In this episode, Jason and Kip are focused on how you can demonstrate true passion for cybersecurity. They discuss the six things that you must avoid as they are considered red flags by a hiring manager. These red flags must be avoided at all costs, otherwise they will instantly land you in a hiring manager’s “reject” pile.
Make sure you avoid doing these six things during your next interview, because hiring managers are listening to see if you fall into any of these common traps.
Other Relevant Episodes
Jason Dion:
Hi and welcome to another episode of Your Cyber Path. In today’s episode, we’re going to talk about whether or not you can demonstrate too much passion for cybersecurity when you’re in an interview. And so today I’m going to talk with Kip Boyle who’s my co-host and I’m Jason Dion. And we’re going to talk all about passion. Now, passion is a great thing for you to have, especially for your future career, but you also don’t want to take it too far. Sometimes, there are things you can do that step over the line and as hiring managers, it really sets us off. So, today we’re going to talk about the six things that you need to avoid doing that can actually turn off recruiters and hiring managers when you’re in an interview.
Now, before we do that, though, I just want us do a special shout out to Tom Smith, who was kind enough to leave a review for the show on iTunes for us. He wrote that he has learned many things and many details about cybersecurity careers by listening to the show. He has so much actionable insights that he’s gathered and he really thanks us for the show and we thank you, Tom, for listening. And if you want to have your name called on the show, feel free to leave us to review at iTunes as well. All right. So, today, like I said, we’re going to jump right in and we’re going to talk about the top six things that you don’t want to do in an interview that can really set people off. Kip, what are your feelings on this before we even get started?
Kip Boyle:
So, there’s a balancing act here. Okay. There’s something we talk about all the time, which is, hey, you have to show some passion. Because a lot of people out there are feeling nervous or they have like imposter syndrome going on or whatever and they’re not showing enough enthusiasm and enough eagerness and so, we’re trying to coach those people, but then there’s a small number of people who unfortunately just like, let that run crazy and wild and it doesn’t happen too much, but it happens enough that I felt like we needed to say something about this and these six things, I haven’t seen all six of these things, but I’ve seen some of them and the other ones on the list are stories that other hiring managers have told me. So when you hear these six things and you might think, oh my gosh, who would ever do that, that sounds so out of bounds and crazy, but I’m telling you this stuff happens and you got to not do it.
Jason Dion:
Yeah. I mean, totally. And the thing is there’s passion and there’s desperation and sometimes you cross the line when you are trying to appear passionate that you can come off as a little bit too desperate sometimes. And to be honest, nobody wants a desperate person. And so if you smell of desperation, it’s not going to go well for you in that interview. So let’s go ahead and kick this off with our six things and we’re going to start talking about these things to start turning recruiters and hiring managers off. Because again, you don’t want them to start questioning your honesty, your trustworthiness, or your good judgment. So let’s start with the first one. What’s your first one, Kip?
Kip Boyle:
All right. So, the first thing you do not want to do in the interview or even in a cover letter, or whatever, anything, don’t do it so that I can see it, but you don’t want to tell me about all of the different websites and organizations that you hacked uninvited, because you are performing some kind of a public service and so you think this is going to impress me because you’ve been going around basically telling people that their fly is undone. And they’re going to react the way they react.
But look, don’t show up. For example, with a vulnerability scan of my website to the interview or don’t show me a vulnerability scan of my competitors website either. So, if you’re at all feeling motivated to do this as a way of impressing me or demonstrating that you’ve got great skills, please don’t do that. But, I love where this idea comes from, is that you’ve got skills and you want to demonstrate those to me. I think that’s wonderful. Let me tell you what I would rather have you do is contribute to a bug bounty program, one where your talents are going to be put to good use and you’re going to get public acknowledgement for that and then show me that. That’s what I want to see instead. So, there’s my first one.
Jason Dion:
Yeah. I totally agree. I get emails probably about once a month, twice a month from somebody who goes, hey, I looked at your website, I saw this vulnerability and do you offer a bug bounty program or are you looking to hire somebody to fix your problems? It’s like, well, you’re going and scanning my website, you’re not supposed to be, that’s illegal in most countries. So, you need to ask permission before you start scanning. Always remember that here in the United States, scanning somebody’s websites for vulnerability is classified as criminal hacking if you’re doing it without permission. The difference between a hacker and a pen tester is really just that it’s permission. And so if you don’t have permission, you shouldn’t be doing it.
