Welcome back to our Hacking into Cybersecurity series. In our first installment, we discussed how certifications could help you land your dream position. Those certifications will only get your foot in the door, though. You still have to nail the job interview to land that perfect position. So, what should you do to prepare for the interview?

There’s a long list of items that go into being prepared for an interview:

  • Arrive on time.
  • Dress appropriately.
  • Review the job listing.
  • Be ready to discuss your resume.

But what are some things you can do to set yourself apart? These tips apply to any job interview — but the way we approach an interview in cybersecurity does have some quirks, as there’s such a broad range of domains you can enter (We’ll discuss all of those in a later blog post. So, what are some of the things we should do to prepare?

Step 1: Research the Company

This is important for anyone interviewing, not just cybersecurity professionals, but there’s a unique twist for security personnel. We want to understand the industry the organization is a part of, as well as what regulations and legislation the company must meet. For instance, we need to know if the company is publicly traded to know whether they have to maintain SOX compliance. Do they deal with protected health information (PHI)? If so, they must meet HIPAA requirements. All of these go a long way in understanding the security controls the organization must have in place — plus, it gives you, the potential employee, a roadmap of where your knowledge needs to grow to realize your potential within that organization.

Something else people often do not pay attention to is that sometimes other interviewees post the types of questions they receive during the interview process to sites such as Glassdoor. This gives you a leg up as you can then prepare your answers to those types of questions ahead of time. Of course, this is going to vary according to the hiring manager and the position you are interviewing for, but most organizations have some basic idea of what a typical interview is going to look like. This should give you a good baseline for the question types to expect.

Step 2: Research the Hiring Manager

If the recruiter for the position tells you beforehand who the hiring manager is, find them on social media. LinkedIn is especially useful for this. Find out where they have spent the majority of their career, whether it was at a certain company or in a certain industry. Look for any clues about their experience. Did they work their way up through the ranks as a technical security expert? Did they come from an audit or compliance background? Or did they come from a separate department and just kind of land in security? How long have they worked in security? How long have they been at the organization itself? These are all going to give you a basic idea of how to help answer interview questions and what kind of questions you might be asked.

Personal anecdote time! When I interviewed for a previous position, I researched the hiring manager ahead of time. I was interviewing for a security engineering position, but the hiring manager had a background in audit and compliance. I researched the company well and learned what compliance standards were required for their industry and organization size (remember, size plays a part in what controls are applicable in some cases). So, I studied some of those controls, knew what the job listing was asking, and knew she had an audit and compliance background. During the interview, much of our discussion centered around how the position would help the organization maintain regulatory compliance, as well as their security posture. Within 20 minutes of leaving the interview, I was contacted by the recruiter with a job offer. She loved that I was able to discuss how to move the company forward not just from a compliance or security standpoint, but how the position moved both forward simultaneously.

Step 3: Ask Questions 

During an interview, I’ve found hiring managers appreciate when the interviewee says, “I don’t know much about that — do you care to share more about it?” It’s that simple. Remember that cybersecurity is a broad field, and many of us slide from one domain to others or have overlap between them. If the position requires knowledge or experience in multiple domains, demonstrating that you have knowledge in the majority of them while you have needs (not weaknesses) in others helps the hiring manager see you are willing to learn those to perform the job functions. It is important to remember the interview is a two-way street and should be an open discussion.

Here are some of the questions I like to ask during interviews that are more specific to our career field than some other fields:

  • How does the organization’s overall culture contribute to the success of the cybersecurity program?
    • This may differ for you and your own beliefs, but I want to hear specific examples of how other departments and security have worked together in the past. Was it contentious? Was there a mutually beneficial solution? Is funding an issue?
  • For the position I’m interviewing for, what are the short-term (over the next year) and long-term (three years, five years) goals?
    • Of course, this is going to depend on the position, but a short-term goal may look like “Implement xyz….” Long-term goals should line up with your own professional development needs and goals. If you want to branch out from your own area of expertise, now is the time to bring that up and ask how the company and manager will facilitate that over the long term.
  • If the hiring manager has been with the company for more than a few years: What has kept them there?
    • Feel free to ask follow-ups on this one. For instance “I really like the company culture…” should probably be followed up with, “How would you describe the company culture?” Remember that cybersecurity experts are in high demand, so long-tenured employees usually mean the company is doing something right.
  • This is the big one: If you have identified a need (remember, we don’t say weakness) during the interview process, ask the hiring manager what you can do on your own to address it, and, once you start, what you can do together to further address it.
    • First, it demonstrates you’re willing to recognize your own needs and work on them independently. You don’t need someone to hold your hand. This means in the future they can count on your own initiative, and they won’t have to babysit you.
    • The second part of the question makes them paint a mental picture of you already in the position and answer the question, “How would we do this?” It’s a simple trick but makes the hiring manager think about the two of you working together in that partnership.

Conclusion

So there you have it — my three simple steps to helping you nail the interview! Of course, these are not foolproof, and following these steps alone will not help you land the job, but they’re a good starting point for what you have to do to nail the interview. Landing the position will require you to have the prerequisite knowledge and/or experience, but these tips will help you demonstrate and connect with the hiring manager. Oftentimes, demonstrating you are a “culture fit” for the organization is more important than having an exact amount of experience

Other Resources

If I can help you in any way during this journey, please reach out to me via LinkedInemail, join our Community Slack (search for the #security channel), or leave a comment below!

3 responses to “Breaching the Interview in Cybersecurity | Hacking into Cybersecurity”

  1. Sinan Ozdemir says:

    Hey Justin,

    Thank you so much for this awesome article. I always feel like there is a lack of mentorship in this field and people who are willing to talk to you, don’t go into this much detail. The only feedback I get from other folks in this field is to get certifications, internships, or help desk jobs. These kinds of feedback also show that your resume was either overlooked or not looked at all.

    Honestly, you are the only one so far who has given me this much information.

    Thank you again .

  2. Bob says:

    Do not, however, tell the hiring manager that you investigated him or indicate that you have details of their career they didn’t tell you unless they’re well-known or active on social media (and not just a bare-bones Linked In profile). I did technical interviewing and phone screens for a network & security team I was part of and had someone start rattling off details of my career from Linked In and a few things from Facebook where friends had tagged me in public posts presumably in an attempt to establish a rapport. It failed miserably since I ended up feeling like a stalking victim. Then they sent me a thank you note to my personal email since it was the only public one on Linked In.

    We didn’t end up pursuing him since the position open didn’t match his expertise but if it had I probably would have spoken against bringing him onboard as a bad culture fit.

    • Justin Mitchell says:

      That’s good advice, Bob! I appreciate you pointing that out! You have to be careful about showing what you have discovered and in most cases, you can just ask the interviewer for those answers. For instance: “May I ask how long you’ve been with the company?….Oh wow, so what would you say is your reason for staying here for X years?” Or if they’re pretty new to the org, what made them decide to come on board?

      I appreciate your story, as well. I think I’d be a little freaked out if someone started rattling off details about my personal life during an interview, too. And then sending a follow-up to your personal email? Ouch! This whole experience is just cringe-worthy!

      For all of you job seekers out there, this is what not to do! ^^^

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Get actionable training and tech advice

We'll email you our latest articles up to once per week.