Thoughts from conducting Jr security analyst interviews

Danielm7 · May 2016

Since so many people here are interested in breaking into security I figure I'll add my recent experiences with trying to hire people into exactly that level of jobs. Kind of a rambling here, but so far, not awesome.

I made this transition myself, I have a soft spot, I'm not super judgmental, I give people plenty of time and tips in interviews in case they are nervous. I joke around with them to try to lighten the mood, I'm looking for people with basic skills but a lot of interest that get along with everyone. The first round is a phone screen.

A few things right from the top, every person applying has a BS in IT or IS, most have a concentration in infosec and risk analytics from a few local, highly regarded, B&M schools. All of them have prior experience in IT even if it's just a few internships. Some of them were grossly overqualified, if you have a BS in CS and an MS in IT, 10+ years of experience and 2+ years in security specifically and are currently a security engineer, why are you now applying for a contractor jr level role? Most of them are people who want to transition into security and have some certs or are studying for them, related degrees and general IT experience.

So far, kind of dismal, which really surprises me. I ask very basic questions to get a baseline and allow them to go deeper from there. I tell them openly at the start that I have some different types of technology and terms, if you don't know what it means at all, just be honest, if you've used something related, then tell me about it, if you know a lot about it then by all means blow me away with details. If they seem really nervous I even tell them if they're having brain fog just tell me that and maybe we can figure out what they are trying to say. If anything, I'm leaning towards being too nice so I can find someone with a lot of interest who gets along well and wants to learn.

One of them was clueless on almost every question, then nailed almost ever port question immediately, which to me means he had a sheet of them in front of him. The same guy couldn't even tell me what 2 factor authentication was, or even tell me why you'd use a VPN or what it even does, but within a millisecond told me port 21 was "ftp control", not even just ftp, ha. Another person said they had a degree in security and analytics and listed excel as a primary skill, twice, and when I asked about excel he said that his last job exported info to csv and he expanded the columns and saved it as excel.

I understand everyone is looking for different things. But, please, show passion or even a strong interest. If you're reading here you're already a step above what I've seen for interest. Don't say you're a "security guy" and when I ask what you do to keep up with security news you reply with "I read yahoo news and I'm sure the big security stuff will show up there".

Just trying to start a topic I asked if they have any preferences in operating systems, know any linux? So far I've been told, "no preference" so I asked what they use, it actually took probing questions to find out they use only windows. That's fine, but clearly you have a preference then. Someone else asked on the call, OK so if you want to get your IP address in windows, what do you do? The reply was "I guess ping?" This is stuff I'd expect a first day helpdesk person to be able to answer.

Tips so far, if you are really excited by security, please try to show it. I ask if you even have anything interesting at home you've done, lab, etc, or even at school, anything? Be ready to talk about these things. If you're interested then you follow a few sites, twitter, whatever, be ready to talk about that and show you actually care. Don't say you follow security news and then you can't tell me what ransomware is outside of "ransom for your computer?"

Brush up on the basics, security isn't just watching a screen, I expect you to know networking basics, OS basics. Even if all you've done is read about something and you're interested you should be able to express that clearly.

Also, have some good questions ready, I don't care about the history of the company or stock prices, you can wow HR with that if you want, but ask me about the job, about how it is to work there, what you'd be doing if you're hired, etc. I haven't gotten a single question like that. Instead I'm asked "what's the best security certification?" Show me you actually are interested in the job.

I don't want to post the whole list of questions here as I'm not nearly done interviewing.

/Giant wall of text rant mode off

markulous · May 2016

Great post!

I'm trying myself to get into a junior analyst role and it's kind of surprising that those people couldn't ask those simple questions. I try not to be long-winded but I at least try to show interest with Splunk, news, Kali, etc.

Did these guys have any IT experience? You're kind of getting my hopes up on breaking into Infosec because I can answer what a VPN is used for or what 2-factor authentication is

Dojiscalper · May 2016

It's awesome that you're trying to understand the interviewee side and give them room to prove they want the job. I myself need to be interviewed by you, lol I have plenty of knowledge and experience but in an interview "brain fog" is exactly what I get. Sometimes I can't answer the most basic questions.