That said, if that company has a public bug bounty program, definitely go and scan their website. See if you can find something and then tell me about that in the interview. Because if my company has a public bug bounty program, I am now giving you permission to do that and now it’s not something that’s off limits. Now, it is something that is showing passion. And so, again, this really is contextual and you have to make that distinction in your head when you start thinking about different companies [crosstalk].
Kip Boyle:
Hold on, Jason. One more thing, I just want to be super clear about this. If you sign up for a bug bounty program, read the terms of service. You have to know what’s in bounds and what’s out of bounds because companies will set up boundaries and they’ll tell you, it’s okay to hack over here, it’s not okay to hack over there and don’t make the mistake of thinking, oh, they’ve got a bug bounty program, so it’s free game. I can go for anything and do anything. That’s not the way it works. So, I know that we hate reading the owner’s manuals when we buy stuff. And we hate reading the contracts that we signed, but you’ve really got to be careful here. All right. That’s my last comment.
Jason Dion:
Definitely. And that just goes right back to permission. What are the rules of engagement? The second one we’re going to talk about here, Kip is telling me what you think I want to hear. Now, this is one that really drives me crazy. And I hear it all the time in interviews. Really, when it comes down to it, I don’t want you to make stuff up. If you don’t know the answer during the interview, if I ask you a question that’s really technical and in depth, and maybe you’re not really smart on that particular tool or that particular thing, don’t start BSing me and just filling me full of hot wind. Instead, you should actually do something else. And what should they do, Kip? If I asked you a question, you don’t know the answer during interview, what would you do?
Kip Boyle:
Okay. So, a candidate with high integrity and high confidence is going to say to me, point blank, I don’t know that. And then, they’re going to follow it up with this. Would it be okay if I figure it out after we finish the interview and then, I follow up with you? Oh my gosh, when a candidate does that, I’m super impressed. Again, it shows integrity and it shows confidence and I need both of those attributes by the basket full.
Jason Dion:
Yeah, I actually was just hiring for a position in my company for a new chief technical officer. It’s a new position we created as we’re growing. We decided we needed somebody who was really focused on the technical side, because up to this point, I was doing the CEO job. I was doing the COO job. I was doing the CTO job, all combined into one.
Kip Boyle:
I’ve noticed.
Jason Dion:
Last year, I hired a COO and she’s been doing great. And I said, you know what, it’s time for me to offload this technical side too. Can I do it? Sure. Am I smart at it? Yeah. But I can’t do that and be an instructor and be the CEO and do everything else that I do. So, I decided I was going to hire somebody. And during the interviews, I found somebody who I really liked and I asked them a question and when I asked the question, they did this exact thing. They didn’t fill me full of BS. I asked a question about AWS because that’s what our infrastructure is built on. And he told me flat out, he goes, “My experience in the past has been on Azure, so, I don’t know the exact answer of how I would do that in AWS, but I know I can figure it out for you. If you give me 24 hours, I’ll come back with an answer to that particular question.”
Perfectly fine, because I’ll tell you as a CTO, I don’t need an answer within 30 seconds if I ask you something, but I do need it this week. And so, he went off, he found the answer and he said, “Yeah, in Azure, we do it this way, in AWS, it’s the equivalent of this thing” and that was it. And now he is hired on the team. He actually started this Monday or last Monday and he’s doing a great job for us. But again, he’s not an AWS expert, but he’s learning. And he is bringing up the speed because he already had equivalent experience that he was able to use and again, not trying to blow smoke and say, oh yeah, yeah, this, this, this and this, because that might have worked and he probably would’ve gotten that past my COO because she’s not technical, but he wasn’t getting past me because I know AWS. And so that’s a difference there.
Kip Boyle:
Yeah, I also want to tack on one of the thought here, which is, not only are you showing integrity and confidence, but you’re actually displaying another really key skill, which is, you’ll never know everything. You’ll never be able to solve every problem that comes at you and I don’t want you BSing your way through really important problems that show up unexpectedly. I want you to pause. I want you to do the research. I want you to reach out for help and I want you to figure it out. And again, that’s just like a key skill that we need to have on my team.
Jason Dion:
Yeah. The next one is one that just drives me nuts, but I’m going to let you cover it, Kip, what’s number three?
