Stephen: Cybersecurity. Is it one word? Is it two words? Is it a hyphenated word? Is it actually infosec? Is it just cyber? You look at all of the industry and the marketing; none of it aligns, none of it agrees. So how can you expect a hiring manager to look at that and really know what they're looking for, and then go train your HR professionals to say, "Hey, these are the keywords that I want." "Did you look at cyberspace security?" "No." "Cyber dash security?" "No." And then you have to teach your HR professionals how to do a regular expression, and that is a fun thing to do and really challenging.

Ricky: One of the most stressful parts of building a career is job hunting. And part of that hunt process is the interview. When it comes to any tech field like cybersecurity, nailing the interview is no walk in the park, since you've got to balance technical and people aspects of the process. In this video, we're bringing on someone who specializes in just this topic. Stephen Semmelroth is an ex-Army Ranger and Afghanistan veteran who's led a red team and threat intelligence team in the military. Stephen's currently the VP of cybersecurity at StrataCore, leading their external recruiting division and client cyber consulting practice. In this video, we're going to talk about what employers are looking for when hiring cyber talent, how to prepare for a cybersecurity interview, and some overall strategies for being successful on your job hunt. So without further ado, Stephen, welcome to the show!

Stephen: I'm glad to be here, Ricky. It's a lot of fun, and I'm glad that I can bring something to the table that a lot of people struggle with early on. Because the process is a little different than in other areas, because we are expected to know a different subset of information, and the outcomes that we're looking at throughout an interview can be different than other domains as well.
Ricky: All right, so a lot of people start with this "me, I, my" mentality when they are seeking a job; let's talk about the flip side from an employer, right? What are they interested in and looking for?

Stephen: There are a number of things that we need to look at when we're hiring employees. I the business owner, or I the business manager, or I the leader, or the HR professional: there's culture fit, and there's all sorts of fits that we have to look at; technical capabilities, et cetera. But if we take all of that away, really, it comes down to one thing: "If I hire you, how much money will I make?" They care far more than just how much money you're going to make them. But that is the number one question that they have to answer because of their fiduciary responsibilities, whether it's formal or informal. Because, "Yes, I have to make money on you. The numbers have to work because I have other stakeholders, and they have to be happy through this." And whether you are in a socially responsible company or a purely bottom-line company, you get to pick that. That's what it comes down to: how much will bringing you on make me, and how much risk outlay will I have to accept to make sure that we, as a new team, can succeed, based off of that risk in terms of the dollar ROI that we can project.

Ricky: What should someone do to craft their resume accordingly? A lot of keyword stuffing, just massaging to make it look good?

Stephen: Cybersecurity resumes tend to be very different than general resumes, throughout all of the other resumes that happen to be out there. And many industries have their own resumes. So like lawyers, for example, usually, when they're going to law school, they're very locked into a set type of resume, and it's formalized. Other industries, if you look at MBAs, there's not such a formatted template to it, but they rhyme really closely.
Then when we start jumping into cybersecurity resumes, first off, you probably can't fit everything on one page because you have to make sure that you get those keywords. So you should have probably an 80% to 90% solution that is your base resume that really captures what you do. Taking that chunk, the 10% or 20% difference that you're going to scrub for the positions that you're looking at is the part that needs to change: aligning your resume towards the job description. If you do it too much, your HR professionals, your recruiters, and your hiring managers are going to key in on it, and they're just going to drop you immediately. So if we take a look at it from a keyword-stuffing perspective, I'm looking at, reading, writing resumes, multiple thousands of them. Keyword stuffing; if I see that, it's probably going to go straight to the trash. Resumes are often built by a business owner, a business manager, saying, "We have a need. We have to fill that out." Maybe it's somebody leaving. Maybe we built a new space. Maybe we've grown, and we need a specialist to fill this. However it happens, that's one question you need to ask: "Why is there a job position here?" When we look at it, that goes from the job manager up through the system, and then eventually it gets published as the job description. So you have to take a look at
Segment 2 (05:00 - 10:00)
that job description and go, "This aligns with my personal goals and my professional goals that I want to go there. So, yes, this is a job description I want to align with, and I think I'm there." And then you take that hard look at yourself and go, "Do I match this job description?" And then of that job description, "Do I think that they are looking for a 100% fit to that job description? Are they looking for an 85% solution? A 70% solution? And how much did that job description change from the time that the business manager submitted it to the time it got published out to the Interwebs or the Slack channel that you happen to be in, et cetera." Now, there's a couple of hurdles you have to overcome. First off, no one agrees on any of this because everyone has their own perspective and their own pipeline, so all of this is inflammatory. And just to highlight that no one agrees, the first point I'll make is cybersecurity. Is it one word? Is it two words? Is it a hyphenated word? Is it actually infosec? Is it just cyber? And if you go out and you look at the antivirus providers out there, managed detection and response providers, you look at all of the industry and the marketing, none of it aligns, none of it agrees. So how can you expect a hiring manager to look at that and really know what they're looking for, and then go train your HR professionals to say, "Hey, these are the keywords that I want." They go through, and they do a pull in their system, and they come back, and they say, "I only found 14 resumes that have the word cybersecurity in it." "Did you look at cyberspace security?" "No." "Cyber dash security?" "No." And then you have to teach your HR professionals how to do a regular expression, and that is a fun thing to do and really challenging. So if you look at a job description, and they had that cyber dash security, you better change the cyber dash security in your resume and then work it out from there.
And keep in mind that cybersecurity is so incredibly broad. An incident response position is going to be dramatically different than, say, a vulnerability research position or an appsec engineer position, et cetera. So you have to figure out where you want to go and then do the work to get there, to show on the resume that you have done it. Say you're a correlation engineer. All you do is correlation. If I put the word correlation on my resume, it's probably not going to come up. If I put things like Splunk, or Elastic, or APIs, or some of those other pieces. So we've got that overall bucket title of that role, versus the things that I know, I'm capable of, versus the things that I compete at, down to the correlating information across these systems, and network, and host, and domain, and identity, so that you've got the foundational level of the pyramid, which means when you tie all that in to show what you actually have done and have accomplished, resumes will not be one page in cybersecurity. Often they are one and a half to two. For those highly senior people, they either go to three, or they go back down to one. It's really interesting to see that progression happen, because you're usually focused on the senior level as something like a CTO, or a product developer, or a CISO, where you're looking at almost only outcomes and responsibilities, versus the engineers and the architects. Whereas capabilities and driving towards the lower-level outcomes: the amount of code that you've committed, how many of those pushes that you did before have you had to go fix? And that all tells a different story to a different stakeholder.

