I had a lot of great takeaways in my recent interview with Stephen Semmelroth on how to pass a cybersecurity interview and turned them into some reasons why people might fail, since having a list of not-to-dos can be just as helpful as a list of things you should do. So the first way to fail a cybersecurity interview is not being able to explain what happens when you type in a URL. I did what everyone does. “Oh, it’s DNS, of course. There’s A versus AAAA, IPv4, IPv6. Yeah, and there’s root DNS, and it traverses down and up and back, and there’s transfers, yeah, no worries.” They go, “Hey, phenomenal answer. You missed 90% of it.” So what happened here? Well, the most important thing about the technical portion of a cybersecurity interview is not your ability to answer trivia. Seemingly simple questions are more like reconnaissance probes meant to draw out and evaluate the breadth and depth of your understanding across the different skill stacks that you’ve built over the course of your journey. A more thorough answer to the DNS question might start off with discussing the USB, 802.11, or 802.15 protocols, depending on whether your keyboard is corded, wireless, or Bluetooth. Then you might want to talk about how the operating system kernel processes input/output for peripheral devices and what happens in the networking stack when you hit Enter, encapsulating all the way from the application layer down to the physical layer. You might need to explain ARP, HTTP, types of encrypted DNS, routing protocols, load balancers, proxies, and virtualization. What is the difference between their production tech stack and their corporate tech stack?
How have they integrated work-from-home? Do they have a zero-trust solution implemented? Forty-five minutes in, we get to SYN-ACK, ACK. And then another 45 minutes in, the page displays, and I can actually see what’s going on. And that is just defining the environment, because we haven’t even talked about cybersecurity yet. You’ll need to be prepared to discuss potential threat models and points of failure in this entire system, whether it’s hacking-related or the usual IT problems. Then you’ll get to explain how you would defend against those threats and fix those problems. This isn’t something that you can just learn overnight, since your pre-memorized answers are going to come apart with just a few more probing questions. Focus on reading and learning every day to continually build your baseline knowledge of how the cyberspatial world works so that you can answer the DNS question. The second way to fail a cybersecurity interview is if the interviewer asks you what you’re doing in your free time, and you tell them you like to smoke barbecue and go hiking, because now you’re missing out on the chance to demonstrate that you have a passion for the domain and a self-directed learning ability.
This can be everything from a homelab, crafting things in a makerspace, capture-the-flag competitions, or contributions to open-source projects. Most of the teams you’ll be working with tend to be resource-strapped in terms of technical talent and staffing, so you’re expected to be able to quickly learn your way out of a day-to-day problem. And having an active side project is one of the best ways to demonstrate that you can regularly do that. They’ve said, “I can learn.” Okay, go learn. “No, I want the company to teach me. I don’t want to learn and not get paid for it. I see that as a risk.” Go take the risk. Go take it. If the company is telling you that you need to know this for this job, go learn it, period. Or you are not a candidate for it. And speaking of risk, there’s a level of reciprocity when it comes to principal-agent relationships.
The more risk that you, as the agent, are willing to take in terms of investing in your abilities, whether it’s time, money, or opportunity cost, the more you’ve de-risked things for the principal to do business with you. And hence, they’re now more willing to take some risk as well, on you. Another way to fail your cybersecurity interview is not even getting there in the first place. I always get a lot of comments about how important certifications are for cybersecurity because that’s one of the few things HR professionals know how to select for, so there’s the keyword-matching value of not getting your resume automatically filtered out because those certs aren’t there. While true, there are almost always two doors into any system: the front door and the back door.
Going through the front door has the problem of not even getting seen, since there are a lot of systemic issues when it comes to hiring for cybersecurity. Some applicant tracking systems might not even be able to scan technical terms correctly because they were outsourced to generalized parsing companies or written in-house by interns. In other cases, the technical terminology and keywords on your resume don’t match what HR is scanning for, so in this case, you’ll fail the interview by default because it won’t even happen. So if you look at a job description and they spell it “cyber-security,” you’d better change it to “cyber-security” in your resume too, and then work it out from there. So remember to tailor your resume and cover letter to align with the job description and the context of what the company is actually looking for. If you want to boost your chances of getting an interview, use the back-door approach by getting an internal referral from someone who works at the company, or being friends with the hiring manager on the team that you’re trying to join. Businesses know that the most successful hires tend to be people referred by their existing employees, since social networks are one of the best filtering systems out there. If I vet someone who’s unqualified, it makes me look bad, whereas if I vet someone who’s highly qualified, it makes me look good, so there are natural human incentives in place. Creating content, being known for your side project, networking, and getting involved in the greater cybersecurity community are all ways to connect with people in different companies, which gives you more opportunities to get that internal referral. The fourth way to fail a cybersecurity interview is appearing unprofessional. The circumstances that you first meet someone in will shape how they see you for almost the rest of your life, since people will recall those same instances down the road when they think of your face and name.
