30 Jan, 20 tweets, 4 min read
So #infosec #jobs thread.
In the last 12 months, I've been involved with 60+ interviews for various SOC, IR etc roles. This has come from about 120+ CV/Resume submissions.
To start, a caveat though - this is all IMHO. Hiring is an amazingly individual event.
First, CV length. The common wisdom is that it has to be under 2 pages and very tailored to the role. I disagree. A CV should be concise but it also needs to provide enough information to make the hiring manager want to speak to you. If there is an HR screen, it needs to contain a tonne of possibly random keywords. If a job advert asks for 10 different skills, and you can fit this into 1-2 pages, chances are the person reading it will find it missing detail and think it is unconvincing. If it's your first job a 1 page CV is OK, but the more you've done the longer your CV gets. I don't have a perfect answer but I'd say don't fret about it. A large part of the hiring process is automated and even the people who read it will read it online, scrolling through to get to the bits they are interested in. Long CVs rarely put people off.
Sidenote: if they do, they are likely to be difficult to work with so you might be OK with them rejecting you after all.
Next point - and it is sad this needs to be said, but DO NOT LIE. I get that we've been told for decades to "puff" out our abilities and "fake it until you make it" but nothing kills your hiring progress faster than being caught in a lie.
Sadly about 20% of the interviews I've been part of have ended with a candidate being caught in an awkward lie, almost always unnecessary ones as well. All it does is waste everyone's time.
Common examples are claims to have certifications which they don't (if nothing else it shows ignorance about what certs can be looked up...) and claims to have skills which they don't. I've sat in interviews with people who sent CVs saying "extensive experience in disk forensics" and then, when asked, can't say what they do or what tools they use.

With this, I don't mean asshole questions like "tell me every forensic suite" or weird ones like "what's the difference between dd and dcfldd". I mean "tell me how you would do X" type questions.
If you say "I have 5 years experience in reverse engineering malware" but can't talk to someone about what your general approach is, it creates the strong impression you have exaggerated your background.
That's enough on the candidates. They have a hard enough job as it is so it's impressive that there are very few consistent problems. However, the companies doing the hiring are often nightmares.
It seems normal for medium-large orgs to have HR and a recruitment agency involved in the hiring process. This causes all kinds of problems, but lots of hiring managers who *do the job* make life harder as well.
The biggest issue is making sure the job description is valid and useful. I've seen countless JDs which bear no relation to what the hiring manager really wants, so every candidate gets rejected. If you want someone who knows EnCase say so. If you don't, DON'T ASK FOR ENCASE.
I know that sounds simple, but it's amazing how often organisations get this wrong. I've seen one place which was a full FTK shop use a job advert which never once mentions FTK, but asks for EnCase experience. Then they complained that almost no candidates had FTK experience...
Be realistic. If you want someone with X, you need to pay for it. If you want a junior then don't expect them to know everything. If you want someone who knows packets in-depth, can script, analyse disks, carve memory etc., you are asking for someone who is VERY expensive.
The WORST mistake I see hiring managers make is to demand the people they hire know as much as they do. There is an exception but generally, this is really flawed. If they know as much or more, why would they work for you on less?
The exception is hiring a specialist. You may need someone who is a ninja in (say) Malware analysis and I wouldn't expect the manager to know more about it. However, don't expect the Malware person to talk to you about weird DNS exfil techniques. (I've actually seen that).
The last point is that interviews shouldn't be adversarial and really shouldn't turn into a certification exam. You are trying to understand what the candidate knows and if they will fit into your organisation. You should be trying to get them to explain how their experience solves problems in your org. Sadly about 75% of interviews I've seen have had at least one interviewer basically showing off their own knowledge to the candidate. This makes no sense and often leaves the candidate feeling they are inadequate. This is not your goal.
Tl;dr

Hirers: Make your job descriptions more accurate and honest. Interview people fairly. Have realistic expectations based on what you will pay.

Candidates: Never lie. Never lie. Never lie. Stop lying.