Ricky: Yeah, so that's interesting. So the emphasis is less on who you are and more on what you do. And those capabilities that you mentioned, if you're a technical person, having those software keywords in there, talking specifically about technology stacks, will make you much more successful.
If you're looking at something more managerial or business-oriented, hitting up those business outcomes is really what people are looking for, rather than saying, "This was my title at previous positions."

Stephen: Absolutely. And thank you for bringing that up, 'cause titles and responsibilities, really often, shouldn't be in there. So let's break that down a little bit. They do care about who you are. They absolutely do. And as Peter Drucker said, "Culture eats strategy for breakfast." But the barrier to entry to getting the interviews, to figure out if you are a culture fit for an organization, is that you have the capacity and the abilities that they are looking for, usually defined by the knowledge and skills that you have on your resume. And those can be tricky to show. And then let's jump into responsibilities. Responsibility, unless you are in the executive suite (keep that in mind, this show is for people that are looking at getting into the industry, or maybe moving up from a junior to a mid, or mid to senior, before that executive level). Responsibility, honestly, doesn't matter, because we don't care what you were responsible for. We care what you did. Let's talk about this: "Stephen, responsible for securing the
Segment 3 (10:00 - 15:00)
dark side of the moon against alien intent, with zero incursions, zero failures, and 100% success to make sure that it happened." Responsible for it, didn't do anything. Not a thing. What I did do was all of these things. I moved the company's security posture from a standard evaluation of a 2.9 to a 3.5, thereby allowing the company to move into a new market category and generate revenue that they were not able to do before. That is an outcome.

Ricky: So when you do submit your resumes and your applications, is it better to spray and pray, casting a wide net, or really target and spear one or two employers?

Stephen: If you are focused on the resume and spraying and praying, then you are effectively allowing the company to tell you no before they've taken even a look at you or even talked with you. You can still be very successful in doing that, but the vast majority of people, when they're getting their new job, they get there because they knew someone. And those percentages vary, and they vary by industry, et cetera. So now I know that the next question is almost always after that, "I'm new to the industry, Stephen. How do I build my contacts? If I don't know many people, how can I leverage a professional networking career that I don't have?" The answer is, you've got to have hustle, and you have to build that out. So there are professional development organizations throughout the country and the world. And you can pick your favorite one, but just figure out who some of the security leaders are in your community and figure out what organizations they are part of. Figure out where they are speaking, and then go to those places. Because if the luminaries of your local geography are going somewhere, chances are, other people that you need to connect with will be there as well. When you can physically go somewhere, and it's an option, do it.
And the vast majority of those organizations have made that pivot to Discord, and Slack, and Facebook groups sometimes, and other places, to elevate that to have a broader community and more flexibility to join those events and organizations, and you should do it. And when you go to them, for my security engineers out there, I know this can be a challenge. You have to talk to them. You have to ask questions. You have to be engaged. It can be a challenge, and some of our best engineers really struggle with that. And there's a reason that, if we go back to the old Office Space quote, "I talk to the engineers so the customers don't have to." Engineers need to talk to customers too. So if that is something that you struggle with, there's a number of different organizations that are out there. One of my favorite ones that a lot of my friends have gone through, and it's helped their speaking ability and their ability to connect, is called Toastmasters. I don't know many of them out there, but I do know that Toastmasters does a good job. So I will highlight them as an organization for that, for anybody that might be struggling with building relationships and speaking in front of other people. So that way, they can build the network to get to the next jobs that they deserve.

