How to lose an InfoSec job before you’re hired
Recently I have seen many posts from out-of-work security researchers who are looking for gainful employment. It is never a bad idea to exhaust every resource you can when looking for a job, but you should be mindful of the requests you are making, the demands you have, and their impact on your chances of getting that position.
The world has changed. In the last twenty years, hackers have gone from cyber-punks with green hair and mohawks to Information Assurance and Cyber Security Professionals with suits and formal education. Unfortunately, it appears that most security researchers have not caught up with the times.
I am the first to admit, I don’t know everything. If I did… I would be in a very different position in life. In fact, I was just passed over for an Information Security position.
That being said, I do know how to present myself in a manner appropriate to the situation. You must understand that in most cases, the person hiring you is not a hacker. The person doing the vetting or hiring is going to be a suit-wearing business professional in IT or Human Resources. There are a few exceptions, like being hired for a Red Team or being hired by the National Security Agency, but even they expect a certain level of professionalism and responsibility.
There are some basic standards to follow when looking for ANY job, especially one in InfoSec:
- Dress one step better than the person interviewing you. If the standard at the company is khakis and a polo, wear a tie and some slacks with dress shoes. If the standard is a suit, wear a pin-striped suit and polished shoes. Include a pop of color, but don’t be Andy Warhol about it. The idea is to present yourself as someone who cares about your appearance and is professional, but also as someone who can fit in with the team.
- Compose all communication in a professional and formal manner. Do not use emojis, as the poor soul in the image at the top of the page did. Let me repeat that… DO NOT USE EMOJIS. It’s not hip and modern… it’s unprofessional. Spell-check everything. Even if you are just sending a one-sentence response at the end of an email exchange, address the recipient formally and end it with a formal “Respectfully.” Last, always try to use proper grammar. Do not make statements like “Don’t got time for hiring process games!” It is improper grammar and shows right off the bat that you do not care to be professional and that you are unreasonable and inflexible.
- Bring printed copies of your resume to any interviews. It doesn’t matter if they say they already have a copy on file. Always bring printed copies of your resume. Find out how many people will be involved with your interview and bring at least three copies more than you expect to need. Someone always tends to drop in to participate or was forgotten on the initial meeting invitation. Having enough for everyone to get one is important, as it conveys your level of preparedness and ensures that everyone leaving that room is carrying something with your name and your skillset on it.
- Do not make demands. Making statements like “No interview rounds! (interview me & then say if I got the job or not)” is not only grammatically incorrect but is demanding to a point that is unacceptable to most professional organizations. Most companies have a legal or regulatory obligation to interview more than one person. Demanding they decide right after talking to you is an easy way to get the answer you don’t want. Be flexible. If the company is based in another city and you do not have transportation, get an Uber until your first couple of paychecks. Do whatever you have to do to get the outcome you want.
- Do not present 1996 digital “hacker” images as your profile image. The companies seeking qualified information security professionals are not mom-and-pop shops looking to pay you $150K a year. They are usually fully developed organizations with standards, audits, and accountability. You may come off as someone who will architect the best security solution in the world, but if you also come off as someone who may steal the owner’s social security number, you are not getting hired.
This is all in the context of Information Security, but most of this is just common sense. Be professional, and I can promise it will not make your situation worse.