I just sat through two video interviews for our entry-level infosec position. Both were good people, but it was painful watching them struggle through our questions.

Here are some tips for anyone applying for a similar position:

1. When an interviewer asks "what makes you stand out?", have a solid response already prepared. If you say "well, I'm a hard worker" I'm going to have difficulty suppressing my eyeroll. Find something that is unique about your abilities, knowledge, personality, or experience and get us excited to hire you. Even if you're not asked something like that question, volunteer that information. Make yourself memorable.
2. Don't go into the interview cold. Do some prep. If possible, know the backgrounds of your interviewers/their company (Google, LinkedIn), dress how you expect them to appear (or better), clean up your video background. Have talking points / notes pulled up to reference key data about the company/position/interviewers/yourself. Be eager to talk at length about anything you claim to know on your resume.
3. If you tell me you're a semester shy of an Associate's degree in infosec, I should be able to ask you how an IDS differs from an IPS and get a semi-coherent answer. At the very least correctly tell me what the letters stand for. Yes, this is an entry-level position, but that is about the biggest softball question I can lob. After two years of study you should have familiarity with the most basic of our acronyms.
4. I don't expect entry level to do packet analysis, but at least know a few common network ports and what traffic is expected on them. Bonus if you point out it doesn't have to be the expected protocol.
5. When I ask if you've seen any infosec stories in the news lately, the answer I'm looking for is YES. Show me you're keeping an eye on what is happening in the field you say you want to work in.

Good tips? Bad tips? Am I the asshole for expecting the above from an "entry level" candidate? All feedback appreciated. #fedihired #interview

@clueax I disagree with the "what makes you stand out" type of questions, especially for someone with little experience.

These questions set up the interviewee for failure. It's an almost impossible question to answer in any meaningful way.

I like to ask something toward the end like "is there anything you'd like to mention that we haven't touched on yet?" That gives the candidate an opening to bring up anything they'd like to talk about.

Otherwise I'm with you on the rest of your advice.

@tippenring Good point. I hadn't thought of it that way.

@clueax I concur with @tippenring, faced with that question, the only truly honest summary answer I can give is, "I don't know" — because I don't know the other candidates!

I could talk about my history, and discuss what experiences I can draw on in the prospective role — but I've been going a few decades, someone going for entry level is unlikely to have that.

So I'd think about what kind of evidence you want to get from asking this question, and then consider alternatives. :)

@clueax @tippenring Q1 would be 'thanks, let's not waste any more time, bye' from me. It comes across as lazy and useless to me. Just read an early CV which opens with an answer to this Q, comes across as badly prepared for work (unless it's a school leaver where there is literally nothing they can say, it's just a writing assignment)

@clueax

i think this is mostly good advice. not sure about the acronyms and ports as smoke test but that's because i'm not sure whether "infosec" should imply knowledge about network technology, in vernacular i use it to mean a lot more things than it-security, it could be about organisational process, storage and retrieval systems, physical systems, &c.

@troglodyt @clueax Same, although I'd know the ports and know what the acronyms stand for, I'm mostly doing application security and less infrastructure... so IDS/IPS/WAF don't concern me. But then I can talk about anti-reversing and stuff :-)

I also would feel uncomfortable with the "how do you stand out" question. Although I think I get it, it feels like putting me above others or bragging. The latter being a really big problem combined with toxic masculinity in infosec and related fields. May be off-putting especially to non-cis-male people. Maybe something more along the lines of "what are your strengths and weaknesses?" Also, pick one special deep interest that's not necessarily directly infosec related even (can also be e.g., engineering) and talk about it.

@ljrk @clueax

i think the 'how do you stand out' question might broadly discriminate against young people and people from economically disadvantaged backgrounds generally

i also don't think recruiters will stop asking it in some form or other if they have trouble getting a feel for someone. my tactic is to preemptively talk about experience and interests, preferably such that are uncommon but relevant

@ljrk @clueax

in the workplace it's important to be a bit conscious about 'how you stand out', strength and weaknesses in social settings. it can get very uncomfortable when the organisation messes up who gets which responsibility when something needs to be done in a hurry and while it's ultimately a management responsibility it's also better for the heart to avoid it entirely

@troglodyt @clueax Yup! Of course, going by interest can also be difficult since especially beginners are too insecure to admit to being interested in something without deep knowledge of it (although they sometimes do have surprisingly deep knowledge). But as long as one manages to frame it as a "curiosity", it could work to get that "feel".

Strengths and weaknesses can be figured out later, when mutual trust has been built and one starts becoming part of the team.