Ricky: So, with that being said, what does the structure of the actual interview process look like?

Stephen: So if you were working with a recruiter, a good one gets to know who you are, your motivations, what your overall goals are. Maybe gives you a little bit of coaching in order to get to where you need to be, and also understands your capabilities and your limitations. And then we go out to the market, and we say, based off of our clients, here are the open positions. "We think that you are a fit for these four things. And maybe five, and that fifth one, you're a 70%. You could be an 80% or 90% solution with a little bit of work. Here's your homework, go for it."
Then we take you out to the clients, and usually, we introduce you to both their HR team and the hiring manager in one go. And we sell them a little bit on you, because that is what we should be doing. Why should you pick this person? And then, usually, the HR professional calls you first and does that initial screening, because it's their due diligence, again, to make sure that you fit what their needs are. Because if I tell them that you are good, they want to make sure as well. So they'll often align on things like location; if you require a clearance, visa, all of those admin check blocks that sometimes they could get if they just sent you a form and you clicked the buttons. But they usually want to hear it. And then, "Why do you want this job? Why do you think you're a good fit?" They're probably not going to ask you how much money can I make off of you. 'Cause again, that's crass, but it's in the back of their head. And they'll do some of that initial screening because the hiring manager probably has a few things that they want the HR person to do. Or the HR person has some due diligence as required by legal or another framework that they might have before you get to the hiring manager. Thirty minutes, 15 minutes, an hour per screen; it depends at different companies. Then usually, it's over to the hiring manager for a quick, "Okay, tell me about your experience with data aggregation and correlation." "Blah, blah, blah, blah." "Boom, got it. Okay, great." So this person has at least a base level of understanding that I can send them
Segment 4 (15:00 - 20:00)
to a technical panel. So we're talking about three calls, plus your recruiter-ish right now, so maybe four. And again, these swap all over the company, and industries, et cetera. Then you get to the technical screen, and you can expect questions like, what happens when you type in a URL and hit enter? Which, oh, by the way, is not just a DNS question. We'll probably get to more of that later, but you get into some of those other technical questions: "Explain to me the research that you've done about our company. What do you know about us?" "I got on my open-source security solution search engine, and I searched for you, and I took a look at your infrastructure. I found your Chef and Ansible repos out there, your GitHub, and it turns out you've got three API keys on a Pastebin that you should really remediate." Okay, good. They've done their due diligence, et cetera, whatever that happens to be. And then often, and this is more usually at those mature companies (I say mature loosely because, often, is also a loose term here), then you usually go into, some companies call it like the big show or the culture index, it's almost like speed dating, rapid-fire, for three to four to five interviews with one to three to four people on it at different levels of the organization. And it's almost like they're trying to get a 360 review of you as a person to make sure that you do align with the culture. And oftentimes, those questions get scaled back. And what they're going to do in the background is they're going to review, and they're going to come together, and say, "Will this person, will Ricky inspire everyone here in order to drive our culture? Will Ricky fit our culture?" "Ricky, in our particular culture, we really focus on the positives here." "Man, Ricky really focuses on the negatives. He's going to drag us down." "Hey, we're bottom-line and outcomes-focused. We don't care about feelings." "Is Ricky bubbly?
Does he care about feelings, and is he super positive?" "Probably not going to fit, because we want you on the grindstone all the time." Culture mismatch, and that is something that you want to know and evaluate the company for as well. Because if there is a massive culture mismatch, you're probably not going to make it 90 days. Either they're going to let you go, or you're not going to be happy. And then you're going to have that beer with your family or friends, and they're going to say, "Hey, how you doing? How do you like the new job?" And you're like, "It's great." And they're going to tell you, "No, it's not. I can tell because I know you. You are not happy. Are you not happy because this is a short-term amount of time, or is this going to be forever?" "I think it'll be fine." And then two more months after that, and your hairline's receded a little bit, you've got a little bit more of a silver fox going on, and you go, "Uh-oh, maybe there is a cultural mismatch." And then, "Oh boy, that wasn't a good fit. How do I explain that fit in my next interview?" There's a lot to it, and it varies by company. I've seen companies that, in low-compliance, high-transferability areas, industries, where it goes straight to the hiring manager, and the hiring manager makes all of those judgment calls themself and signs off on the offer letter. And the candidate starts a few days after that. Which really comes down to the ability of the hiring manager to be a leader and follow both what the paper says and what their gut says on top of that. And I will say there's one piece that I haven't really talked about, Ricky. One of my favorite things to do, and it can be hard; there are some vendors that are coming up in the space in order to get there, and some companies are doing it a little bit differently. If we go back, and you were going to hire a violinist for your symphony.
Are you going to sit there and talk to the violinist about how they build a violin, or about the different major and minor chords that they have, or their ability to take a solo or lead? Maybe you will, but you're going to give them a violin, and you're going to say, "Prove it." They're going to have an audition, not just an interview. I'll be honest, in the industry that we work in right now, the vast majority status quo is that companies do not do auditions. They do interviews. We are starting to see that change finally, but there's a big push. Now, thankfully, demanded by some of those hiring managers that are leaders that they've moved up, is, give me a virtual environment where I can make sure that this person really can do the things that they say. Did they just learn about the systems, or are they an actual practitioner that can type so fast their fingers bleed because they're amazing? And it's got to be somewhere between the two. But it's starting to come up and starting to be a thing, and it's pretty fun to watch the industry change that.

