Cyber Security Interview Tips

In this blog post we will discuss tips for cyber security interviews, what I have experienced and key items/areas you should be bringing to the table to give you a higher chance of getting the job. Each of these items will take time and many interviews to get better at. For instance, it takes time and experience to develop soft skills. Sure, you can talk to yourself in the mirror or to a loved one to practice a presentation. Soft skills are not all about how you present yourself or a project to a group of people; soft skills are the interactions you have with your coworkers, and the ability to not only hear out another team’s worries or issues on a certain security item but to quell those worries and issues, staying calm, winning them over to your side and delivering on all of your promises. Why would I need to show soft skills in a cyber security interview, you might ask? In cyber security half the battle is the technical knowledge and skillset required to be successful. The other half is how you can sell a tool, solution, project, etc. and still meet everyone’s needs. Understanding a tool better than anyone else is a great skillset to have, but it doesn’t win over very many people if you cannot effectively communicate what you need. You also must have the ability to break complex items down into simple, easy-to-understand items that everyone can get on board with. In cyber security being intelligent is simply not enough; to be successful you must be articulate enough to win over a room that started out against you.

In my experience most hard-to-work-with people struggle in this area; they are almost too smart for their own good and don’t understand how to talk about their own project needs at levels that everyone can understand. This makes them seem very rigid and inflexible to work with, which makes other teams not want to work with them. Not being able to be flexible and agile in security will all but surely limit how far you go in this field. I bring this up because in literally every single IT interview I have ever had I have been asked how I deal with working with difficult people that do not want to listen, hear your side, do any work with you on a critical project, etc. Even after I start at these roles teammates will point out other people from other teams that match this description. How do I deal with these situations and answer these questions? What I have done every time, and it has worked every time, is that I normally introduce myself to them and their entire team, I discuss my experience with their domain and learn more about them and what they do on the team. I ask them point blank: what are your pain points and how can I help? Almost every time the other person is caught off guard by this question. Rather than trying to have them help me with my work from the start I look for ways that I can assist them first to make their lives easier. For instance, one of the times I did this the “hard to work with” person stated he has more work than hours in a day and other teams refuse to work with him for various reasons. At this point he was at a standstill in all projects until he got assistance from other teams. I took that information and started working with the other teams to get time allocated to help move his projects along. This is one example of a common question, a common response and a real work example of how I have addressed this exact issue. This may seem like something that is completely outside of the realm of a security person.

Most of you would say, why can’t a manager or project manager handle this type of work? Why can’t this person figure out how to do this? All of those are great questions and all of them deserve to be answered. However, if we dwell on these questions and put the blame on someone else then nothing will get accomplished. If these projects affect the overall security posture of the organization then I take it as my responsibility to follow through and get these items accomplished. That is why I typically react this way to move things forward while keeping my own management apprised of the items I encountered and did so that it can be fixed down the line. This is something that separates an exceptional security person from an average security person.

Other common questions typically involve your experience: do you have experience with delivering a difficult or complex project? Do you have hobbies outside of work? What do you do to stay up to date on cyber security news? What was the last article you read about something in cyber security and what interested you the most about that article? All of these items are things you should not only be thinking about ahead of time but should be actively doing, not only to stay on top of your skill sets but to grow them and expand your knowledge in cyber security. Most employers are starting to realize that if you don’t love cyber security then you won’t last long in this field. This field can be extremely difficult at times and will push the best system/network engineers to their limits. For you to be successful in security you need to truly love it, and employers are starting to see this now, so they ask those questions to see how passionate you are about this field.

Honesty is key throughout the entire interview process. I have interviewed people that will claim they are experts in a certain domain, area or tool. When someone claims they are an expert in an area I will always make sure I ask 4-5 questions just about that, with each question getting more detailed than the last. I have spoken to several people that will claim they are highly familiar with a tool that I have deployed myself several times, so I will ask them to walk me through deploying that technology. What were the challenges, what was the deployment size, what are the critical services on the core servers that you always need to monitor for and what do those services control in the application? Being honest is giving the employer a true and honest perception of your skillsets and experience; it will only hurt you if you lie and say you are an expert in PAM solutions and are then hired on to deploy a PAM solution when you’ve never actually led a deployment.