Mooseboost · May 2016

I certainly appreciate the type of interview you provide. Working for an MSP that provides firewalls, I work with a lot of various IT departments for other companies. Sometimes I shake my head and wonder how they ever got their position - let alone when I speak to their senior staff. I can only imagine what kind of questions must have came up in their interviews and how they responded to them. It leads me to believe that a lot of the people in these positions never had a real technical interview or never had anything on their resume tested - for example if someone has a CCNA on their certification list and they didn't **** it, they should be comfortable with discussing L2 and L3 communication.

I can understand not being confident with troubleshooting if you don't have experience. Understanding concepts and being able to troubleshoot them are two different things. That being said, I would fully expect them to have enough of the theory understood to lead them into troubleshooting or at least understand where to start.

A perfect example of this happened a couple of days ago. I was working with a network engineer, a new guy who had been there about 6 months - claimed to be CCNP. Which I know because he very proudly announced it at the beginning of the call and to let me know he knew far more than I did *eye roll* He was claiming that the firewall was preventing communication between their desktops and an internal server. Now mind you, the server and the desktops are connect via a switch and are on the same broadcast domain and our firewall is a perimeter device. He kept demanding that I run packet captures from the firewall to find out why we were blocking the traffic... Now, mind you again - he can ping the server, they just can't log into it. My suspicion was invalid credentials or RDP wasn't enabled on the server (Their "server" was actually just a Win 7 machine that they host some local files on) - I kept trying to explain to him that I don't even see that traffic because it doesn't run through the firewall. He wasn't having it. I tried my best to explain the network theory to him, but he just insisted that I didn't know what I was talking about. Finally, I have him run a continuous ping from one of the desktops to the server - they all respond. I babble for a little bit and he forgets about the ping. I have him disconnect the firewall from their LAN and then remind him of the ping. Of course, I get told I am pretty much retarded for claiming the pings will still be going and that they should hire someone better than me.. But lo and behold, the pings - they are still running. He tries to make up some BS about how the responses were just responses to cached pings!?!? At this point, I feel confident enough to disconnect the call.

My point with this engineer in specific was that I am sure he had an awesome resume. I cannot imagine that he had any kind of technical interview. I could see this maybe with someone who at an entry level position - but he was in control of their entire network. If someone had simply asked some basic networking questions - they would have know that he probably didn't obtain (if he actually had it) that CCNP legitimately and that he was simply interested in either that title or that paycheck.

Sorry Daniel to throw my rant in. In a shorter version: You are the kind of person I would want hiring my employees for technical positions. All kinds of people apply to positions, and some get them without even knowing what to do in that position. I run into so many people in IT who don't really want to be there, they just thought there was good money in it.

dmoore44 · May 2016

I've been doing a lot of interviews over the past few years for everything from Jr. level analysts to Sr. level analysts... and I have to say that that the quality is lacking overall.

Knowing a tool does not make one a security analyst. I don't care if you perform the updates to SEP, EPO, or FireSight, or that you've installed ArcSight, Splunk, or ELK, and I also don't care that you've opened tickets generated from those systems. I don't want people that are tool bound - I can teach a person how to use tools faster than I can bring them up to speed on OSes, networking, enterprise architecture, web applications, etc... What I want is people who can take the output of the tool and do something with it.

To that end, experience with a tool set isn't that important - it's what you can do with the output of the tools that makes you a good security professional. And, to go a step further, once you've identified that something's not quite right, can you turn that in to a method to go and find other machines exhibiting the same behavior? If there's a bunch of the same type of bad on the network, can you automate a detection? If your spidey sense tingles because something just seems off... what sort of methodology would you employ to verify that there's bad? If I give an analyst a memdump or a procdump or some logs, can you comb through them and report back the things are abnormal for the environment?

In an interview, I don't expect the guys looking at a Jr. level position to know all of the above - that's not realistic; but as long as someone is going down the right path, I'm willing to give them a shot. If i'm interviewing for a Sr. level position, they'd better know a good portion of the above.

markulous · May 2016

WTH are cached pings?

Dojiscalper · May 2016

Mooseboost, totally agree. I see it all the time as well. Troubleshooting is a skill and it takes experience to get it right.