Kip Boyle:
Yeah. Number three is telling me that you’ve got either certifications or experience that you really don’t have or telling me that you’ve attended certain trainings that you haven’t actually gone to. And I know why a lot of people do this. They’re nervous. Again, they want to impress, they want the job. And so they figure, well, I’ll just fudge this, right? Because it’s just a short interview. There’s no way that this stuff can be sorted out in the interview. And you’re right in the interview, I probably am not going to know this, even though if I suspect that you’re not telling me the truth, I could start asking you some pointed questions and maybe figure out that you don’t know it, but listen, the bottom line here is don’t lie, that creates an integrity problem, which we’ve mentioned is completely unacceptable.
If I can’t trust you, you’re gone off my team. And it doesn’t matter if it’s a small, I can’t trust you or a big, I can’t trust you. So, don’t start off on this. Don’t start off this way with lies or even exaggerating the truth that may be okay in marketing, but it’s not okay in the information security and cybersecurity world, because what’s going to happen is you’re going to tell me this and then, I’m going to go do the background check. So, I’m hiring, I found a person that I want to hire for my team right now. And I am really, really like anxious to pull the trigger. But I’m doing a background check on this person because I don’t know who they are. I’ve never met them before. There’s nobody that I know who knows them. And so, to protect my company, to protect my customers, I’m running a background check.
Well guess what, I’m going to do that. Whether it’s a formal background check or whether I’m going to just like talk to your prior supervisor and I’m going to find out if you’ve done these things and if you’ve gone to these trainings or if you have these certifications, it’s very, very easy for me to discover. So, you may think that you’re going to get away with something, but you’re not. So Jason, what would you rather see a candidate do when they feel they’re missing a certain certification or a certain experience?
Jason Dion:
Yeah. I think this is really an easy one, don’t lie to me, be honest, list of certifications and experience that you have that are relevant to that position. This is one that I talk about all the time, because I look at my own resume and I’ve got 30 something certifications. Now, do I think you need 30 something certifications? Absolutely not. I think you need three to five key certifications. Now if you have 10, 20, 30 certifications, that’s fine. But what I would do is only list the ones that are relevant to the position you’re going for. If you’re trying to go and become a cybersecurity analyst, don’t tell me about the fact that you have an A plus certification. I really couldn’t care less. I care that you have security plus CySA plus, maybe PenTest plus or CEH or CISSP or something like that. Something in that security realm-
Kip Boyle:
It’ll be in the job description.
Jason Dion:
…so, keep the things relevant. Exactly. And it’s going to be based on the job description and you’re going to make sure that it’s matching those keywords. Now this is where a lot of people start lying about things on their resume though, because they’re trying to keyword stuff. I’ve told the story before. I know I’ve told you, Kip. But I’ll share it with the audience here. I was hiring for a government position about 10 years ago. And for this GS-13 position, they were going to be responsible to be the assistant of director of operations for a large IT network. This was crossing about four countries, 10, 15,000 endpoints, big, big network, multiple domains, multiple classifications. And one of the requirements said, must have CISSP or equivalent. So when I got all the resumes from HR, they did their basic filtering and they got it to me who was the hiring manager.
And by the time they had a thousand applicants, they got it to me, I got 83 job resumes. Out of those 83, how many had the word CISSP on it, all 83. How many had a CISSP, three people. So, who do you think I interviewed? It’s really quick for me as a hiring manager to figure out whether or not you’re telling the truth or not. And most of the people did this as a way of keyword stuffing. They put in things like attended a CISSP training, planning to take my CISSP in six months, whatever it was, something like that to try to get that keyword of CISSP and it got through HR, but it didn’t get through me because I know the difference.
And most hiring managers know the difference. And one of the big things that just drove me crazy, and I wouldn’t even have put this on my resume was I had people who wrote down, attended a CISSP bootcamp, two years ago was the date on it. And I’m thinking to myself, if you attended the training two years ago, but you’re not certified yet, either A, you’re lazy and you don’t want to go take the test or B, you’ve taken the test multiple times in the last two years and you’ve failed. Either way, you’re not meeting my job requirement because my requirement was you had to have a CISSP because the government has a rule that says, you must be an IAM level three, which means you have to have this certification to meet those requirements. And so for me, it was a non-starter, you weren’t even getting an interview. So, you wasted your time, you wasted my time and you wasted HR’s basic filtering time. But that’s the kind of thing that, to me, it’s a lie or embellishing the truth, because you’re just trying to keyword stuff. So, please don’t do that.