For in-person interviews, you’ll probably have a quiet environment, decent clothing, and perfect audiovisual bandwidth.
In a virtual interview, your quietness, clothes, and camera might not be ideal, but it’s still your responsibility to control and fix them. Is your microphone picking up environmental noises? Is your camera at eye level? Are you making eye contact with the lens? Do you have decent lighting that separates you from the background? Is your background messy and distracting? Do you have slow upload speeds or high latency that make the picture pixelated or increase audio jitter? These are all factors that you can control on your own end and that can make a huge impression on other people, especially in a cybersecurity interview, where you’re likely expected to be working remotely. If you don’t know where to start, check out our video on how to look and sound good in a remote work environment, link in the description below. Next up is failing because you’re unprepared and don’t know much about the company you’re applying to.
If you don’t do the right due diligence, you’re going to have a hard time answering questions like, “Why do you want to work here?” or “What is it about our company that excites you?” Journalists are some of the best OSINTers out there, especially investigative ones, and they’ll go after the data sources that technicians tend to avoid, like court records, earnings reports, press releases, and corporate registrations. At the macro level, you need to be able to understand where the company is going and what challenges they’re dealing with, what their funding or financial prospects look like, and what projects they’re working on. At the micro level, follow the specific team within the company you’re looking to join. People within these teams will often write content and publish research relating to what their team is doing. Then communicate your abilities in the context of what the company cares about. Journalists will also interview people. Lots of people. So find someone who’s been at the company and take them out to lunch or schedule a video chat with them. While you’re at it, find out if the company is the right culture fit. One aspect of this is bureaucracy and scale. If the company you’re applying to is a very large and established firm, whether it’s tech, insurance, or energy, there are going to be people and policies that are old enough to be your grandparents. Younger, challenger-type companies give off a different vibe of being less bureaucratic but also less mature and consistent. The amount of personal freedom and responsibility you’ll have as an employee will vary depending on these factors. Another cultural divide is in the values of the company. Some firms focus on performance and the bottom line, while others are riding the ESG bandwagon. ESG is a trending term that stands for Environmental, Social, and Governance, and it’s a way for companies to virtue signal that their business practices are positive for humanity and the environment.
Now, understand that not all of this is true across the board, because different teams within the same company may also have cultural contrasts with the parent, so good due diligence at the macro and micro levels will help you out. At the end of the day, all the business owner or executive really cares about is how much value you’ll add to the company, whether it’s money you’ll bring in or problems you’ll be able to solve, which tend to be people-, process-, or technology-related. So there’s a lot to pick from. The final way to fail a cybersecurity interview is personality and decency issues. Depending on the amount of practice, we all have different social baselines. When it comes to cybersecurity interviews, a lot of it’s going to depend on the interviewer. If you’re too formal, you’ll come across as stuffy and wooden. If you’re too relaxed, you’ll be seen as haughty and arrogant. In any case, you’re going to want to develop the minimum amount of self-awareness to avoid flukes like not showing up, not getting on the call, not looking presentable when you come in, showing up for company A and mentioning that you’re interviewing with company B, consistently mispronouncing the interviewer’s name or saying the wrong name completely, not reading the room and maybe cursing or swearing at the wrong time, or showing that you’re just not a good person. If that is a failure in who you are, you’re probably going to want to go see a counselor, because that is much, much harder to deal with than where you are and what your knowledge, skills, and abilities are. All in all, people want to work with other amazing people. That’s what makes work exciting or miserable. Develop inside of yourself those same qualities that you find attractive in others, which will make them more attracted to you.
So go into that interview understanding what the company is about, how you’re going to add all sorts of value with your talents, and prove it in advance through some tangible outcomes you’ve achieved in prior experiences both on the job and on the side. So that’s six ways to fail a cybersecurity interview. You can find my conversation with Stephen on our channel and in the description below. Remember to like and subscribe with notifications if you enjoyed this video and found it worth sharing. Thanks so much for watching, and I’ll see you soon!