ThomasITguy · May 2016

Danielm7 wrote: »

Since so many people here are interested in breaking into security I figure I'll add my recent experiences with trying to hire people into exactly that level of jobs. Kind of a rambling here, but so far, not awesome.

I made this transition myself, I have a soft spot, I'm not super judgmental, I give people plenty of time and tips in interviews in case they are nervous. I joke around with them to try to lighten the mood, I'm looking for people with basic skills but a lot of interest that get along with everyone. The first round is a phone screen.

A few things right from the top, every person applying has a BS in IT or IS, most have a concentration in infosec and risk analytics from a few local, highly regarded, B&M schools. All of them have prior experience in IT even if it's just a few internships. Some of them were grossly overqualified, if you have a BS in CS and an MS in IT, 10+ years of experience and 2+ years in security specifically and are currently a security engineer, why are you now applying for a contractor jr level role? Most of them are people who want to transition into security and have some certs or are studying for them, related degrees and general IT experience.

So far, kind of dismal, which really surprises me. I ask very basic questions to get a baseline and allow them to go deeper from there. I tell them openly at the start that I have some different types of technology and terms, if you don't know what it means at all, just be honest, if you've used something related, then tell me about it, if you know a lot about it then by all means blow me away with details. If they seem really nervous I even tell them if they're having brain fog just tell me that and maybe we can figure out what they are trying to say. If anything, I'm leaning towards being too nice so I can find someone with a lot of interest who gets along well and wants to learn.

One of them was clueless on almost every question, then nailed almost ever port question immediately, which to me means he had a sheet of them in front of him. The same guy couldn't even tell me what 2 factor authentication was, or even tell me why you'd use a VPN or what it even does, but within a millisecond told me port 21 was "ftp control", not even just ftp, ha. Another person said they had a degree in security and analytics and listed excel as a primary skill, twice, and when I asked about excel he said that his last job exported info to csv and he expanded the columns and saved it as excel.

I understand everyone is looking for different things. But, please, show passion or even a strong interest. If you're reading here you're already a step above what I've seen for interest. Don't say you're a "security guy" and when I ask what you do to keep up with security news you reply with "I read yahoo news and I'm sure the big security stuff will show up there".

Just trying to start a topic I asked if they have any preferences in operating systems, know any linux? So far I've been told, "no preference" so I asked what they use, it actually took probing questions to find out they use only windows. That's fine, but clearly you have a preference then. Someone else asked on the call, OK so if you want to get your IP address in windows, what do you do? The reply was "I guess ping?" This is stuff I'd expect a first day helpdesk person to be able to answer.

Tips so far, if you are really excited by security, please try to show it. I ask if you even have anything interesting at home you've done, lab, etc, or even at school, anything? Be ready to talk about these things. If you're interested then you follow a few sites, twitter, whatever, be ready to talk about that and show you actually care. Don't say you follow security news and then you can't tell me what ransomware is outside of "ransom for your computer?"

Brush up on the basics, security isn't just watching a screen, I expect you to know networking basics, OS basics. Even if all you've done is read about something and you're interested you should be able to express that clearly.

Also, have some good questions ready, I don't care about the history of the company or stock prices, you can wow HR with that if you want, but ask me about the job, about how it is to work there, what you'd be doing if you're hired, etc. I haven't gotten a single question like that. Instead I'm asked "what's the best security certification?" Show me you actually are interested in the job.

I don't want to post the whole list of questions here as I'm not nearly done interviewing.

/Giant wall of text rant mode off

Here are some good questions that I always ask in interviews

1. What constitutes success in this position
2. What is the management style within this company
3. What would my daily tasks be if I was hired?
4. What is the office environment like at this company?
5. What is the expectation of continuing education or learning new things on the job
6. What resources will I have access to, to aid me in this position

And here is how to tell if you will get a call back

7. What are your concerns or reservations for hiring me for this position, and did you need any clarification on anything not mentioned or we did not talk about????

boom.... *drops mic*

the_Grinch · May 2016

Gotta say I would love to interview with some of you guys as you interview in the fashion I most enjoy! After reading this, I felt you had your expectations in the right place and my agency is much of the same (would you fit with the team, do you have the aptitude to learn as you go).

