IT security pros with the right skills are in big demand. Last year, the unemployment rate for information security managers averaged 0.9%, as we reported in High CISO employment rates means shortage for security industry. That’s as close to actual full employment as one can get.
But this doesn’t mean getting hired is a given. In interview after interview, CISOs and others in the industry express frustration over how difficult it is to find security pros with the right skills. And by right skills we’re not just talking technical acumen, but also the ability to work with the business and generate creative ways to help drive the business forward in a secure way.
To get some answers on the best ways to prep for an interview and show that you’re the right fit, we set out to ask quite a few security hiring managers, CISOs, IT security recruiters, and others who often find themselves in the interviewing process what they believe it takes to ace the interview.
Here’s what they had to say:
Put a Shine on Your Soft Skills
When it comes to interviewing well: personality matters. “You can be the greatest pen tester on earth. You could write flawless code in your sleep. You could be god’s gift to mankind when it comes to fuzzing. In most cases, that’s a plus but if you can’t articulate yourself or work with other people, you are not going to make it,” says Ian Amit, director of services at IOActive, Inc. Amit recalls candidates who looked quite good on paper, but in person just didn’t have what he felt it took to build solid relationships. “They were too uptight, wound-up, or blah personality,” he says.
Don’t just answer questions intelligently, ask intelligent questions
Eve Adams, senior talent acquisition expert at Halock Security Labs, who also helps to staff positions for Halock clients, says it’s just as important to ask intelligent questions of the person who first contacted you about the job, be that a recruiter or hiring manager. “What are the major security challenges the organization is facing? What’s the next problem you’re trying to solve in the security sphere: compliance, secure coding, or infrastructural issues? Does the organization plan to expand or streamline its security team?” she says. Questions like these not only display keen interest in the role for which you’re interviewing, but will help you to suss out whether this position truly makes sense for you, she adds.
Prepare to interview for attitude as well as aptitude
Most of the experts we spoke with agreed that no one is expected, as a new hire, to know everything about everything: both nuances about the business and specialized technical skills can be learned over time. And this advice holds for both senior and entry level positions.
“The candidate should avoid cramming for knowledge, and focus on interviewing to demonstrate attitude, not as much infosec aptitude. Infosec is baked into nearly every business and tech process, so the candidate should be prepared to identify the infosec activities within their existing strengths, and explain how they can be improved or exploited,” says K. C. Yerrid, senior security consultant at FishNet Security, regarding entry level positions.
Know the business
Almost universally, our experts stressed how important it is to research the organization where you’re interviewing. Martin Fisher, director of information security at WellStar Health System, says it’s important to at least know something about the business and/or the industry of the interviewing company. “Research what’s going on in that industry when it comes to regulatory compliance and information security,” Fisher says. Fisher stressed the importance of studying the language the enterprise uses, and knowing the basics of the enterprise itself — its size, number of locations, nature of the business — anything that shows interest in the organization.
Adams agrees: “When interviewing for positions with Halock or our workforce clients, the bare minimum a candidate should do to prepare for an in-person interview is research the company, its history, and culture,” she says.
Learn something about the interviewer
Knowing something about the company also needs to include knowing something, whenever possible, about the person conducting the interview. “This includes their work history, technical background, and any published research,” says Amit.
Such research can also prove a way to kick off a valuable, rapport-building conversation. “You might just learn something about her background which could prove a talking point: perhaps you both love open-source software, or went to the same school, or are passionate about wearable technologies. This will also help you feel more confident going in, so you’re not interviewing with a stranger so much as a colleague you haven’t met,” says Adams.
Dress the part
Not surprisingly, with the vast differences in business culture today, selecting the appropriate dress for an interview isn’t as straightforward as it once was. “I love the culture of information security, in which your CISO may well have a Mohawk,” says Adams. “My own image is far from suit-and-tie. But even if you’re a kilt-and-Vibram kind of person, be aware that a job interview is still a semi-formal event. I’ve had candidates do Skype interviews sitting in hotel bathrooms, roll into on-site interviews wearing jean shorts and t-shirts, and use language I won’t repeat during technical screenings,” she says.
