Want to work in Infosec? Impress me!


The Interview. (Picture credit Alan Cleaver)

So, you’ve decided that information security (Other titles are available) is the career for you, now you just need a job. Firstly, congratulations! You’ve made an excellent choice. The threat to companies and individuals from cybercrime and cyber-enabled crime is ever growing, creating a pressing demand for skilled individuals to help protect our information, more than ever in the age of GDPR. Before you can get started in security however, you’ll have to come through someone like me – the hiring manager. Whether you’re an IT professional that wants to move into security; it’s your first security job; or you’re an experienced professional, this is what I’m looking for.

Know the basics

As a starter, regardless of the level of role you’re applying for, you need to understand the basics of the information security field. Things I would expect every applicant to thoroughly grasp are the definitions of threats, vulnerabilities, and risks, and how they interplay. I would be looking for the candidate to demonstrate a working knowledge of what ISO27001 is, and how it can be used and misused. Even if you’re junior and this is your first security job, a solid understanding of the fundamentals will help you stand out from your peers.

Integrity and consistency of message

This goes without saying, but if I can’t trust you, I won’t be hiring you. On your CV, be totally honest about what you’ve done. If I ask about something you’ve indicated you’ve done or have knowledge of and you cannot answer, that’s a huge red flag. Also, if asked something you don’t know, say “I don’t know – I’ll need to find out.” Pretending to know the answer will also count against you.

Also important is that you understand that security is only effective when the message being given to stakeholders is consistent – no matter who they ask, they will get the same answer. That answer may not be the best answer, but it is consistent. This certainly isn’t to discourage continuous improvement, however. The ideal candidate will agree changes to the message within the team, and communicate them to stakeholders with a singular voice.

Be able to evidence your qualifications

Following on from the point about integrity, if you mention that you have qualifications, make sure that they are in good standing and that you provide appropriate evidence to validate them. If you can’t do this, don’t tell me you’re qualified. The second part of being able to evidence your qualifications is being able to speak to the material that qualification covered. If you tell me that you have a CISSP for instance, I may choose to ask you questions about it. You need to be able to demonstrate that you have the knowledge required of that qualification.

Be curious

The nature of the threats we face as security professionals evolves on a daily basis. Your knowledge of the subject has to evolve also. In an interview, I am therefore looking to see that you have curiosity. You’ll demonstrate this by reviewing content from a variety of sources (including general news, technology news, vendors, industry bodies, and government bodies). You will aggregate all this information together and evaluate it critically and dispassionately. Regardless of the role you’re applying for, you’ll have a working knowledge of current information security related news, including breaches and exploits, which you will be able to relate in business terms.

Be pragmatic, cynical, and resilient

As much as we would like to, we are never going to get every user and every stakeholder fully engaged with security all of the time. Pragmatism is therefore a key requirement to be an effective security professional: obtaining small incremental improvements in security wherever they can be found. In short, some security now is better than no security later. You may also find a healthy cynicism to be useful when it comes to dealing with users and vendors alike. Both are likely to tell you what you want to hear when it doesn’t matter, and utterly fail at execution when it does unless closely supervised. You should be able to balance this pragmatism and cynicism with resilience and backbone. While pragmatism is settling for less than perfect, resilience is never settling for less than your minimum, even if you have to fight for it.

Understand security technology, tools, and controls; and know their limitations

Again, how much you know here depends on the role you’re applying for, but as a minimum I would expect you to understand technologies such as firewalls, IDS/IPS, DLP and anti-malware. You should also be able to explain the purpose and contents of security frameworks, policies and standards. For each, in addition to knowing what it is and what it is used for, you should be able to articulate its pros and cons compared to other solutions.

Understand how technology, tools, and controls impact the business

Following on from the last point, having got an understanding of the security components, you need to be able to articulate their value to the business. If you attempt to explain ethical phishing tests as a compliance tool, so what! If however you explain that half of all cyber attacks now involve some sort of phishing component, and that you are educating staff on what to look for before the bad guys come after them, it’s a much easier sell to get the business on board with an ethical phishing programme. Even as a junior analyst, you should be thinking about what value your work gives to the business.

Be clear and succinct

Again, this is one of the fundamentals, but one people get so wrong. If I ask you to describe a term and explain its pros and cons, I am looking for a three part answer. The first part should be a brief explanation of the term, no more than two to three sentences. You should then give a couple of sentences about why you think this is a positive, followed by a couple of sentences about why it is a negative. If you need more than a couple of sentences to answer the question, you probably don’t have a good enough grasp of the topic. If so, say so – don’t waffle.

Enjoy the subject

This one’s more of a bonus than a requirement. It helps if you can show an enthusiasm for information security! I’m looking for people with an interest in the subject who can talk beyond the questions being asked, and tie the different concepts being discussed together. I’m also looking for the curiosity described above and a desire to grow in the role. A candidate that has 80% of the skills and a passion for the profession is highly likely to be a better hire than a genius who would rather be anywhere else but working for you.

Good luck!

If this sounds harsh, or you don’t think you can do all this – don’t worry! Some of this should be common sense, and other bits should be achievable by brushing up on the basics. Beyond that, showing an enthusiasm for security will help you stand out. Finally, to anybody thinking of a career in information security, good luck.