This actually shows why I took programming languages off of my resume. I can decode and/or figure out what a program is doing, but writing code or answering questions on how I would do x or y is not something I would be able to answer in a manner that anyone would look at me as a programmer. One interview I had went really well and I thought I was done when the interviewer then said "now I will ask you some programming questions". Can you say deer in the headlights? I immediately stopped him and simply said "I realize it is on my resume and I can definitely understand enough coding languages to know what it is doing, but I would not be able to write anything without some assistance". Low and behold I still got offered the position.

As for the quality of the talent you've been getting seems to just be about par for the course. Part of me will say that given today's environment people are listing everything they've seen regardless of their actual knowledge of the concepts involved with it or the actual use of it (if it's a tool). Sadly, most companies hire for one position where they list the farm of duties (such that the position really should be two or three instead of one). Doesn't make it right on the part of the interviewee, but nature of the beast I suppose. I look forward to a day where I interview and there is a lab portion to the interview. That is when I know I could shine and knock someone's socks off

Mooseboost · May 2016

markulous wrote: »

WTH are cached pings?

Still trying to figure this one out LOL.

Mike7 · May 2016

Supply does not meet demand. There was a Forbes article that forecasts 6 million cybersecurity openings in 2019 with project shortfall of 1.5 million. So everyone tries to jump on the bandwagon.

Maybe look for candidates with no security experience but are doing systems admin, network admin or programming. They know how things work and if have the passion or interest are able to transition into security roles easily. Hope you get the people you need.

Christian. · May 2016

markulous wrote: »

WTH are cached pings?

It's a phenomenon known as ghosts pings. If you run a continuous ping, an echo is created in the network and it can reply back even if nothing is there. Similarly to what happens with light, you might see something that isn't there anymore. If you ping long enough, you might trace the beginnings of the corporate topology and it helps you to understand changes over time. That's explained in a hidden dark chapter in the ccnp, but it was removed after many people pinged Cthulhu by going too far back, waking him from his eternal sleep and destroying their minds. This is dark network stuff. That guy was just afraid to speak about it.

markulous · May 2016

Mike7 wrote: »

Supply does not meet demand. There was a Forbes article that forecasts 6 million cybersecurity openings in 2019 with project shortfall of 1.5 million. So everyone tries to jump on the bandwagon.

Maybe look for candidates with no security experience but are doing systems admin, network admin or programming. They know how things work and if have the passion or interest are able to transition into security roles easily. Hope you get the people you need.

From my experience there are a good number of people that do that. I thought the OP had some reasonable expectations; just someone with a decent base IT knowledge with a passion for security. Those companies that have been asking for 10+ years experience in every single domain of IT are probably pretty disappointed and will be more so when there are more positions to fill.

ratbuddy · May 2016

Mike7 wrote: »

Maybe look for candidates with no security experience but are doing systems admin, network admin or programming. They know how things work and if have the passion or interest are able to transition into security roles easily.

That's me. Currently employed as a programmer analyst, got my CCNA, almost done with a masters in infosec. I can answer the questions listed above in my sleep, and I've got solid experience in a corporate environment along with an 'extra' accounting degree to help ensure I understand business language and practices.

On paper, I have no security experience, but I'd make a better security person than many people who do have security experience. I'd love a position that lets me leverage my programming background, while expanding into security, but I worry that my resume would get trashed for having no security experience.

Mike7 · May 2016

ratbuddy wrote: »

On paper, I have no security experience, but I'd make a better security person than many people who do have security experience. I'd love a position that lets me leverage my programming background, while expanding into security, but I worry that my resume would get trashed for having no security experience.

You are probably doing some form of security in your current job but are unaware and do not speak "infosec language". Security is an essential part of IT; sysadmins needs to configure and harden the OS and software engineers need to do secure coding.
Perhaps look at some infosec books/certs to get that understanding. "Passion for security" includes reading security blogs, upgrading your security knowledge and going for that CISSP certification.

markulous · May 2016

Christian. wrote: »

It's a phenomenon known as ghosts pings. If you run a continuous ping, an echo is created in the network and it can reply back even if nothing is there. Similarly to what happens with light, you might see something that isn't there anymore. If you ping long enough, you might trace the beginnings of the corporate topology and it helps you to understand changes over time. That's explained in a hidden dark chapter in the ccnp, but it was removed after many people pinged Cthulhu by going too far back, waking him from his eternal sleep and destroying their minds. This is dark network stuff. That guy was just afraid to speak about it.

