5 things to remember when looking for a security position.
Banner from https://www.rozsavage.com/the-courage-to-be-true-to-yourself/

I am constantly looking for ways to give back to the wider hacker/security community and found that this may be a good way to do so.

A brief intro. My name is Charles and I am the COO for RedBlue Sec, a trusted security recruiting partner in the USA. We cater for technically advanced Infosec positions. We do this by having a long-standing relationship with the hacker community, attending many conferences and also being a part of them (Organising, volunteering and talks). Enough about me, let's talk about you!

1: Fake it till you make it = Failure

The Challenge: This is a saying that I believe was made popular/famous by Richard Branson (Unverified). The premise is that if you don't quite have the knowledge or experience to do something, or believe you can't truly fulfil your duties in a new position, you just fake that you can and then grind to actually figure it all out. People need to take a step back. Just because you are degree qualified or have experience or whatever, it does not mean you are useful to the specific company you are applying to. Gary Vaynerchuk recently did a talk in Singapore mentioning how flawed this is. Here is the definition of the phrase:

"Fake it till you make it" (frequently 'til you make it or until you make it) is an English aphorism which suggests that by imitating confidence, competence, and an optimistic mindset, a person can realize those qualities in their real life.

The Solution: There is nothing wrong with challenging yourself. In fact, this is good and healthy. Go for that position that's 1up or 2up from where you are. SysAdmin, gunning for that Security Engineering position, or the Pentesting position? Hells yeah! BUT, make sure you are competent at the core tasks, systems and duties required of you. With hiring trends and processes these days, if you bite off more than you can chew, you will get caught out, and this can lead to an embarrassing situation that can leave you mentally stumbling and with a knock to the ego.

Take Away: Be honest with a recruiter or employer! If, for example, you are asked about your experience with scripting language "X" but you are much more experienced with "Y" and the syntax is similar, be straight and say "Look, I don't have experience with X, however, I am very strong with Y, and know that the syntax is similar so I believe I could pick it up fast". Remember, not all recruiters have the technical savvy to know about cross-language syntax, so help them out there. If you "gun" for a position that's completely out of your depth, you might just make it, but more often than not, you won't and will be left with battle wounds that will take a long time to heal. Challenge yourself, but be honest with yourself.

2: Fight the Power!!

The challenge: Recently I did a call with someone that was having bad luck in interviews. On paper and technically the candidate was brilliant, but in interviews, they would stumble on a tricky question, and that would cause a domino effect for the remainder of the interview. Who truly holds the power in the interview?

The solution: Who really holds the beating stick in an interview? Quite simply, you both do. Why is this company recruiting and interviewing for this position? Because they need to fill it. There is a demand for the skillset, and the company needs it. Now, what about you? Do you think that you are on the weaker side of the scale because you are looking for a job, simply at the mercy of the industry? NEGATORY! I believe that in an interview, both sides hold equal power (especially when you really are a fit for the position). Did you know that a probation period at an employer works both ways? The interviewer is verifying whether you are a fit for the position (by education, certs, experience, culture etc.) BUT you are also in a seat of power, because in the end, if they want you, you can simply decline an offer.

Take Away: When you fit a position, remind yourself, "I HOLD POWER like THEY HOLD POWER". Sure, they want to see if you can walk the walk, but you're also here to see if that's a walk you want to engage in.

3: Interviewer OSINT and proverbial line crossing

The Challenge: Do you know what gets on a client's nerves? Do you know what loses you "50 brownie points" in the first 15 seconds of your first interview? Did you research the company? Did you look on LinkedIn to see whom you are interviewing with? Where they worked, what they studied? What they post on Twitter? Did you see if you could find any common ground? "Oh hey, you were at Carnegie Mellon? Cool, I was there as well". "Fishing, I love fishing". Know your audience and do some research. The other layer to this is that it shows the potential employer that you are interested, that you did your homework, that this is not just a money move (even though it might be). Imagine going on a date and showing no interest in the other person?

**Side Note: I once did that, miraculously it worked out for me, and she is still the missus. But remember, "The rule vs the exception"**

The second part. Can you go too far? The answer is simply YES. It's important to do your research but do not deep dive. Don't start Social Engineering the interviewers. Do not start seeing if you can crack their passwords. If you have an Onsite for a Red Team position, don't red team your way in. This immediately casts doubt on your moral fortitude.

The solution: Read up and take notes on the people interviewing you. Do research on the company, its history, its current status and plans for the future. Study this. Become informed. If you can find some common ground talking points it helps break the ice and shows you are interested.

Take Away: Knowledge is power; creeping out an interviewer is counterproductive and is probably going to end up in a "Thanks for your interest, but you were unsuccessful" obligatory email. In Infosec we have this very fine line, where you, the hacker, have far-reaching abilities, and you are simply expected to keep them at bay and not do shady stuff, like a chained-up attack dog foaming at the mouth. Keep it cool, get the job, then that company will cut you loose and the hunt begins.