Ricky: What types of systems are employers using in the backend, and how do they work?

Stephen: Brace, because I've done a lot of research on this to figure out where the failures of the system are. As we look at the general overview of people, process, products, it is all three. And it depends, and it is a variable. So let's talk about best-case scenarios, right? Best-case scenario, you submit your resume to a system, you upload it, and it says, "We've received this. Somebody will be talking with you shortly." And then maybe, somebody in the backside
Segment 5 (20:00 - 25:00)
reads it. That's the ideal. And actually, what you hope is that the hiring manager reads it. Probably not. It's probably somebody else screening them, because the hiring manager has to get their products out into production now. So they have to have somebody else doing it. Now let's look at another organization. What if we could have a system do that screening for us? Now we have to look at not just the maturity levels of the systems, but who are the people that are designing those systems, and then whether those people are internal or external to the organization. So let's take a deep breath. We're about to go on a canvas carpet ride all around the world. First piece is, they're going to say, "Is this something we can build, or we can buy?" Okay, let's say buy, because that's probably the fastest and largest case out there. So there's really only about four companies out there that are the resume-parsing companies that support the vast majority of applicant tracking systems throughout the entire ecosystem of CRMs, or customer relationship managers, or applicant tracking systems, or the elevation from applicant tracking system to CRM, or vice versa. Parsing, and having done many deep dives on this, and doing my own evaluation as I built out a recruiting company, I have to have something that can parse and do it well. So then you go through, and you say, "Okay, in cybersecurity, unfortunately, certifications are a big thing," but if I have a client that comes to me and says, "Stephen, I want somebody with these four certifications. Period," my applicant tracking system had better be able to go do that. And the reality is that most of the resume-parsing companies have at least a nascent capability to pull things out, either as JSON or another data frame that you can then ingest and filter and parse through at your own leisure, or have some sort of tagged data that comes back to you. But the reality is, those are different. They are growing.
And then you have to look at what types of systems they're using to do it and what comes back. And then keep in mind that those parsing systems are usually outsourced from the other systems that HR is using. And that means the user may or may not actually know that the parsing company has the ability to pull that information back in. And if they know or do not, have they implemented it? So the other piece is if we choose to build it ourselves. Say we're a company with $2 billion in revenue, and we've got some people; we could build this ourselves, so we don't have to go out and outsource it to another company. Are we going to put our best engineers and architects on that system? No, they are out driving our top line. Are we going to put our mids on it? No, because there's some more in the primes. Are we going to put our juniors on it? Probably not. 'Cause if they do have the capacity, it's probably not going to get there. So if you look at that risk, who are you going to put on it? Probably interns. And so then the interns are going to develop it, and your interns, basic computer science undergrads, don't teach security; they teach availability often, and then the fundamentals, which aren't included. So the first time that they have either a dropped resume, or a dropped candidate, or a system is shut down, and they go, "Oh, CRUD. How do I do that? I didn't actually parse it right because the header was wrong." And then they'll go, "Okay, so anything that I don't know how to parse, I just drop. Anything with tables in it. Anything with code in it." If they do a cursory scan, and somebody's gotten funny, and they put output to /dev/null, and then the parser looks at it, and they go, "Oh, no, drop. Someone's trying to attack me." And so, if this is a capability that we built internally, it can be really frustrating. So I'm not here to name names or point fingers.
But I can tell you that in my own personal search, diving down this journey and figuring out the actual truth and bedrock of this: holy cow! No wonder HR professionals have such a hard time just looking for certifications. So, ways around that. Number one, get an internal referral; use your network; get an internal referral to the company that you are applying for, so that way someone actually looks at your resume. Number two, if you can make friends with the hiring manager, better for you. That can be a challenge, because you have to get into OSINT in order to figure that out, often, if you don't have the professional network to lean on. Number three, submit a cover letter. It is an old-school method. It doesn't always get looked at. Let's be real. I have a number of cover letters in my queue that I just haven't had a chance to look at and read, because how much of my time needs to go through that? So again, it goes back to build your network, build your community, get someone to look at it, and have an internal referral for the position, because the spray and pray can work, but you are relying on the company, and the company's software packages, and then the outsourced parsing partners out there. And all of those, that very fickle chain, can fail you. So you don't want to rely on it immediately.