I feel it is also key to not only state what you are looking for in your next role but to state your 5-year goals and to state how you think this role will fit into your own goals and plans. Read the job description inside and out and do research on the company. If this is a true fit then you will be able to see it and make the hiring manager aware that you see the fit and that you want the job. For myself it is always a bit frustrating when someone comes in and it seems like they haven’t read the job description, researched the company and/or they don’t have goals for themselves. I know you may be young in your career and may not have all the answers and you may have never done this before, but having something ready for each of those items is always better than nothing at all. If you are missing one of those key items it leaves the impression that you weren’t prepared for the interview, and if you aren’t prepared for the interview then why would you be ready to take on the work they are about to give you?

Times of the year and how long a job has been posted are huge factors that you have to account for in your negotiations, given you get that far in the process. Typically hiring picks up dramatically from January – July, as I am sure is the case with most industries. From August – October it slows down a bit from what I have experienced, but there are definitely still new roles being posted and interviews occurring. Anything after November turns into a bit of a crapshoot. The company could be looking to hire someone ASAP before year end or they could be looking to hire someone at the start of the new year. I have had both happen to me personally. I have also seen it where companies have had the role open all year long and have redrafted the job description several times and now need to hire just about anyone. This may sound great because it would be easier to get a job then (hopefully), but more often than not these companies don’t really know what they need in that role, and sometimes they have no direction with their security program or that role. These are red flags and if you see these things or get that thought you should run for the hills. At this point in time in the cyber security market everyone seems to be looking for a security professional, which makes it very difficult for people that are looking for a role because they have to sift through all the companies that don’t know what they need. You have to be able to look past the right verbiage, the right experience, the right outlook, and even the team and see if they have a proven track record of delivering on what they claim. This is in many cases very difficult and requires talking to current and former employees, reading reviews online, and maybe even having more casual conversations with the hiring manager.

Nowadays I have seen more companies looking for “unicorns” than ever before. This means companies are looking for people that are basically experts in several domains that command large six figure salaries on their own. When you see a job description that says they are looking for a large amount of experience with cryptography, IAM, cloud, and more, just run for the hills. They don’t truly know what they want or need, and if that is what they want/need then they likely don’t have the money to pay what that skillset would deserve. I constantly come across roles that are asking for 10+ years of experience in cloud computing and cryptography; this is an issue, especially since there are a handful of people on the planet with that experience. To make things better it will require the OSCP, OSCE and CISSP and they will give the role an Analyst title. This isn’t even an extreme case of this; this is very average for what I have seen. I know many recruiters will say we only post what the manager says to us, but at the same time any security recruiter needs to look at this and have enough knowledge to know that an analyst won’t have that experience and raise a few red flags. Whenever I see a description like this, I typically don’t give the role a second thought because it shows me there is a disconnect between reality and the manager that I will never be able to live up to.

In a job description I tend to look for two things: 50-75% should be things that I have done or am currently doing in my current role in some capacity. The other 25-50% should be areas/skills that I want to grow in and where I want to take my career. My resume should also be drafted to be geared more towards this job posting. This doesn’t mean copy and paste from the job description into my resume, but it means if the job posting is looking for AWS security experience and I have that experience then I should have a bullet point or two about a project or skill set that I have to fill that requirement.

One last area I would like to touch on is the questions that you ask throughout the process. These questions should cover any areas that you need clarity on. One example of this would be what the outlook for this role is and where they see this role & team going in the next 2-5 years. These questions should also be aimed to be something that the hiring manager hasn’t heard before. I always take time the day before to write down 3 questions per person I am interviewing with. I will look at the person’s LinkedIn and try to ask questions that won’t necessarily challenge their experience, but will be a middle ground question. Something like: Where can I make the most immediate impact from the first day of starting in this role, or what areas do you need the most help in right now that I may be able to help with? I have even gone as far as to ask how their previous role prepared them for what they are doing today with “X” company. It turns the interview from a one-way conversation into more of a two-way conversation where you are actively engaging the interviewer back. I find that these are always the best interviews that tend to end with the best results.

I will close with this: eventually you will find the right role for you and you will get a job. It is only a numbers game that is in your favor the more interviews you go on. I have found that my first few interviews when starting to look for a new role are always my worst. After I interview around a few times I start to get into the swing of things. Don’t be so down on yourself; try to be loose but not too loose in the interviews. Be yourself and be confident in your own skillsets but don’t overly exaggerate your skillsets. I hope you have a great year, go out there and kill it!