Kip Boyle:
Yeah. And you’ve also ruined your reputation with me, because if your resume comes back around sometime in the future and if I remember that I tossed you out of consideration because of that game that you played, well, you’ve shut a door with me possibly forever. So, don’t do it.
Jason Dion:
Yeah. And in my case, 80 resumes, I don’t remember those 80 people’s names. There’s no way I would. Really, it made my searching process pretty quick, because I was thinking I was going to have 80 people to consider and have to pick the top five to interview. You made my job easy. There was only three who got an interview.
Kip Boyle:
Jason, sometimes people get further along than that. And they’re getting along because they’ve told this lie. And at some point that could get discovered. And the further you get through the funnel, the more likely it is, I am going to remember your name. So, there’s no way for you to know, so just don’t play that game.
Jason Dion:
Yep. What is the number four thing that just drives you crazy, Kip?
Kip Boyle:
Okay. So, I’ve seen this over and over and over again. And it happens a lot actually after people come on board or if I join an organization and I can just see it, there’s people who during daylight hours, during working hours, they pretend to be very conservative about hacking and breaking into systems and so forth. But then you encounter them outside of work hours or you find their social media feeds. And you realize that this person is showing up two completely different ways. They’re saying what they think they want me to hear about the legality and the ethics of breaking into systems. But their reality is way different and they’re way more permissive about the ideas of that they can go wherever they want to go. And I think the reason why they believe they can get away with this is because on the scene they’re using their handle.
And so they figure, oh, well, I’m anonymous. Well, no you’re pseudonymous, which means you’re kind of, sort of anonymous, but guess what? It’s not that difficult to figure out your handle. So if you think that you can get away with this and it’s another form of lying. So, you’re lying to me and you’re pretending that, oh, yes, I’m on the straight narrow and I’m a law abiding. And I would never think to even do something that was skirting the law. But then, I find out your handle because I do that background check. How do you think I’m going to feel? Jason, how would you feel?
Jason Dion:
Oh, I would feel betrayed. Because I feel like you lied to me. And again, that just goes right to the trustworthiness. Now, I may not even care about the fact that you have these ethical question abilities depending on the position I’m hiring for and those type of things and the organization I’m in and whether or not we have to have a clearance or not and all those kind of things. But the fact that you lied to me, that really is a thing that I feel like you’re putting on this false front and this goes with anything. If you have to hide who you really are to get the job either A, you shouldn’t be in that job anyway or B, you probably don’t want to be in that job because if you’re somebody who is, I don’t know, a far right person, are you going to go get a job with a far left organization? No, you would just hate it every day. Or vice versa, the same thing.
If you are an anti-social anarchist, you don’t go want to go work for the NSA, who’s part of Big Brother. These are the things you have to make sure your conscience is clear. And so whatever that conscience is, I’m not going to tell you ethically, what’s right and what’s wrong, but you need to know who you are and be in an organization that appreciates you for who you are.
Kip Boyle:
Yeah. Eventually, it’s going to slip. Eventually, no matter how good you are at pretending that you’re somebody different on the job, sooner or later, people are going to find out. And that’s when they’re going to start feeling betrayed. Some people are going to feel really betrayed. Some people are just going to be, eh, whatever I knew it or what have you. But this is about getting a job, this podcast is about getting a job. It’s about thinking like a hiring manager. And so just, boy, don’t do this. This is a bad idea. This is a really bad idea. And listen, if you disclose who you really are and you don’t get the job, that’s not a fail. Okay. That is not a fail. That is called fit. That means checking for fit to make sure not only, as a hiring manager, I’m checking for fit constantly. And I’m expecting you to do that too.
Jason Dion:
Yeah, exactly. You want to make sure you’re a good fit and that they’re a good fit and that you’re going to be happy in that organization, right?
Kip Boyle:
Yeah.
Jason Dion:
Because I can tell you there’s some organizations, I would go crazy if I had to go work at, even though they might pay me a lot of money to go do it, because I’m just not a good fit for them and they’re not a good fit for me. So, keep that in mind. Number five-
Kip Boyle:
Ready for number five?
Jason Dion:
…yeah. Number five. What do you got, Kip?