Ricky: I wonder if there's ever been a "drop Bobby Tables" event with resumes.
Segment 6 (25:00 - 30:00)
Stephen: There has. Little Bobby Drop Tables, I love him. He comes over at Christmas all the time, but he can be rough on some SQL.

Ricky: So being a good researcher is really one of the more important skills you can have as a cyber professional. You mentioned OSINT. So how do you apply those same OSINT skills when looking for a job?

Stephen: In cyber, first off, we have to call something "fun." So we call it OSINT; it's got this aura around it. You go, "Oh, we've got this great thing. And we do OSINT, and it's amazing. And because we did it on the computer, we're hackers." But really, what I call it now is more just due diligence and research. So some of my favorite tactics that I learned early in the day on this were actually from journalists. Because they would just get on early search engines, and they would search for slash index of, because that meant that you could get a lot of companies' information that probably wasn't supposed to be exposed, but was, because it was in HTML. And they thought it was fine, but you could find it. So we're going to use OSINT tactics to get us there, but we need to understand what the business objectives for the company are. And then how do we align with those business objectives? So what are some of the standard things that you can do? You can look for a Schedule 10-K if they're a public company. So that's an SEC filing where we talk about, basically, the outcomes and the risks to the company, where we stand financially, et cetera. There's tons of juicy information, and usually the mission of the company is in there if it's not on their website. Usually the officers of the company, so your C-suite, some of your legal team, risks to the company, who are their biggest competitors in the space. Which means that, when you can come in, and you do get that interview, you can solidly talk about where the company is going, what their objectives are.
For, again, for public companies, the investor relations calls, the quarterly reviews. And you'll see it in the stock: the quarterly review came out, and they made more money than they thought they should, so the stock went up. It was great. Those earnings calls are available. You can sit in and listen to them. You can sit in with the actual leaders of the company and figure out what their motivations are. And then you use that to understand how you align, the keyword, align with those business outcomes. So that way, you can walk in, and you can say, "Hey, we need to stand up a SIEM." "Okay, why? How much is that going to cost?" We need to stand up a SIEM because, one, the forces of our suppliers demand that we have it. Our clients it, but we don't have any compliance requirements. And in order to get to that next quarterly earnings call where we talked about moving into a different market, we do need to have a SIEM, and here are three different options that we can have. And, oh, by the way, of those three, I have personally worked on one of them. And these two, we've started taking a look at as a team to understand how we can roll those out. Knowing what the business needs to do, or move, and how you fit inside of that overall paradigm means that we're starting to pivot from an interview to a planning session, which means you've started to get them to yes. And you're tying OSINT into social engineering as part of your ability as a cybersecurity professional to get the job that you need to do. So that way you can go home, and you can have dinner, because you want to eat.

Ricky: The technical questions; you talked about the DNS question, or maybe the home lab question. What are interviewers, maybe, looking for?