I legitimately lol'd at this at my desk.

IronmanX · May 2016

I started writing this before all the replies came in and have not read them yet:

I've got 10+ years of experience and I don't really work in the security field. I am currently 5 years into a jack of all trades system analyst position.

My first job out of college was a Security Admin position. I'm trying to think what I knew back then as far security goes. My college program was in software development, so not really a lot of security related topics covered. I applied for a Java Developer Position and was told I didn't have enough experience for the Java Developer position but they had a security admin position if I was interested. I think they saw on my resume that I had experience with Linux and Mainframes so thought I would be a good fit. Of course my resume was not geared towards this position as I applied for a Java Developer position.

I believe what got me the job was in the interview they asked about my interested in security and I said something along the lines of I've always been interested in security I broke my family's computer when i was 16 trying to install dual boot Linux so that I could play with security tools I had been reading about. I learned a lot from breaking that computer and eventually got it working. I think that was what got me the job.

any preferences in operating systems.

warning I start ranting here haha: I hate these types of questions.
You did write that you where just asking to start a topic and get an idea of what they are interested in.
However I've been in so many interviews where it is just ask a question write done the response no back and forth.
I have said something along the lines of I would use what ever the right tool is for the job. Of course they can't write that down as a answer and try to nail me down on one without them giving details and then it just turns it to me trying to tell them what they want to hear haha.

I'd be ok with if they came back with something along the lines of ok your going to write a python script what would you use. I would say Linux and VIM. They ask why and I would say Python and its dependencies are generally installed by default in Linux and VIM is my editor of choice in Linux. VIM is especially nice with the intellisense plug in. That would be my preference but doesn't mean it can't be done other ways.

But they never specify and I think because they feel they will give too much away. If they say doing C# .Net development well the answer is obvious, which it should be and 9 out of 10 people will say the same thing.

I think its ok to ask these types of questions as a conversation but when it an interview where they ask, write down your answer and move on to the next question i cringe.

Me saying it depends you use the right tool for the job looks like i'm side stepping the questions when these interviewers just want to write down what you answered. I feel like saying hey your doing some carpentry whats your favorite tool the hammer or the screw driver? Of course it depends on what your trying to do.

I don't really like "tech people" who take such strong opinions on tech. Debian is better than Ubuntu is better then Windows is better then Free BSD. Java is better then C# is better the C++ is better then Python is better then Cobol. Visual Studios is better then Eclipse is better the NetBeans is better then Notepad++.

I worked with a guy years ago who wrote an application in C++ to query a database and created html pages based on templates he coded in C++. When asked why C++ he answered because C++ is the best language and listed a bunch of reason why C++ tech wise is great. Great so you spend 2 weeks writing something in C++ that would have taken what half a day in PHP and html.

OK rant over and i'm not saying that is what you did when you asked him about operating systems because you did say you where trying to get more into their interests.

Danielm7 · May 2016

markulous wrote: »

Did these guys have any IT experience? You're kind of getting my hopes up on breaking into Infosec because I can answer what a VPN is used for or what 2-factor authentication is

Ha, well consider these were the people that weren't going on to round two! But yes, they all had experience, even if it was a few internships and school, that is something for sure. My goal was to get them to talk about the basics then dig in from there, if you can't even answer the most basic level then there is no point in getting into the nitty gritty.

DPG · May 2016

Many candidates have flat out lied to me and had to be called out.

Me: "You have a CCNA?"
Candidate: "Yeah, I took the classes about 8 years ago" or "I know OF the CCNA" or "Yes. I have a CCNA"
Me: "Can you send me your certificate Verification Code?"
Candidate: "Sure." (Never hear form them again) or "Well I don't really have a CCNA. My friend told me to put it on my resume"
Me "..."

ThomasITguy · May 2016

DPG wrote: »

Many candidates have flat out lied to me and had to be called out.

