How to prepare for your first infosec job hunt

You’re new to the information security industry and you’re wondering what to expect during an interview. A quick online search will bring up horror stories involving large IT corporations asking absurd questions like “How much should you charge to wash all the windows in San Francisco?”

You sit in front of your computer and you wonder why the university or that expensive certification hanging on your wall didn’t prepare you for this type of situation.


A college education will always look good on your resume, but plan to back it up with actual knowledge. Those who have been in the industry for a while will tell you that a well-rounded education is definitely a plus, but nobody is going to hire you just because of a piece of paper. You will be tested.

The ongoing debate on the usefulness of certifications has strong opinions on both sides, but there are plenty of roles that will not hire someone just based on their experience. Remember, in bigger organizations you still need to pass through HR before they put you in the interview room with the technical executive.

“As the security industry grows up we are able to rely on formal education more than in the past. I think IT had an age when proven experience won the day, then we moved to certifications, and now in a lot of ways we need to be more accepting of the new degree programs that are available vs. certifications being mandatory in the HR process. For example, I have one posting now where I can hire contractually a person with a CompTIA A+ for a security role but not a person with a Masters in Cyber Security,” Jason Oliver, CEO at Tikras Technology Solutions Corp., told Help Net Security.

“I think it’s important to be a lifelong learner in security, and whichever way you want to do that is fine,” Oliver added.

How to prepare for your first infosec job hunt

Oliver offers a variety of practical tips for those of you who are just getting into the job market and searching for your first job.

  • Work on knocking down the things that will place roadblocks in your way to avoid a glass ceiling. Don’t wait until you need something like a certification, a degree, etc., to start.
  • At the end of the day, in a lot of ways security is an IT specialty service. In most smaller places it is mixed with normal admin duties, so take a good look at the security domains and see how jobs outside of formal security can and have provided you with security experience, and tailor your resume accordingly. If you can’t work with the technology you most likely can’t secure it.
  • Spend time in the community, join or attend local security meetups, be it DEF CON, a Hackers Association, OWASP, etc., and meet people in the community. Security is still a place where at the junior level that first job is a break that’s earned with proven skills and experience in a lot of cases.
  • Look hard at the sectors of security that have the ability to be flexible related to HR requirements; you will find that the 0-2 yr experience jobs are really hard to find. This will take some networking on your part.

One of the ways to get in front of a targeted audience and entice job offers is to speak at one of the many infosec events around the globe. I’ve recently written an article on how to get your talk accepted at Black Hat, which contains practical advice you can use for most events.

Getting ready for an interview

1. Research the company, the executives, and the job you’re applying for

Just because your focus is on information security, it doesn’t mean you’ll work for an IT security company. With security dominating the headlines, more and more organizations of all sizes are opening security roles. Naturally, this doesn’t mean you’re excused from knowing what the company does. Checking your potential employer’s press releases, social media accounts, and blog posts is a good place to start.

The same security job title can include different responsibilities and skills, based on the type of business you’re targeting. Investigate the requirements for the role and be equipped to tackle specific questions.

2. Common questions

Let’s say you’ve spent a considerable amount of time in front of the keyboard and, at this point, you find yourself proficient in anything the desired role can throw at you. Still, in all likelihood, not everyone interviewing you will be a technical person. You should still expect to answer questions such as: “Where do you see yourself in 5 years?”

Focus on your accomplishments and provide general examples of how you excelled in your previous position, or why you believe your background can help you thrive in the position you’re applying for.

3. Don’t be afraid to ask

You’re applying for the job, so you obviously want it. But, remember that a job is more than the salary listed in the advertisement. Ask the interviewer questions about the things that are important to you, for example:

  • What is expected from someone who is hired for this position?
  • Does the company provide ongoing education and certification?
  • Can you advance within the company?

And, if you’re not sure what exact position you’re after in the information security industry, I suggest you take a look at Breaking into Information Security, a practical guide for people outside and inside the industry.