Kip Boyle:
Yeah. So look, don’t pretend that you have never worked on or maybe even led a project that didn’t live up to expectations. Okay. So, it’s inevitable. When I talk to you in the interviewing process, I’m going to want to know about your failures. All right. Everybody fails. It’s part of life. It’s okay. I know some people think that failure is the worst possible thing in the world. And there’s hiring managers out there that actually believe that as well. And they’re not interested in hearing about failure. And if you tell them about failures, they’re going to be like, oh, what a loser, I’m not going to hire them, but you can’t know that when you come into the interview, so you just have to be okay with the fact that you have failed. Look, failure is the best possible instructor. You will learn more from failure than from any success or any 10 successes. Everyone fails sooner or later, no matter how hard they tried to avoid it. So, don’t pretend that you’ve never failed.
And I can’t tell you how many times I’ve said to somebody, please tell me about a time that you worked on a project that failed or that you made a big mistake. What happened? Tell me about it. And they’re like, oh, I’ve never really made a big mistake before, I made little mistakes, but you know, nobody cared and blah, blah, blah. And I’m just like, oh my God, what a poser?
Jason Dion:
Yeah. I mean, when you look at these stats, I teach project management certifications. And one of the stats we find as we look at the best practices across the project management industry is that 80% of projects fail to deliver on time or on budget.
Kip Boyle:
80%.
Jason Dion:
So that means 80% are failing. That’s four out of five, which means out of every five candidates, four of them should be able to tell me what they did wrong that made something fail or what project they were involved with that made it fail. And so I think it’s really important that you’re honest with yourself. And you think about this before you go into an interview because inevitably, I hear this question asked all the time, what project did you have that failed? What rollout did you have that failed? What installation did you have that failed? What configurations? Have that in your mind where you already have a canned response.
And just like Kip said, you need to focus on the key point of this. It’s not the failure. It’s what you learned from that experience. I have failed a lot both before my company and during my company where we have put things out, we’ve decided to go down a certain path, I’ve rolled out a project, we’ve done things. And we realized, oops, we screwed that up. And so, we learned from those experiences. So, we don’t do the same mistake next time. And you need to do the same thing. So, you need to be able to coach that in the, here’s what I did, here’s what went wrong, here’s how we never had that problem again, because I’ll tell you if you’ve never failed as a hiring manager, that scares me because it means you’re due and you’re going to fail in my organization. If you’ve already failed before you’ve learned from those mistakes on somebody else’s dime and hopefully you’re not going to make those same mistakes again.
Kip Boyle:
Yeah. And I expect people on my team to learn all the time. You cannot be in this career field without learning new stuff every single day, there’s just too much changing. I’ve got a customer right now that’s that’s saying, “Hey, Kip, we’re thinking about getting into non-fungible tokens, but we don’t really know enough about it. So can you help us get smart on it?” Oh my gosh, I really wasn’t interested in NFTs, but because my customer wanted to know, guess what NFTs are now my new favorite thing to learn about. And I turned on a dime because that was just part of how I serve my customers. And if you work for me, then you’re going to be serving me, you’re going to be serving your teammates, you’re going to be serving the organization, you’re going to be serving customers.
And if that’s what they say is important, you need to be prepared to learn something. And guess what? You’re probably going to fail. Every now and then, your judgment, you’re just not going to have any because you get judgment by making mistakes. So anyway, you’ve got to be willing to tell me that you know how to learn. And one final thing here is what did you learn from the experience, I got to know that you can learn from your mistakes. That’s number five. Ready for number six?
Jason Dion:
I’m ready for number six.
Kip Boyle:
Okay. We’ve almost brought this episode home here. Okay. So number six, our industry is rife with this attitude and it is so self-defeating and we are shooting ourselves in the foot every single time we say or do anything that has to do with number six. And that’s this, describing information security or cybersecurity as an absolute must have, must do at all costs function for a company, which is to say like, hey, if we don’t secure everything, then, while those leaders are a bunch of idiots, contempt, contempt, contempt, and, oh, and then by the way, a corollary to this is making it sound like cybersecurity is all technical. That there’s no people stuff involved here. It’s all about dialing the knobs, getting the bits exactly correct. And anybody who gets in the way is an idiot. I hate that attitude. It’s so self-defeating. Jason, you’ve seen that before, haven’t you?