Stephen: Oh man, yes. So this kind of goes back to your OSINT on the company, your due diligence, your research. But the DNS question by itself, "What happens when you type in a URL and hit enter?"
They're looking for more of a mature response for that, and understanding. I'll go with one that I had personally a few years ago, right around the time that I was starting one of my other companies; didn't know if it was going to work or not, so I was still doing some interviews, right? Thankfully I got a hint the day before, and they said, "Hey, Stephen, you have to be prepared to talk about what happens when you type in a URL." I did what everyone does. "Oh, it's DNS, of course. There's A versus quad-A, IPv4, IPv6. Yeah, and there's root DNS, and it traverses down and up and back, and there's transfers. Yeah, no worries." They go, "Hey, phenomenal answer. You missed 90% of it." "Ooh, okay." So let's break that down. Where did I fail on that? Thankfully, I had the hint the day before and was able to scale up, but what does it really mean? Let's take my failure and turn it into a teaching point. What does that really mean? So you have to take a look at the potential employer. What does their tech stack look like? Okay, what is the difference between their production tech stack and their corporate tech stack? How have they integrated work-from-home? Do they have a zero-trust solution implemented? What are we going to assume? Assume that we're actually looking at their infrastructure-as-a-service pipeline that they've deployed to their client environments? We're going to assume that I am on an EC2 instance in AWS
Segment 7 (30:00 - 35:00)
because I think 70%, based off of their 10-K, said that they're focused on AWS partners. Okay, got it. So when I press enter, there's actually a signal that goes from the keyboard all the way through. It does all this crazy traversing. It lands on that EC2 instance, and the EC2 instance does these things. And as it does those things, we're going to go up and down the OSI model. And are we going to assume that this device or this particular instance has been maybe joined to some sort of other identity service? What does that stack look like? Let's assume that maybe I'm just on a virtualized Windows box inside of a vSphere somewhere. Okay, it gets there. Okay, what browser am I in? Am I in Chrome? Is it the most updated version of Chrome? Have I patched Windows? Okay, is there a cache inside the browser, and I can just load it? There's not. Okay, is this domain-joined? Do I need to send out an ARP request to figure out where the router is? And then if I figured out, "Okay, now I'm going to have that transfer. I know where the router is. Now I can send my request," and again we're bouncing up and down the OSI layers. Till 45 minutes in, we get to SYN-ACK, ACK. And then another 45 minutes in, the page displays, and I can actually see what's going on. And now there's two follow-on questions, Ricky. Especially in security is, now that we've talked about this entire model, how can I break the model? Can I break that internally? Let's talk about reliability engineering. If I fail, or something floods, or suddenly we're an e-commerce company, and it is Black Friday. Uh-oh, good traffic shut us down by DDoS. Got it. Now all those things, maybe it's server utilization, I can just shut down by increasing the packets, et cetera, or maybe it is, I've got a radio device in your office. And every time you push down your enter key, I can actually pull that off because there's some electromagnetic interference, and I can read that. And I know what an enter key looks like.
Now, I basically have a key logger that's a Raspberry Pi sitting over there in listen mode that you're not going to find. And then again, now we've talked about a few different ways that this model could break. How do you identify, protect, detect, and respond, and recover against any of those pieces? We had a little bit of NIST there, of course. But, okay, we've got this model, how can it break? How can I break it? How can I prevent it from happening and recover from it? That's one, one of those questions, and there's a couple other questions there. The home lab question, the vast majority of hiring managers that exist want to know that they're not just hiring somebody that is capable now. But they want to know that they're hiring somebody that is capable in three quarters, in two years, in three years, and they also want to be entertained. Let's be real. The human element, you have people, process, technology. People, process, technology. Oh my gosh, you come into work the next day, "I just got my Guacamole server up and running so I can access my home lab from anywhere, which means that I can have secure communication from my endpoint back to my home lab. And then once I'm inside there, I can set up some high compute, maybe you were training a new algorithm or whatever it happens to be, or you're doing some video rendering. I can control that from somewhere else, and I can access all that stuff, and it is amazing, and it's awesome. Let me tell you about how it works, and I think we could potentially use it at the company in these three instances." Are you going to just come in and do the work, or are you going to come in and use the time that you spend off-campus building something fun? Maybe it's Raspberry Pis; maybe you've got a Kubernetes cluster for auto-scaling, full domain in the back, so you can practice Kerberoasting, whatever it happens to be. What does that look like? How do we drive to the next step?
Can you both entertain me at work, and can we drive new business revenue because of the things that you do in your off time? How do we build it? And it just tells me that you want to learn and you're hungry. And I need that because we have an ever-changing environment, and the fundamentals are the same, but the roads look different every couple of weeks. Ricky: That's really fascinating because it seems as if most people think it's a question, regurgitate type of process, where some of these technical questions, they are more just like a tiny reconnaissance probe to see how much you're sending back to me. And the more me; I can obviously tell your experience and understanding because it's hard to learn overnight that when you hit enter to go to some website... what if you're in Russia and your BGP's being changed, or you're in China and being man-in-the-middled. So there are just so many connections in this domain that your ability to understand it is really measured by how well you can describe the entire domain. Stephen: Absolutely. And remember, we're not looking for somebody that just has the knowledge. Because knowledge, we can teach that all day long, right?
Segment 8 (35:00 - 40:00)