4: Compare apples with pears.

The Challenge: This is something that does happen and causes frustration for both agencies and employers. You know that job I sent you? The Pentesting job? Well, I thought you were a fit for that job, hence me messaging you. If a recruiter contacts you for position X, you state you are happy with position X, the recruiter sends you over and you get an interview for position X, DO NOT say in that interview, "Well, actually, I'm more interested in doing this" (where "this" is either a completely different role/department at the employer or a field that this company has nothing to do with). It's not going to work. You have just wasted around 3-5 hours of 3 entities' mutual time.

The Solution: Stick with your guns. If a recruiter contacts you for a position that is not a fit, or you don't want to do it, tell them. If they decide to do a call with you, take the call, and don't try to fool anyone. If you are interested in the company but not said role, tell the recruiter. What the recruiter will do then, if they have the scope for it, is send you over saying either "We have this candidate that we contacted for position X, but they are more keen on Y, or a hybrid of the 2, can we work with that?" or "I have this great candidate that I contacted for position X, but they are not keen on it and are interested more in this 'Idea' of a position, do you think there is scope/need for this skillset and can we make something happen?"

By doing this, right from the start, your intentions are clear. A lot of companies will roll with this, and on your first interview with the company, this can be an open discussion as opposed to the employer becoming very confused and you making a bad first impression.

Take Away: Be straight, stick to your guns and be honest. You would be surprised what can be done and created. If the role doesn't fit, don't pursue it.

"This is your last chance at a first impression"

5: The Shape-o-Toy conundrum

Firstly here is a picture of what I am talking about, in case you don't recall it from your toddler heydays!

[Image: a Shape-o-Toy]

The Challenge: The Shape-o-Toy was a favourite of mine and many other 2-5-year-olds. You know how it works, right? Put the right shape in the right hole and hey presto! When you are a noob at it, you seem to think you can make the pentagon fit in the circle-shaped recess.

You are an individual, with a certain past, a current skill set and level of experience. You have a plan for the future and what you want to achieve. Most of us do. If you are dealing with an agency or a company, and they have not got a position for you, then they simply don't. It's not a reflection on you, your skillset or your ability. There simply is not something available that suits you. This is why I used the reference. No matter how good you think you are or actually are, there is simply no recess or gap available. Also, if you aren't a fit, you aren't a fit, no matter what you think.

The solution: Stay in touch with recruiters you know, like and trust. Recruiters that "Get" you. If they don't have anything for you, they simply don't. Stay in touch, every 2-4 weeks or so, but not daily. That's where things become tricky and uncomfortable. Sadly, it's important to note that if someone has represented you and interviewed you for a position and you end up blowing it (on advanced-stage interviews), a recruiter would be inclined to try you elsewhere, but if you blow it again, most will put you on ice for a year or so. It's important to note that by "Blowing it" I do not mean you interviewed and were rejected for, say, lack of experience or not entirely being a culture fit; I am talking about really messing up. Telling the company/recruiter with concrete confidence that you are a ninja with something, and then, when you are on your onsite, you bomb out on the most basic level question or test. You cause a scene. You go in confident but actually it's seen as outright arrogance. This is what I am talking about here. No matter what you think, you simply can't force the hand. Your shape does not fit the recess.

"Humility will open more doors than arrogance ever will." Zig Ziglar 

Take Away: Keep in touch, within reason. Don't get negative with someone that truly wants to help you find a gig because they simply don't have anything for you. They may post a job that you think you fit, and you should ask them if it's a fit, but if they say you aren't, it is a calculated assessment made after knowing you and your abilities, and also knowing the inner workings of their client and what works with them and what does not.

Final Thought: We are lucky and privileged in this industry that there are more jobs than there are people to fill them. It's a candidate's market. Yes, this positive side has a negative implication, with getting spammed 10 jobs a day, most of which are not a match, but remember, these are the right kind of problems to have. It's crucial to remember that your skills are in need; work more on the opportunities that fit and work. Be straight about who you are and what you can bring to the table. Believe in yourself but show a sense of humility and empathy. Master the art of balance and hack the planet!

--------------------------------------------------END-------------------------------------------------------

I hope these tips help. I hope to do this more and help where I can. I think I can summarise this entire article with one sentence, and that is

Be true to yourself, and the people you deal with.

Be sure to check out my other article on if you want a perspective on what got me started in Infosec and leave a comment! Would love to hear your thoughts!

Special thanks to Michele Schreuder, SanctusM for the input/assistance, Jimmy Shah, @c0Ba and Styx for the proofread!


Himanshu Warthi

Sales Manager at Promologik

3 years

Amazing read Charles. Wish everyone would go through these prep notes before interviews, making a person more confident about their skills. Wish I had these in my early days.

Thomas Atherton III

Network Engineer 2 at Comcast

5 years

This is a fantastic article! I always take a few minutes to reply to recruiters if they are contacting me for a position, even if I'm not interested. Like your article said, keep your intentions clear and in check. Great work!!