@ljrk @clueax

when thinking about it most people realise if they were the ones who did the work, delegated it, or something else in group exercises in school, and also whether they did projects that were ambitious or just what was asked, and what the response from teachers and students were, it's usually this kind of information presented in some abstract sense that they're after

and yeah, not obvious to young people

@ljrk @troglodyt That's great feedback on the "how do you stand out" phrase and something I failed to consider.

My thought process was along the lines of the potential employee offering their abilities as a service to the employer, similar to a vendor. Vendors tend to be very eager to tell me why I should choose them over other vendors, which, now that I think about it, is also very off-putting.
(Gartner magic quadrant!)

I've removed "stand out" from my list of questions - I was already asking what they felt they knew/performed best at, so this was redundant in addition to being poorly worded.

As for the non-infosec interest, I shied away from that. If someone wants to voluntarily share that's fine, but I wasn't going to prod for details on anything other than "can you fill this infosec role."

@clueax @troglodyt Yes, it definitely gives a similar vibe – although the power levels of a service provider are different compared to a new hire (usually). If the applicant is a "star" this may be different, but then the question is probably redundant as well or just a boasting opportunity.

My idea was less to ask about non-infosec interests specifically but just to "allow" non-infosec interests. But in hindsight the term "curiosity" fits better. My goal would be to check for "unique abilities" but without phrasing it that way due to the issues above. In the answer I'd be looking for hints to such skills (or future skills) in order to gain similar insight. But I'm not happy with this question yet either :'-)

Thank you by the way for the transparency about your process, the tips – and listening to feedback! I'm personally new in some kind of leadership position (nothing big) and discussion about this is so incredibly helpful!

@ljrk @troglodyt If it wasn't obvious, I'm also pretty new to this hiring thing - I've been tasked to write the questions, sit in the interviews, and give my recommendations/feedback, but I'm not the one making the final decision.

@clueax @troglodyt I'm not yet interviewing myself (not that much looking forward to *that* part of leadership, but oh well). I really like transparency though and exchange. Otherwise we all just end up making the same mistakes all over again :)

@clueax I would add that I always find that interviews are about the stories you tell. People respond well to stories. If you can tell me what you can do in story form then you can answer questions like "tell me about a project you worked on" or "tell me about a time when" and it will flow smoothly.

@clueax the “do you watch the news” one matters to me even more than the ports!

@clueax Hmmm.... I've never formally worked in infosec* but these examples of entry-level questions make me think that maybe my sysadmin background is more than enough to try and "pivot" (as they say) into infosec.

(* SA is always infosec-adjacent. Anyone who says differently is selling something**)

(** probably an IPS)

@48kRAM Hey, it worked for me!

I was desktop support before moving to sysadmin/vmware admin, then into infosec.

@clueax Not just infosec, but this advice is broadly applicable to data protection / privacy / responsible data stuff too. I am definitely going to share this around.

@clueax I would encourage people to point out what makes them distinctive, rather than unique. Taken literally, "unique" is a very high bar, especially for a recent graduate or an undergrad.

@eibhear Yeah, based on other feedback I've received, I'm eliminating that question. It was poorly worded and didn't really give me any valuable information.

@clueax asking a candidate to explain acronyms is really giving them a helping hand. It builds their confidence. There is a whole lot that simply can’t be covered in a semester but learning the acronyms is easy stuff you can just put on a syllabus and in the midterm.

If a candidate can’t do that it’s likely they just aren’t paying attention in class or not even attending.

@clueax All seem good and fair. Consistent with my style interviewing intern prospects for summer sessions leading into their senior year.

@clueax ooh! I could be entry level!
I’ve finally found my level :)

@clueax I think they're solid tips. I've sat in a few entry-level interviews where they tanked these sorts of questions. We did not pursue.

I would add that if you blank on a technical question (like what PKIP is), try to show that you understand the concepts and what's going on.

@clueax thank you for posting this! It’s always frustrating never getting any feedback after an unsuccessful interview so this is very helpful 🤘🏼

@clueax one question I’ve found quite useful for entry-level roles is “what got you interested in infosec?” You can pretty much spot future superstars by seeing their eyes light up.

@clueax

If I might make a suggestion, you might consider amending the "have you seen any infosec news" question a bit.

I would suggest phrasing it as asking if they can discuss "some of the potential sources that they use to follow infosec news".

This will help you as an interviewer look into "where they are" in their development, plus get some info on the quality of their news sources.

@clueax
I hope you have someone good pre-screening the candidates before you see them, if you expect competence in the subject matter.
Personally I think those are all good and reasonable questions/expectations. ..Well, tbh, I am on the fence for someone having a pre-prepared answer for 'what makes you special?'
It's a great interview question generally, but few entry-level folks have war stories or differentiators yet.
Most graduates have been told that the employers only care about their school transcript.