ legal teams will simply not accept.
“They deserved to get breached because they didn’t remove Java / Flash / USB functionality / Obsolete Software…”
Most organizations exist to provide a product or service, and that’s usually not “security”. As security professionals, we’re just one small part of our organizations and their mission, and we never function in a vacuum. Oversimplified assertions like this are a dead giveaway that a candidate is not used to compromising and negotiating inside a business environment. Yes, in an ideal security world, we would use hardened operating systems with limited administrative rights and no insecure applications. Few of us actually operate in that ideal world, and many of us work at an operational scale alone that renders this unfeasible. We do what we can; navigating the political risk management game where we must to provide the most secure environment we are capable of.
“Just block China/Russia/x… IPs.”
Once again, this indicates a candidate is thinking only as a security person (and a biased security person) and not as a member of a business. Unfortunately, it also shows a lack of technical knowledge, as many attackers use large, global networks of compromised hosts to launch attacks.
“Security Awareness is a waste of money. Users will always be stupid.”
This is an appalling lack of confidence in your own ‘team’. Yes, some end users will probably always click / ignore / fail to report. (Most security people will also click when properly socially engineered.) The point of security awareness is not to create a perfect environment where nobody ever clicks on a phishing message or ignores an alert window – if your management has made that their measure of success, they’re doing security wrong. The point of security awareness is to improve awareness of threats, encourage some employees to report potential threats so you can respond, and decrease day to day problems so you can focus on the more severe ones.
“[Fortune 100] should have already have gotten rid of $OS and gone to $OTHEROS, because it’s more secure / real security people use $OTHEROS.”
This is dogmatic elitism without real business or technical foundation. Any up-to-date operating system can have a valid use case in business and in security work. A good red team or blue team security professional should be able to secure, compromise, and use tools on OSX, Linux, and Windows effectively (and indeed, there are valuable tools unique to each). It’s okay to have an operating system preference and to intelligently discuss the merits of $OperatingSystem for your specific use case. Don’t assume everybody else’s use case is the same.
“Hack them back / have the attackers arrested…”
We all crave the movie ending where the black hat hackers get their comeuppance and are thrown in jail. Unfortunately, unless we work for a LEO, the military, or a huge global telco, we’re rarely likely to get it. “Hacking back” of any sort is usually wildly illegal (especially because attacks are almost always launched from compromised hosts that belong to law-abiding people). Arrests happen when time-consuming coordinated efforts between security firms, global law enforcement, and lawyers are successful. Even the terrifying financial spearphish to your CFO is likely to not be chased down by law enforcement for some time. When permitted, absolutely do share your threat intelligence with law enforcement and working groups to aid in these important efforts. Expect any response received will take significant time.
“Don’t you monitor every brute force attempt against your perimeter? I count the dictionary attacks against my honeypot every night!”
No, monitoring this would be a waste of time in most large organizations. Behavioral trends and specific sequences of events that could indicate a compromise are more valuable to monitor. Time is money.
Any statement beginning with, “Why don’t you just…?” or “It’s simple…”
It pretty much never is that simple, so don’t personally insult your interviewer by assuming it is
This concludes the InfoSec Career Megamix! I hope you’ve enjoyed this blog series and that it has been helpful to you in furthering your own security career. Many thanks to everybody who has commented on my blogs or provided input and suggestions. Please do check out the links to other peoples’ wonderful work on the subject which I have included throughout the blogs.
[You can find the previous chapters in this blog series here:
> Education & Certifications
> Fields and Niches
4 thoughts on “Starting an InfoSec Career – The Megamix – Chapter 7”
[…] 7 Landing the Job] […]
Development: Career development is always the accountability of the individual to manage and people should not expect organizations to do that. Individual investments in training, certifications, staying up with trends, etc is something every professional must do and organizations are going to want to see that in their top candidates, as that means this person cares about their career and always being on the top of their game. Regardless of the training $$$ comes from the organization or not, this always is an investment in oneself that needs to be a top priority. Now this may not apply directly to newly minted InfoSec professionals, but in general development can also be in the form of changing jobs and diversifying experience in different settings (i.e. shift in industry, shift in specialization, enterprise vs niche/product/IOT, etc). Staying in a particular industry and simply changing organizations is also of benefit because it shows the market that you can solve problems in different organizations with a new set of people rather than the same people over a long period of time. By all means I am not advocating for anyone to become a “job hopper” nor do organizations want to see this, but having multiple years with multiple organizations over a career will increase future possibilities than someone that only has worked in one organization, dealt with one culture, etc. The type of advice I provide to professionals is to always stay humble, explore opportunities to see what could possibly be gained to enhance the overall marketability and attractiveness of your skill set for that dream job down the road, and to keep a strong set of connections
Degrees: I agree that large organizations have standards and minimum requirements that tend to be firm, regardless of how hot a skill might be. This is not due to the inflexibility and willingness to adjust, but more towards being fair to internal staff that perhaps were not provided the same opportunities because of their education level. Large organizations are more at risk to be audited to ensure applicable policies and procedures are followed consistently. If an exception is made to one person, then there is risk to the organization for all the other individuals (internal or external) that chose not to apply or were not selected because of the education requirement. You will see many organizations combat this with indicating degree or additional experience, but I spent many years on the corporate side, they always will prefer someone with a degree over someone without. Yes, InfoSec is hot right now and experience usually outweighs a piece of paper, but perhaps that ideal opportunity an InfoSec person aims for will not be a possibility simply because the degree is missing.