Others relayed similar, and surprising experiences with candidates. “[A] recent college graduate came in dressed like they were about to go to a rave. They hadn’t bathed in a few days. [The candidate] was selected for non-continuation of the hiring process,” says WellStar’s Fisher.
“If this is a face-to-face interview, and you don’t know already, don’t be afraid to ask your interviewer or HR ahead of time what the dress code is like,” advises Shawn Moyer, partner and chief researcher at Atredis Partners. “Go ahead and dress a notch or two above the norm, but don’t go too far. As a consultant, every time I wear a suit and tie to a t-shirt-and-jeans startup, I get asked if I’m a lawyer or an undertaker,” he says.
Study the job description and align yourself to match
The goal is to align yourself to the job description as much as possible, but don’t stretch the truth. “If a job description is available, and it has fairly good detail, prepare to answer how you fit the description and be prepared to answer any areas where you fall short of the requirements,” says Moyer. But there is no need to think that you have to be able to check every line item. “In a lot of cases, job descriptions are a wish list for an ideal candidate that may not even exist, so don’t be intimidated if you fall a bit short. If you’ve made it as far as the interview, you’re at least in the running,” Moyer says. Not only will such prep help you match yourself to their needs, but it will also help you avoid selling the wrong aspects of yourself to the interviewer for the position that is up for grabs. “There’s nothing ‘better’ than giving a lengthy rant on the great things you can do that have nothing to do with the job position or the company’s needs,” says Amit. In other words, you only have a limited amount of time to sell yourself, so make each sentence count.
Leave the ego at the door
Security pros tend to be a bright bunch. Very bright, in fact. But if a candidate is going to offer advice on how they could improve the operations at the company they’re interviewing with – a bold move unless asked directly – they need to be careful. “One guy came in and spent the entire interview telling me how wrong we were doing everything and that he would fix us right up. This was for an entry-level position. He did not get hired,” says Fisher.
Prepare to answer questions on your current employment situation, and other potentially negative questions
Be prepared to answer questions that aim to expose your weak points as your skills align to the requirements. It’s important to stress that you are eager to, and want to, fill the gaps you currently have. “Nobody is perfect, and often you’ll need to answer the ‘what are your weak points’ questions. I won’t ask because I think it’s stupid, but some HR people are keen on this. In security you always have something new to learn. Even if it seems completely tangential to your ‘area of expertise’: Arduino hacking, playing with crypto, or making a Furby do somersaults,” Amit says.
He says most would be surprised at how valuable sharing such information can be to the interviewer. “I always find something security-relevant that can be achieved with those skills,” Amit says. He adds that it also helps to assure the interviewer that “the candidate isn’t a one-trick pony that is entrenched with Nessus or Metasploit and can’t really be used in a real-life pentest.”
Also prepare to answer tough questions regarding your status at your current or previous position, but be careful here. “Obviously, you’re dissatisfied with your current job, and maybe you were even demoted or let go under less-than-charitable circumstances, otherwise you wouldn’t be interviewing somewhere else. An interviewer will pick up on that dissatisfaction, and may even ask you to speak openly about why you’re leaving,” says Moyer. “Resist the urge to air all your dirty laundry and try to keep things neutral. Keeping it classy when talking about your last job shows you’re willing to do the same thing in your new job as well,” he advises.
When it comes to hard technical skills, show passion, and don’t fake it
“I look for an understanding of the OSI model and TCP/IP. I [also] would look for how they are advancing their knowledge. What blogs and resources are they familiar with? Finally, I would look for where their passion is within technology [and they should] be ready to answer technical questions, show technical proficiency, and creativity in solving technical challenges as they relate to the job description,” says FishNet’s Yerrid.
Whatever you do, don’t fake it. It’s one of the worst moves a candidate can make, says Amit. “I immediately had candidates disqualified for faking it. I’m dangerous enough in multiple fields of practice to know when the BS is being shoveled, and I’ve had candidates who, after taking a hacking course or watching some online video, thought they were uber-hackers. If you don’t know something, don’t try to make up for it with BS,” he says.
Finally, it’s not always what happens during the interview that can break one’s chances, but also shortly after the interview. Here’s a surprising anecdote from Fisher: “One person didn’t so much mess up during the interview as allowed it to die in a fire later. It was a couple of days later when their Mom called to get feedback. Yeah, not so much,” he says.