Do’s and don’ts for a cyber-security interview
Whether you’ve been working in the IT field for a long time and you’re looking for a change in direction, or you’ve been in training with the intention of breaking into the cyber security industry as the start of your career, there are a few things you should keep in mind when preparing for that all-important interview. They also extend into your general preparation for a role in the industry.
You’ve found out the dress code, you’ve worked out how to get there and you’ve learnt a bit about the company, so what now? Owing to the unique nature of the cyber security industry, we’ve put together some do’s and don’ts that you might not have thought about.
Don’t rely on your qualifications to see you through
Obviously, qualifications are important, and you will be asked about them. However, cyber security employers are interested in what you can do and what you have done, often more so than in what your qualifications are. They are likely to hire someone who can clearly demonstrate that they have the right skills to hit the ground running over someone with a strong theoretical background but lacking in practical experience. In fact, experience is so important to InfoSec employers that it’s leading to a potential hiring cliff in the future, so sell yourself on the basis of your ability to make a difference from the get-go, even if you think your qualifications are awesome.
Incidentally, this means that your chances are going to be much better if you can show them things you have done in the real world, such as securing your own networks, InfoSec challenges you might have competed in or completed, etc.
If all you have is a qualification, it might be worth considering entering some InfoSec challenges to get something tangible under your belt that you can demonstrate.
Don’t pitch yourself as a generalist
Whilst it might be tempting to sell your expertise across a range of skills, in reality nobody can develop skills in a huge range of different disciplines to any major level of depth. Firms need experts who understand their area of expertise well. If you try to pitch your generalist know-how for a true hands-on InfoSec role (as opposed to a team leader or supporting role, where management skills are more important), you can expect to be challenged. If you aren’t truly an expert in something, you can expect to be found out very quickly. Far better to stick to what you know well than constantly reveal weaknesses elsewhere.
Don’t focus entirely on technology
According to a study released by security firms Proofpoint and Balabit, social engineering emerged as the top threat to information security in 2015. Technology is always important, and it is exciting, but arriving at an interview with nothing to say on topics outside of your favourite tech, tools and software will make you seem like you have tunnel vision in a world where users represent the biggest vulnerability to information security.
Try to gain some understanding of the entire threat landscape and the typical holes that need to be filled, taking into account users, the third-party websites they visit, their social networks and their lack of security savvy, AND relate it to your technology knowledge.
Don’t punch above your weight
When playing to your strengths, be careful not to slip past confidence into arrogance. The people interviewing you are likely to have extensive expertise of their own (especially if you’re just breaking into the industry), so whilst it might seem like a good idea to tell them about all the cool things you would do to fix their terrible security, keep things relevant to the job you’re applying for. If you’re looking at an entry-level position, keep things relevant to that.
Do demonstrate you can work within a large corporate structure
Large corporations present the need to balance sometimes competing needs. You need to be able to prioritise the vital security measures over the ‘nice to haves’, and when rolling out a security initiative across a large organisation you must be able to take into account the disruption this might cause. Planning how to mitigate the impact on users, working out who might need additional training – all of this falls into the project management skills you’ll need to do your job effectively.
Equally, sometimes you will make security demands that will have to take a back seat to other business considerations; you might have to delay or adjust your recommendations accordingly, and do so pre-emptively at the planning stage, not when users complain.
Showing you understand the application of security skills in a way that takes the business needs into account, as well as a strong ability to prioritise, is a must.
Do put your people skills forward
You must show that you’re able to competently explain the ramifications of your security recommendations to a non-technical audience, not only so that users and stakeholders are clued-up, but also to help you make the case for your ideas with senior management. If you can’t express the need for a security measure in a way that relates to the bottom line of the business, you can expect to see your influence wane within the organisation. Maintaining this influence is as much a part of the job as anything, and you may have to fight your corner on occasion to get things done.
You are going to have to work closely with a lot of people (often dealing with senior management), and your decisions and recommendations have the potential to inconvenience people. You need to show that you are a good communicator, negotiator and teacher. When it comes to high-threat areas like social engineering, you cannot make a difference if you cannot advocate for security awareness among regular users, so demonstrating your communication skills is vital.
Putting it all together
We hope this gives you some ideas for the sorts of approaches you can take when you’re going for that vital first step into the cyber security industry, and that you’ll avoid some pitfalls along the way. Maybe you’ve realised that you are thin on practical applications, or that you could do with developing your people skills? Either way, we hope you found this useful.