6 Tips for Crushing Your First IT Security Job Interview
We dedicated an entire week of posts to breaking into the white-hot information security field, including how to get experience in IT security, tips for crushing your first security interview, certifying as an ethical hacker, and even what to do if you get audited during certification.
You polished your resume until it radiated a dangerous glint. You scoured job boards, attended security conferences, spoke to recruitment consultants, and then you sent out your skills resume along with cover letters — and someone called.
This is it. Your first interview for a job in Information Security. Here are six tips for owning it.
1. Show You Know Your Stuff
Whether you've been working general IT for a few years with no certs under your belt or you're packing heat in the form of CompTIA A+, Network+, Linux+, or Security+, you should have a good idea of what makes computers tick by now.
The interview is your chance to make it clear that you know what they need you to know: the basics.
In an entry-level InfoSec position, you won't be expected to single-handedly mitigate a 30 Gbps DDoS, although you will be tasked with knowing the acronym, and how bad it'd be if you had 30 Gbps of unwanted traffic coming your way. Nor will you be expected to be a Kali master.
That's because you're not only going to be assessed on the security side. They'll want you to know the basics because much of security is knowing the nuts and bolts of everything.
Can you explain how the Windows boot process works? Of course you can. Now, can you explain it step by step? This is a favorite interviewer question to determine your awareness of low-level vulnerabilities on top of testing your foundational knowledge.
And if you're highlighting the basics on your resume, leave off obscure technologies you worked with for only two weeks, particularly if they didn't ask for it. Murphy's law guarantees that you will be asked about it. If you simply can't help yourself, then answer honestly and let the interviewer know that you're not an expert, only that you're vaguely familiar with it.
Also, don't pad your resume with unnecessary productivity tools (unless they ask for it). There are situations when you should list Word on your resume, but you're not in that line of work.
When you get a chance to talk freely, throw in a few high profile security breaches that piqued your interest, like the Sony hack fiasco, and share your opinion about it. You'll be able to let your interviewer know that you're up to date on security trends and that you follow newsworthy incidents.
Here's a quick test. Can you talk confidently about any of the following terms?
If not, then a bit of Wikipedia is in order.
Another great resource for context is this timeline page of Computer Security Hacker History.
2. Investigate Your Future Employer like a Detective
What OS do they use? What apps do they run? What's their network like? What security/surveillance/monitoring/forensics tools do they currently use?
Of course, you may not be able to find all this information before the interview, but discover as much as you can. You will get serious bonus points if you're able to deduce certain information about your hopeful future employer without them knowing that the information was publicly available.
Note: You're not allowed to phish anyone or pentest them for this. That can come later, with their permission.
Have they been hacked before? Possibly in the recent past? Coax it out of them in the interview and explain how you might've approached incident prevention. This is like setting up your own question to be answered and puts you in control for a brief moment or two. Make those moments count.
This will let you ask intelligent questions about the threats and challenges that the company faces. Research known vulnerabilities, malware, and exploits that can be used against the company. There's a lot that can be learned online if they're a decent-sized company, or if they have a public website (who doesn't?).
3. Look Sharp and Dress to Kill
Are they wearing ties on their website? Then wear a suit and maybe a tie, too. In the security field, you may have to meet with higher-ups often because when something goes wrong the highest levels spotlight you like the Eye of Sauron.
Even if the dress culture is casual, prove that you can pull off a dashing professional look when needed and suit up anyway.
Grooming, dressing well, the good posture your mom taught you, and confident tonality.
All these things will set you up for interview success.
You know all this stuff, though. You might want to dive into these interview tips every IT pro should know, which go beyond "sit up straight" or "dress appropriately."
4. Prepare for Trick Questions
The easiest way to fail the interview is to answer a trick question incorrectly. If you're not expecting them, you probably won't even know you got pwned.
The employer might want to put pressure on you to see how you react. Honesty is an important quality in your position, so be prepared for curve balls that ask one thing and actually test you on another.
Here's a question: "If there's a security flaw in an app that won't give the attacker any reward or damage the business, does it make sense to expend energy on fixing it?"
A trick question might be centered around "How would you fix this?", where the correct answer is, "I wouldn't, because there's no reward for an attacker and no risk to the company." If you answered that question incorrectly, then take a quick review of the ISACA CISM course. It'll get you sorted out.
On the other hand, don't get paranoid! Most of the questions will be genuine. Remain calm, be truthful, and you'll be good.
5. Humble Yourself
Show that you don't just care about "going after the bad guys," but that you can maintain a defensive posture. You need to have both a blue and red team mindset where you're heading. Most of your career will be dedicated to protecting the company and fixing their unique weaknesses.
Remember, it's about what you can do for them. Demonstrate good business sense and take into account that any hypothetical solutions you suggest will need to be realistic and in-budget for your projects.
Don't brag about your black hat exploits, even if it was "back then." No showing off by pentesting their network while you're in the middle of the interview or even before. And absolutely no name dropping, unless it's relevant to the discussion. Security professionals are expected to be discreet.
On the other hand, have a war story on hand. It's your first job in InfoSec so the interviewer probably won't ask about previous InfoSec projects. You can use this to your advantage and surprise them with a tale of how you saved the sales department at your previous company from a malware attack before the InfoSec guy came back from lunch.
When you are asked, "So, tell me about yourself," can you answer with a few interesting and intelligent sentences?
If not, write this question down for yourself and answer it on pen and paper. This question isn't often seen as that important by interviewees, but it is.
Now, take a moment to skim the Interview Tips Every IT Pro Should Know webinar for the most common questions you'll be asked in an IT interview.
6. Be Okay with Walking Away
At the end of the day, you're interviewing the employer as much as they're interviewing you.
If you don't get the job, take it in stride, start working on whatever weaknesses you feel you should have worked on, and move on to the next!
The interviewer is under no obligation to tell you why you weren't hired, so be watchful of their reactions during the interview and note where they started losing interest in you. This will tell you where you can improve.
It's always possible that you simply don't have the required knowledge they are looking for. If that's the case, you're in luck. You can learn anything.