If you know Splunk, you can learn Security Onion, which is Elastic-based, et cetera. That's just knowledge. We're looking for somebody that has skills and, more importantly, abilities and behavior that drive the outcomes that we need. So those are different conversations. And when you see those hiring managers that have the right scar tissue from years of doing this, they usually zero in on those abilities and behaviors versus just "tell me about what you know." Because know is for interns. Let's be real. Do you know the things? Okay, cool. Now you can figure out where to click, and you can do the stuff. And I'm not paying you much, so there's not much risk on that other than some really minimal funding and some coaching time for me and my team. Ability is where we move the market. Ricky: So cyber is all about technical skills, right? You got all those DNS and home lab questions, how important are stuff like appearance and sound for an interview? Stephen: Oh, let's talk about cyber practitioners from a leadership perspective. One of the biggest questions that the leadership teams will ask, especially when they're looking for a senior when they bring them on the team, and especially for sales engineers, or anybody that might be client-facing, or could be client-facing in the future is, how confident am I that I can put this person in front of my clients, keep those clients, and generate new revenue? I still walk down many times a week, and my wife looks at me and just goes, "Nope, back upstairs, change." Uh-oh, okay. So yeah, clothes. They tell a story. They absolutely do. And then again, maybe working out of a coffee shop is the only place you can work, but is that coffee shop quiet enough for you to work? If I put you on a call, will you be distracting? Because again, I have to know how much money will you make me? And will you lose any money? Your CRO, in this case, chief revenue officer, is going to ask that question.
Maybe not immediately, but eventually, and they will, especially for your mids and your seniors. Can we capture revenue because of you? Can we put you in front of a client? Are you able to speak confidently? Can you still get a message across in a way that will be received and will be meaningful and compelling to the clients? We've talked about quiet and clothing. Let's talk about camera. What's going on in the background? Again, is it distracting? On some calls, it's totally fine to have your kids walk in and jump in on you. On some calls, it's totally fine to have the cat's tail walk in between you and the camera, the golden retriever pop up behind and eat the other piece of bacon that you forgot on your plate that you never put away, but do you have it set up to a point where you look professional? Does every practitioner need to go through and invest a couple of thousand dollars in a DSLR and an ND filter and three different lights and get a full setup? No. But should you be going out and looking at industry best practice? There are so many more resources now because of the work-from-home shift that tell you how to do it. And there are also more products on the market, so you don't have to go get an associate's degree in professional lighting in order to get there. Those resources do exist. They're out there, and you can watch Twitch, and YouTube, or Skillshare, or Udemy, or a number of the other different providers and platforms out there where the content does exist to get you to that next little level that might be the difference between a yes or no. Ricky: Yeah, absolutely. Like for 40 bucks, you could turn your phone into a really nice webcam of all things. Stephen: You can. And smartphone cameras have, oh my gosh, they have come so far in the past few years.
The next cameras that are about to come out in 2021 and some of them that you're starting to see patents get filed for 2022 or 2024 launch already are ridiculously spec'd for not just the pixel and quality density, but also the lens density. The glass that you put in front of the camera is often far more important than the actual sensor in the background. The phone companies are really putting their money where their mouth is in order to improve that. So it'll be fun to watch. And, if you've got that old Android or iPhone or what have you laying around, get it fired up, please update it and then take a look and see what apps might be out there because a $10 phone holder to get at the right height, a $15 LED light can really go a long way. Ricky: What are some of the biggest candidate fails you've seen during an interview and maybe some reasons why they fail? Stephen: Oh boy. Number one, not showing up, obviously, not getting on the call. Number two, violating camera, quiet, quality, and clothes; just not looking presentable when they come in. Those are all easy fixes, right? Couple of my favorites. Showing up for company A and mentioning that they're interviewing with company B, or worse yet, calling company A company B
Segment 9 (40:00 - 45:00)
on accident during the interview. Consistently mispronouncing the interviewer's name or saying the wrong name completely, being completely unprepared to come in, and not having done any of the due diligence. Some of those are pretty easy. Not reading the room, oh my gosh, the emotional intelligence side of this, if you're just completely missing it, and maybe cursing or swearing at the wrong time, showing that you're just not a good person. Unfortunately, man, there's a lot of different ways that you can fail. And many of them exist out there. Honestly, I've seen most of them. I still get surprised occasionally, but this is a big deal. And if you're in an interview, you need to treat it like a big deal. Ricky: So apart from these more lower-level, easy mistakes. If you do interview, you put forth your best effort, and you do get rejected. Now, how do you deal with rejection? Stephen: Maybe you get information on why from the company; that's pretty rare. It does exist. It could be, "Hey, we thought you were too junior for this." Surprise in cybersecurity all the time. What do you do when you're too junior? Maybe it's a culture fit. I know everybody loves to hate on the Myers-Briggs Type Indicator. But it's close enough that it can work. So if they're looking for an advocate and you come back as a captain or something else, you're just not a good fit. History says that in this particular position, there's probably 4 of the 16 different indicators that'll do well, and you were positioned completely on the opposite. How much of a risk is it for us to take? Because if you're that far off, you're probably not going to stick around, remember, be around for a while. You maybe get that answer back. Maybe you don't, and if you do, you need to do some honest self-reflection and figure out how much of that is realistic. How much of it is hard to work through? What can you change in order to get there?
