Sunday, March 14, 2021

Tips For Being An Interviewee In InfoSec

A Few Notes Before We Begin
  1. This post is incredibly biased as I'm a white male that looks like the massive nerd I am - with a dash of survivorship bias
  2. I've also only really had offensive roles
    1. Minus some engineering work, largely writing tools for other people to use and weaponizing vulnerabilities
  3. This is an attempt to explain the way I interview, as I'm told I interview rather well
  4. Not super happy with the format and would love suggestions - it feels a bit like a brain dump that is somewhat categorized currently
That said, hopefully this is helpful for somebody :)!

Determine Your Total Compensation
# is a good starting place to help gauge salary bands for the company you're interested in. Ask around in your network to see if you can get an idea of what to ask for. However, know that as you approach more senior levels your salary largely caps <= 300k and your stock compensation is what continues to grow. It's also important to keep in mind that this is for larger companies - smaller companies simply can't compete with FAANG (Facebook, Amazon, Apple, Netflix, Google, Microsoft) or even mid-size technology companies on salary, but typically have other non-financial benefits that FAANGs would love to have.

Decide What You Want
Before I start interviewing anywhere, I list out and prioritize what I'm after. For me currently, it's the ability to participate in specific bug bounties, stock options, and remote work. I'm in the incredibly privileged position to work remote in one of the cheapest places to live in the US, so salary is not a main concern of mine.

Don't forget, EVERYTHING can be negotiable, but that doesn't mean the company you're applying to is WILLING to negotiate on said item. Examples include, but aren't limited to: how many days you work, vacation days, research time, when you come and leave, taking naps during the day - I used to work with a person who took a 1 hour nap from 2-3PM every day, and they loved it - and getting classes/conferences/training paid for. Figure out what's valuable to you and ask for it. Nothing is wrong with being driven by money, or by something else. Many companies will only negotiate on salary, and won't allow things such as extra vacation. I recommend converting your vacation days to a dollar amount in these instances, making sure it's more than your "daily rate" (salary / 2080) to compensate you for the lack of time away from the job.

You've probably heard the saying, "the worst thing they can say is no". Unfortunately that's not really true - companies are made up of humans, and we are flawed. There are tons of stories out there, such as, for you to get an idea of the shit companies will try to pull. You should 100% run away from these situations if you're treated this way - you dodged a bullet before investing too much time in a company that doesn't deserve you.

Rank Your Priorities
You would think knowing what you want and your priorities would be the same; however, some things will always be more important than others. For me, my current priority list is:
  1. Remote
  2. Stock options/RSUs/etc
  3. Vacation
  4. Salary
Knowing what's important to you ahead of time has helped me the most when it comes time to negotiate. This will change as things in your life change, or it might not. There is no right or wrong way to do this, but it is important to do this. Managing expectations throughout the interview process is a huge component of successfully getting an offer. And it is much easier to manage your expectations when you have clearly defined them for yourself!

Figure Out Your Interview Cadence
I personally try to interview, or at least chat with companies, every 6-8 months. This is one way I make sure the skills I'm looking to develop and have developed are useful to companies on the market. It's also best to interview when you don't really need a job, as it tilts negotiating in your favor because walking away is not as painful - at least from a financial perspective.

Know When to Walk Away
Just like buying a car, you have to be willing to walk away. There are lots of jobs out there, and unless it's your dream job or they're solving a problem you're interested in, walk away if something is off. For example, during the interview you ask about the "sexual harassment problem plaguing the company" and they state they won't discuss it with you without lawyers present and become combative for the rest of the interview. In my experience, even really interesting problems become significantly less interesting when you're miserable because of company/team culture.

Completing Challenges
It's up to you how much time you put into challenges; however, I typically limit it to 3 hours over a weekend, and submit however far I get. I talk about what I would've tried, and what I would do next. For example, several infosec consultancies have CTF style challenges, where a flag, file, or a certain level of access is requested by the company you're interviewing for. I chose 3 hours, or ~$1000 worth of my free time. I have side projects / passion projects that I'm working on that are higher priority than a job.

Thankfully most companies do this better than they used to, but plenty still expect large amounts of unpaid challenge work. Unfortunately for them, they will lose out on people who know what they're worth. I've also had a company actually pay me for doing an in-depth CTF for their interview, which was a lot of fun and hopefully they learned something! However, I've had a company pay me for my time once in probably 40ish interviews I've had over the last 7 years.

Of course, every rule has to have exceptions, and this one has had a few for me. I once broke this rule for a protocol challenge, simply because it was different and fun!

Prepping For In Person Interviews
This boils down to one thing: research. I always bring a legal pad, with 1 page of generic questions to ask everyone, and then 1 page per person / persons interviewing me that I'll want to ask specifically about their job function, how I'll interact with them, generic questions about the company, and some of my goals. If a company doesn't offer up front who is interviewing, it can't hurt to ask. Worst case, they tell you they won't know and then you'll want to come up with some generic questions.

I always spend some time on Glassdoor to read reviews from people, but take everything with a giant grain of salt, as there are always "three sides" to every story.

You should be familiar with the company's goals and values, as well as what responsibilities you will have. If you can't speak confidently to your ability to fulfill the role, practice: in front of a mirror, with a friend, or at a con. Several cons do mock interviews, as do several Slacks. If none of that is possible, practice by doing an interview at a company you're not really wanting to work at.

It's always a good idea to talk to your hiring manager, recruiter, or whoever your point of contact is about your expectations around your wants, and to get feedback on what's possible. Letting them know what you're looking for at a high level will help with expectations come negotiation time.

If you get here, congrats! If not, keep on going; practically everyone is always hiring. Regardless of whether an offer is made or not, try to get some feedback from the company on how you interviewed. While many will say they can't give you any, every now and then you will get some feedback, which should help you for your next interview, however far away it is.

If you were given an offer, now is where your wants and priorities are used. Hopefully you've asked the right people the right questions, and they are aware of what your expectations are.

You Are Going To Be Passed Up On
At some point you are not going to get an offer / you are going to be outright rejected. Maybe you didn't get along with one of the interviewers, maybe you blew a question that they rate highly as an indicator of a good hire. Maybe your research was off, or maybe the interviewer simply didn't like you. It happens to everyone, and is definitely expected. If possible, get as much feedback as you can from the company, though many will simply refuse to provide feedback that is useful.

Regardless of the outcome (AND assuming nothing egregious happened), BE POLITE AND THANK THEM FOR THEIR TIME. It costs you nothing to be kind and will do nothing but help you in the future. Yes, it sucks being rejected, and your ego will take a hit, but like most things in life you have to dust yourself off, learn from your mistake(s), and try again. Soon enough you'll be used to being told "We've decided to go another direction", like most of us!