Resumes: I like what you put together about resumes. Like said, I am surprised to see how ugly some resumes can get. Working as a corporate recruiter at Motorola and other organizations, I like to say that they can’t qualify people for the jobs they are working on, but they certainly can get in the way or disqualify people. Corporate recruiters can be dangerous as they tend to deal with a volume of resumes, a being pulled in multiple directions internally, generally tend not to know enough detail about the jobs and what to look for. They WILL overlook qualified candidates simply because of this. A typical corporate recruiter gives a resume 5 secs to determine if it is warranting additional time. They tend to only focus on the upper 2/3 of the first page, so that is the real estate where they need to sell themselves. They will quickly look for spelling errors, goofy fonts, a lack of focus, general fit (ie a marketing person applying for an IT job), location, overall level of being able to communicate and articulate themselves, and many other things simply to get the stack of resumes down to something manageable. Resumes should be customized for the role they are applying for and should, whenever possible, use similar lingo the organization is.
Recruiters: Finally, I have to admit what you say about recruiters tends to be true when you said they get “false advice” to get them. It is unfortunate but true. Many recruiters are either under-educated or just don’t share the same morals that the candidate would like them to have. My point of view, be honest with the candidate and as the candidate to be honest back. I can’t ask you or anyone to believe what kind of recruiter I am (or any others), but developing a report/relationship or getting recommendations should help someone identify the good ones. (yes, there are good executive recruiters out there). A candidate should develop strong relationships with a few good recruiters that can offer advice, counsel, and insight to what the market is doing and saying. Combined with networking, this should keep the candidate informed of most of the great opportunities out there as I am sure you have heard, the best opportunities are the ones not advertised.
My take on candidates & recruiters:
At Brainlink, we ask each candidate to take a COGNITIVE test (math, english, logic, memory, spatial reasoning) and we ask them to write SAMPLE SOPs based on our template.
A) Many candidates don’t spend even 5 minutes researching us (I wish applicants spent 30 minutes researching!)
B) The salary/compensation ask from new hires is crazy – too many read industry surveys, magazine articles and assume they’ll get above average compensation.
C) I am shocked how little people are investing in personal development, practical skills development. Met too many 30 year olds who act like 70-year olds.
I’ve had the privilege of working with a fantastic recruiter when I started my career (Thanks Alex!). He talked sense into me, kicked my ass when needed and didn’t send me to unqualified jobs.
Contrast that with the firms we’re seeing today.
Most recruiters I’ve met are plucking resumes from Indeed, wrapping them, and pushing them out as vetted candidates.
How do I know? We’ve interviewed candidates who were unqualified, and the recruiter had slapped a 300% markup on their rates.
What do I think needs to be done:
1) The certification mills need to be stopped. A 6-week A+ bootcamp isn’t sufficient
2) The industry needs to stop debasing training. Cisco ruined it by offering CCNA-lite in High schools, and Microsoft devalued it’s offerings the same way.
3) We need to restore the apprenticeship model. I learned by spending nights and weekends with my mentor (thanks Crawls!). He’s been mentoring me for 26 years and I’m still learning.
We’ve instilled that in our staff with in-house mentoring and training.
4) At some point, IT & Infosec needs to become a real profession with mandatory training, licensure, insurance requirements.
5) We ALL (employers, applicants, employees, recruiters) need to re-read Lesley’s articles several times and actually APPLY the principles.
LikeLiked by 1 person
Thank you Raj and Jason.