So last week, I wrote about the difficulty of landing a security job and promised to explore it further.
And I think the first key, and what should be the most crucial one, is being conversant in security. Having a certification is one thing, but at the end of the day, the biggest thing it proves is that you passed a test. It’s possible to pass a certification exam and still not be able to talk intelligently about security. So in the process of interviewing, you can expect to have to answer a pile of questions, and if you don’t answer those questions well, you won’t be offered the job.
Here’s one easy test. If you look at the stuff I write here about security, and you’ve already heard of it, then you’re pretty well-informed about security. If you read my analysis and there isn’t much there that you wouldn’t have thought of yourself, then you’re going to be pretty well prepared.
So how do you get there?
On my most recent performance review, my boss observed that during my breaks, I was much more likely to be reading a technology web site than a sports site. Although I was glad someone noticed, I’m not certain that belongs on a performance review. A supervisor several years ago said she wanted people doing exactly that, so they keep up with the changes, because technology changes so fast. I think if the word “senior” appears anywhere in your job title, or if you want the word “senior” to appear in your title, it ought to be a given that you spend an hour or so per day reading technology-related web sites. If you can’t slip in an hour of it during your workday (and I think that’s reasonable, because you can manage 30 minutes around lunch plus the equivalent of two 15-minute smoke breaks), then get an hour in at home.
Most certifications require continuing professional education of some sort, and podcasts are the easiest way to fulfill those requirements. Listen in the car during your commute, and you’ll be well informed. Here’s a list of podcasts I recommend.
I know at least one person whose key source of CPEs is the official (ISC)² magazine. There’s value in that magazine, but what you really want to be is one of those people who doesn’t even bother to report all the CPEs that he or she could claim. It’s not especially difficult to earn all 120 CPEs you need per three-year cycle in a single year, just from listening to podcasts during your commute, which is time you would otherwise waste anyway. And if you did, you would be very well positioned to handle any technical and issue-related questions that are likely to come up in an interview.
Some interviewers are going to ask you definitional questions, like what inherent risk is or what a runbook is, which you could easily Google. If you don’t know the answer, turn it around. Admit you don’t know offhand and would have to look it up, then ask for an example of where you’d need to know it, so you can talk about a time you solved a similar problem. When I interview, I prefer to focus on how someone solves problems, but not every interviewer knows how to do that.