Finding a New Infosec Job - Part 3 - The Interviewing
Howdy howdy, it’s been a bit, but good thing I wrote this in advance! For this post, I’ll be talking about how the interviews I completed went. Most interviews followed a pretty standard process:
- talking to the recruiter
- talking to the hiring manager
- some technical prescreen
- virtual on-site
- final questions and follow up
- a decision
A lot goes on here, and having been on both sides of the process, I’ll have some thoughts on both.
You will likely speak to the hiring manager during this process. I cannot stress enough how important this part of the process is. You will be reporting to this person and they will be making critical decisions about where your career goes. Some of the things I want to get an idea of are:
- Do I get a good vibe from them?
- Do they know what I would be doing and have they done it themselves?
- Do they seem competent, trustworthy, understanding, and like they would be a good leader?
- Do I expect them to treat me fairly?
- Do they speak negatively about people currently on the team?
- Do they say things that make me think they empathize with the people they manage?
- What can I infer about their management style?
This is so hard to do right in a 30 minute to an hour interview, but I hope you feel like you’re talking to someone you want to work for. Too often, the manager/employee relationship can be a difficult one where managers have a disproportionate amount of power over the employees. Does your future manager seem like someone who wants to empower their employees? Do they seem like someone who respects people that report to them and treats them as equals with just a different role? Can they give examples of that? Good questions might be something like:
- How do you think your former or current reports would describe your management style?
- Can you give me an example of where you had an influence on the direction of one of your report’s careers?
- If you have two employees who strongly believe they can solve the same problem in conflicting ways, how do you mediate that?
If you feel you need more time, ask for another call with them, but have at least some specifics to talk about. It can be a few high level questions you can expect to discuss in depth for a while or a lot of small specific questions, but you are going to be giving a lot of your time to this company and this manager will be one of the people who has the most direct impact on how that will go for you. If they’re not willing to set that up, how do you think it’s going to be working for them? Is that a role you want to commit to for the foreseeable future?
Everything is still really early for me in this new role, but I have a really good feeling about the situation I got hired into. The team seems great, the manager seems great, the indirect manager seems great, and I am generally excited about the situation I am finding myself in. (edit: Since that was written about a month ago, I do want to follow up and say things are still looking really good.)
I completed two very different interview projects and would have been assigned at least one more had I not cancelled the interview process with a company. Both gave me a week to complete the project, and more time if I needed it; one was expected to take about 6 hours and the other about 2-3 hours. I completed both and did them well enough to advance to the next stage of the interview. The first project took me 8-9 hours spread out over a full week and the other took me about 3 hours over a single night.
These projects were example projects meant to test my skills in incident response, software development, infrastructure management, and ultimately documentation because I had to explain what I did. For the longer, more involved project, I passed the standards they tested me against and only had a couple of questions about the exercise during the interview.
I felt like I spent more time on the longer project than it was used in evaluating me as a candidate, but of course I don’t have a view into what the interviewing team saw and evaluated so that might be entirely wrong. The other project took me about 3 hours, but we spent a good chunk of the interview talking about my results and methods, and I felt like it was a proportional part of my evaluation.
I don’t have a solid answer on whether you should do these or not. The idea of doing “Free Labor” for a company (e.g., “Fix this problem we have in production now and maybe we’ll hire you”) seems exploitative and I don’t think either of these projects was that (lol I hope they didn’t put my project into production).
The fact is, they are stressful, often require more time from the candidate than they do of the interviewer, they can require skills you don’t have or have slipped on (your 30 minutes to build web app might be a 3 hour to build web app for someone else even if you both produce something of similar quality), and ultimately I think this process goes better for the candidate if they get feedback on what went well, what didn’t, and some kind of reasons behind the pass/fail. Otherwise, imagine how frustrating it would be to do 4 of those projects and fail them all without feeling like you’re getting any feedback on why you failed.
This just seems like some kind of rite of passage we’ve all come to accept. These are hard for the candidate, they are mentally exhausting, it’s hard for employers to do them right, it’s hard to do consistently, eliminating bias is tough, do they even measure what they think they do and on and on and on.
A line I used a lot was “We are going to go through some scenarios and scripted questions with you. There is not a specific right answer we are looking for and while there are probably some wrong answers, what we’re really interested in learning is how you approach problems, what kinds of questions you ask in unfamiliar situations, and how your experience informs how you solve problems. If something is unclear or you want more context, just let us know.” This gives the candidate immediate room to relax and understand there’s no specific secret they need to unearth, they just need to approach the problem and reasonably solve it.
For example, in an IR interview, if the question is how to respond to a malicious document downloaded to the user’s workstation detected by anti-virus, there are a few different reasonable steps you could take here, but a completely unreasonable and wrong answer is to immediately shut down the entire corporate VPN in response to a maldoc being downloaded.
It is entirely possible the candidate is nervous, forgets a step here and there, and still “passes” this section of the interview, but it’s going to take an unqualified candidate to give a completely inappropriate answer. Follow up questions help you identify more closely how qualified a candidate might be, but I always tried to keep in mind that there are a lot of people who could potentially do the work we were hiring for.
I don’t think we should be looking for the absolute best candidate for the job, but you’re looking for someone who can do the work and do it well. Despite all the work both sides put into this process, you really don’t know how someone’s going to perform until they’re on the job.
How well this goes depends on the candidate and the company. How well does this company do these interviews? Do they have a real process? Do they publicize what it will be?
There are some companies that do this really well and there are some that simply do not. Look at GitLab’s documentation on how they conduct interviews. There are acknowledgements of how difficult it is, advice for both sides, and a clear understanding of what the process is and should be. It’s really easy to expect a structured, productive process from them.
Many of us have had an all day interview where it just feels like you’re talking unscripted to random groups of people for 6 hours. Those can be all over the place, from excellent to awful, depending almost entirely on the skill of the individual interviewer.
Whatever situation you find yourself in, interviews are a two way street. If an interviewer is giving you an unclear question, ask them to clarify. If you don’t think you have enough context to answer, ask for more context. Don’t forget you made it as far as you did for a reason, you have skills that they want and it’s important you get your best opportunity to demonstrate that.
I don’t know what section this fits in, but usually in the all day interviews, I try, as a candidate, to ask at least 1-2 people I feel I am getting good rapport with a question like “If you had a candidate you really wanted to work at your company, what’s something you hope they don’t find out before they accept the offer?”. I will often add context around how one previous company I interviewed at many years ago told me that everyone quit and they’re essentially relearning undocumented parts of the production environment as things break and they fix them. You’re not trying to learn what laws they’re breaking here (hopefully none?) but you want to ask them a difficult, possibly uncomfortable question and get a good idea of a challenge you will see and if they deal with that question honestly.
Every company has its challenges. If you’re accepting a role somewhere, that’s your challenge now and it’s good to be informed up front about whether or not it’s something you want to take on. Or not, I dunno. I seem to interview once every 4 or 5 years, so maybe I’m not as good at this as I think.
Even good interviews can be tough. They’re stressful, a lot of them are over Zoom now, you don’t always know how you did, and you don’t always know what to improve and how. It’s frustrating that I think a lot of interviewers and candidates are learning to navigate the process together and interviewing is always something extra people do on the side of their main job.
There’s people who have been on both sides of a lot more interviews than me that might have different or additional advice on these things, but I hope this at least gave you something to think about. If anything, you’re interviewing them too and if you get a job offer for something you don’t feel entirely comfortable taking, I hope you have the option to treat it as an offer and not as something you have no choice but to accept. If not, I hope you can gain skills and experience that make your options more flexible in the future. Thanks for reading.