You're probably going to go through the five stages of grief, honestly, so looking at that, anger. Okay, cool. Let's get past anger. Let's get over to acceptance and figure this out and then put a solid mirror up in front of you. A bunch of the systems that are out there now from the HR perspective with the companies that you're at right now, you can just go through, and you can request a 360 review from your teammates, and supervisors, and subordinates, if you have any, and the end leadership and figure out, why am I performing the way that I'm performing? Is it something that I need to change about myself? Is it a perception that I have that I need to change? Is it a difference in knowledge, skills, abilities, behavior that I don't have that are a mismatch? Or do I just lack the ability to communicate my abilities to the client in order to help them understand where I fit? And the faster that you can get to that acceptance, and putting that hard mirror up in front of yourself and asking for feedback, and it can be very painful, especially depending on your type indicator. If your love language is words of affirmation, and you're not getting words of affirmation, you will literally not feel loved as you go through this process. So understanding that the people that you trust and respect are coming to you with that information from a lens of love in mind, and actually letting their words sink in and then building a plan to get to where you want to go and reminding yourself that it is a gap between where you are and where you want to be and not necessarily who you are and where you want to be, because those are two very different things, and if that is a failure in who you are, you're probably going to want to go see a counselor because that is much, much harder to deal with than where you are and what your knowledge and skills and abilities are. Ricky: What are some of the most successful candidates you've seen on the opposite side of the spectrum?
Stephen: Oh, absolutely. The most successful candidates that I have seen are the ones that are generally decisive. And I say that for a number of reasons, that decisiveness factor drives into business credibility, but when a candidate comes across, "I'll take anything in cyber." Okay, well, what? We kind of talked about the differences between an incident response analyst versus a legal advisor that happens to work in the cyber context versus an application security engineer versus a developer versus a vulnerability researcher? "I could do them all. I spend lots of time doing them, but I'm not sure which direction I'll go. I'll take anything that you give me, and I'll perform at it." I'm hiring you because I have a niche that I need to fill. Do you fill that niche? Because I have a specific area that I need to fill and I'm looking for a specialist. I don't need somebody that is a generalist that can do it all. So either you want this, or you don't: decisiveness. The second one is, how coachable do you want to be? And then how much are you willing to learn on your own? Again, getting back to your home lab, right? I've had numerous candidates that we've talked to, even just this year
Segment 10 (45:00 - 48:00)
that they've said, "I can learn." Okay, go learn. "No, I want the company to teach me. I don't want to learn and not get paid for it. I see that as a risk." Go take the risk. Go take it. If the company is telling you that you need to know this for this job, go learn it, period. Or you are not a candidate for it. I'll give them a little bit on decisiveness and frank, candid discussion. And then, we take a look at how much of a competitor are they? If we look at, say, just the venture capital industry, some of the best venture capitalists are ones that moved in from a different industry that looked like they didn't fit the model. But they had abilities that were apparent and sublimed to the surface that allowed them to get there, and that is the case in cybersecurity as well. So not just showing that you're capable and that you're competent, but literally showing that you are a competitor in the space and that when I say I'm going to go learn something because I can do it all, I'm going to do it, and this is how I've shown that I have done it. So competing at the national level for things like capture-the-flag exercises, whether they happen to be incident response focused, or red team focused, or blue team focused, or maybe there's a bunch of really fun AI and ML different challenges that are out there, but really going through and saying, "I compete." The reason I know that I can do this is because in that 48-hour CTF that I had last weekend, there was a challenge that was based on this particular subset of skills. And I didn't know them, but I was one of only four people out of 60 that was able to successfully get that flag and get those points. And because of just that one thing, it took me to third place, and I stood on the podium because I was willing to learn, grasp that information, the subset in the discipline that I don't know, and succeed. Ricky: Stephen, thanks so much for sharing your thoughts and your experience on interviews in cybersecurity.
Where can people find and connect with you? Stephen: Oh, yeah. Great question. I'm on Twitter @diodepack; that's an old name from when I was learning about electricity and electronics from way, way long ago, when I couldn't even be on camera, I was so small. @diodepack, one word on Twitter. LinkedIn, Stephen Semmelroth. YouTube, of course, as well, a nascent, early, growing channel. Mostly LinkedIn and Twitter are where I'm the most active, because again, working in the recruiting space, the vast majority of candidates are on LinkedIn and Twitter. And I try to put out content that resonates with the industry but also pushes the industry and aligns with both your juniors and people that are trying to break into the industry, but also content that will push the CISOs and fellow leaders that are out there to that next step as well. And focus on the different roles of security practitioners in the organization. It's a lot of fun. And then, of course, Medium, and those places as well, but usually you'll find links to those on Twitter and LinkedIn. This is fun, and I really hope it does help your audience increase their skills, their abilities, and make sure that they can show that they're competitors because in this field, rising tides lift all ships. And if we hoard that information and keep it to ourselves, it does nothing for the other organizations that are out there protecting our data. So if we can push the industry and we can move in the right direction, and we can align skills with business outcomes, we can really move forward and have a high impact. Ricky: Well, thanks so much again, and hope to see you soon. Stephen: Love it, man.