Me: "You have a CCNA?"
Candidate: "Yeah, I took the classes about 8 years ago" or "I know OF the CCNA" or "Yes. I have a CCNA"
Me: "Can you send me your certificate Verification Code?"
Candidate: "Sure." (Never hear form them again) or "Well I don't really have a CCNA. My friend told me to put it on my resume"
Me "..."

I had a co worker.... who lied to me daily about being in IT... how I knew he was lying is when he said "you dont have to have a degree in IT to put it on your resume because employers never check" that right there told me he had no clue what he was doing in computers....

Danielm7 · May 2016

Mooseboost wrote: »

A perfect example of this happened a couple of days ago. I was working with a network engineer, a new guy who had been there about 6 months - claimed to be CCNP. Which I know because he very proudly announced it at the beginning of the call and to let me know he knew far more than I did *eye roll*

Oh boy, that story is classic, haha.

Instead of me doing 20 nested quoted replies I'll try to hit on a few more points here.

First, I love when people come from systems backgrounds, that's what I did. They tend to know enough of networking to start and have likely done lots of security tasks even when they aren't really "security people".

As for the OS preference thing, it really was the opening of a question. I don't really care if you prefer debian or redhat, etc, but if you can tell me about that it shows me more than the person who might not have any input on the question at all. "The best tool for the job" is absolutely a great answer, because that's how life works really. We have one coworker who is so pro MS its crazy, like he's forced people to use much worse tools on occasion because they work on Windows than using something else.

And for ThomasITGuy, those are all good questions. Those are the types I ask as well. At least show that you care about what happens if you get hired. My first questions were always typically about company culture, work day, etc, I care about what I'm walking into and I'm not going to keep interviewing somewhere if tells me every day I should expect a hellstorm.

aderon · May 2016

If you wouldn't mind me asking, what state are you in?

EngRob · May 2016

markulous wrote: »

WTH are cached pings?

Seems they're created by the CCNP guy, interfacing between L3 and the L8 political layer. lol

thomas_ · May 2016

It would have been awesome if he pronounced it "ca-shay" pings. I giggle a little bit whenever I hear an IT person pronounce it that way. For end-users it's forgivable, but I just can't get over it when IT people pronounce it that way.

OctalDump · May 2016

IronmanX wrote: »

Me saying it depends you use the right tool for the job looks like i'm side stepping the questions when these interviewers just want to write down what you answered. I feel like saying hey your doing some carpentry whats your favorite tool the hammer or the screw driver? Of course it depends on what your trying to do.

Right tool for the job can be more complicated than it seems. For example, what if you don't have a screw driver in your kit? Or you do, but it's a flat head and what you need is a torx. Or you decide to use your torx driver, so you need to go and get some torx screws. Then you pass the job onto a colleague who doesn't have a torx driver.

So the right tool, or rather the best tool, has to take into consideration also what tools you have, what tools you can use, what tools your team has, what tools they can use, the cost of the tools, the cost of support... yeah, it's a longer list than that, but you get the idea.

So .net aspx might be the best tool for building that web interface to your MS-SQL backend, but it turns out that the company has plans to deploy on Linux in the near future, or you are the only person in the company with .Net experience, or the backend is actually in the process of being migrated to Oracle or some other thing.

EnderWiggin · May 2016

"What are some troubleshooting steps you would do for [...]?"
"....Have you tried turning it off and back on?"

billDFW · May 2016

curious how much of Info Sec hiring is 1) "hire the person, train the skill" versus 2) "hire the skill, fix the person" ?

many companies, across many industries, are finding #1 works better.

Thoughts ?

docrice · May 2016

When I interview, I look for aptitude and attitude. It's very difficult (if not impossible) to have someone in infosec be effective when they're inflexible as an individual. Security is fluid, adaptation is mandatory, and if employees are unwilling to keep up with the times and tune themselves for the job, then they're dead weight.

TheFORCE · May 2016

You know, i will play devils advocate here and call BS. If you are getting those type of candidates then maybe your resume screening process needs some improvement. Also it seems to me that when you find a candidate that is knowledgeable you say they are over qualified, but you do not take the chance to train those who are not, again this goes back to your screening process needs improvement.
If your candidates do research on your company, why dont you do research on them also? Besides if the role if for a junior position, you should expect to find someone and train them in the role, people wont necessarily know all areas of InfoSec.
Are you advertising the job for what it is or are you also asking unrealistic requirements? I've had phone screening interviews where the role advertised was something totally different from what I was expecting. So it is not only a one-sided issues.

Danielm7 · May 2016

docrice wrote: »

When I interview, I look for aptitude and attitude. It's very difficult (if not impossible) to have someone in infosec be effective when they're inflexible as an individual. Security is fluid, adapation is mandatory, and if employees are unwilling to keep up with the times and tune themselves for the job, then they're dead weight.

Absolutely agree, which is why I ask even people starting why it interests them, how they get their news, etc, there is going to be a lot of learning and change in the career and if you wait until you have a job and suddenly try to change all your habits it probably isn't going to happen. If someone knows zero of the tech we have but can say, for example "well I've never managed antivirus in groups or a console or anything, but here are my thoughts on AV in general and what I've used at home.." that's fine, they can learn. Hiring for a higher level position they might say, "I've never used what you used, but here is what I've used in the past to do the same thing..." which means they already understand enough of it and are just learning a new UI and some configuration.

Danielm7 · May 2016

TheFORCE wrote: »

You know, i will play devils advocate here and call BS. If you are getting those type of candidates then maybe your resume screening process needs some improvement. Also it seems to me that when you find a candidate that is knowledgeable you say they are over qualified, but you do not take the chance to train those who are not, again this goes back to your screening process needs improvement.
If your candidates do research on your company, why dont you do research on them also? Besides if the role if for a junior position, you should expect to find someone and train them in the role, people wont necessarily know all areas of InfoSec.
Are you advertising the job for what it is or are you also asking unrealistic requirements? I've had phone screening interviews where the role advertised was something totally different from what I was expecting. So it is not only a one-sided issues.

That's fine, I don't agree, but I'll explain my side. My resume screening process for an jr level contractor consists of a very trusted recruiter doing the first wave. He's been doing IT recruiting for a long time, but he talks to them about their jobs or experiences, he doesn't tech screen them. He gives people who can have a reasonable conversation who have related things on their resumes. When he contacts me and says, "This guy has his BS in IT security, had 2 internships and a contractor role as an analyst for a few months and is studying for his net+ and sec+" I see someone who sounds new but likely has a lot of drive and interest and I look forward to talking to them. I look over the resumes, check linkedin for people I'm interested in just to see if there is more detail and there frequently is, and I setup a first round phone screen to get an idea.

As for the overqualified ones, this is a jr level position, if you have an MS, 10+ years in IT and 3 years in security and you're already a security engineer, why are you applying as a jr level analyst? Best case you're just trying to get out of your current role badly and will likely leave me in 3 weeks when you find a better job you're already qualified for, worst case your resume is all fake. I know different people have different reasons for taking different types of jobs, but the the two that we ruled out that fit that bill have yet to explain to the recruiter why they'd want to take such a step down.

I in no way expect someone to know about all things infosec, I don't, neither does anyone really. I expect them to have a reasonable foundation. I try to get a baseline of what they know, and when you can't even tell me that a VPN allows you to connect to another network or even that it's a tunnel and you basically fumble over words for 5 mins, can't even explain at the most basic level what 2 factor authentication is, that even my wife (who is in no way technical) who says "that's when I get a text message as a 2nd way to log in with my password, right?" and when asking about internal or external / public or private IP addresses I'm told "well, I guess one is external and one is internal" and that's it... then it's not me just being picky and expecting too much, it's someone who needs to hit the books again.

I ask very basic questions to start then we can dive deeper. For example, someone asked me about VPN when I was hired. I said I had set them up as a systems engineer in the past. We got into the way I did it on a Sonicwall vs how they do in Cisco, IPSEC vs SSL, etc, we went deeper. I wasn't expecting deeper I was expecting a general understanding of a technology so when they bring an alert and I say, "oh that's a remote user who is connected via VPN let's reach out to them" they don't stare at me like I have 6 eyes.

Thoughts from conducting Jr security analyst interviews

Comments