Jason Dion:
Yeah. And I think this is interesting because when you just made that statement, you made the statement of describing cybersecurity as an absolute must have, must do at all costs, business function in an organization. And you talked about it being a business thing. Well, my experience for the last 20 years was not in a for-profit business environment. I worked in the government sector. We’re not in the business to make money. That’s not our goal. And so for us, it was a completely different mindset. And I had to struggle a lot of times with people where they tried to bring in this, we must do this at all cost mentality inside of this nonprofit making machine called the government. And one of the things is that when we would bring up a concept, like you need to make sure you have a good ROI on this investment.
They’re like, well, we don’t make any money. So, it’s not an ROI. And I’m like, well, no, that’s not true. There is a business case to be made inside of this. Because let’s say I have a budget of, I don’t know, $1 billion a year, which some of the places in the government spend a billion dollars a year on cybersecurity. What are you getting back for that billion dollars? And if it’s not something worthwhile, then you probably shouldn’t be spending the money on it. And so we had to go through and start making the business case inside of the government of why we needed this new server, this new tool set, these new people, whatever those things were and say, this is the return on value we’re going to get. We’re going to be this much more secure. We’re going to have this many less hacks.
And it wasn’t just about profit in that case, but really it does come into whether you’re in a nonprofit organization, whether you’re in the government, whether you’re in a business, it does come down to a return on investment. And so you have to describe cybersecurity as a business issue. And I know you spend a lot of your day especially using the NIST cybersecurity framework to explain this to your customers of how cybersecurity is a business issue.
Kip Boyle:
Yeah, absolutely. So, a big part of our work is helping people understand that there is business value in cybersecurity spend because there’s a lot of confusion about this. A lot of people are like, well, I just want to do like a straight ROI calculation to prove that I’m going to get X percent of internal return on this money that we’re going to spend on a password manager or whatever. And I have to say, “No, first of all, you’re never going to be able to pencil this in a traditional business case way.” So, there’s other ways to do it though. And so, I do spend a lot of my time explaining about our business value framework and all the different dimensions.
We’ve got a four dimension model. I’m not going to unpack it here, but yeah, I spend a lot of time explaining to people, what is the value of cybersecurity? And I can tell you that when I was on F-22. I was at the system program office for F-22. And I remember being told all these crazy stories about people who spent money on security, like they were, pardon the pun here, Jason, drunken sailors. And often [crosstalk]
Jason Dion:
I really don’t like that term because I hear people talk about Congress spending like drunken sailors. And the problem is drunken sailors stop drinking when they run out of money. Congress and the government on the other hand, they don’t, they just keep [crosstalk] find more, so drunken sailors don’t drink that much, I’m sorry.
Kip Boyle:
That’s a great point.
Jason Dion:
Anyway, you can go on.
Kip Boyle:
No. Thank you. That’s excellent. So, but look, if you’re in the government, it’s taxpayer money. Okay. Don’t spend my taxpayer money foolishly and with no justification. And if you’re in a for-profit organization, this is going to get you bounced and you’ll be perceived as completely un-incredible if you have this attitude of, we have to do security at all costs and that damn the torpedoes full speed ahead, another naval saying there, I guess, but look in business in the private sector, there are huge risks that organizations are facing. Like product market fit, especially in a small company. Am I selling something that people want and can I sell it for a price that will create enough profit that we can keep going, that we can meet payroll and we can pay our bills?
And there’s no way that a senior decision maker who’s worried about product market fit is going to have a good reaction to you coming around saying, oh my God, we need a security information and event monitor. And I don’t care how much it costs, hundred thousand dollars, whatever, we can’t live without it, everything, the sky’s falling if we don’t have this thing. Or another cardinal sin in my view is saying, oh, we have to deploy two-factor authentication. And we need to train everybody on PGP because we need to encrypt our email. What? You expect customer service agents to figure out how to use PGP and still get their job done, you are on another planet. So, there you go. Be careful.
Jason Dion:
Yeah, exactly. And one of the things I think that has really made me successful in my career even in the government sector is I could speak the language of the executives and I could sell them what I needed to do in terms that they could understand. And on the business side, it’s the same thing. You need to take the time to learn the language of the C-suite. And we talk about the C-suite, we’re talking about the CEOs, the COOs, the CTOs, because they are really focused on what is that budget? What is it going to cost me? What’s my return? What am I saving? And all those type of things. It’s very rare that you’re going to find an executive or senior officer if you’re in the government side or the military who is going to bother learning cyber speak. And so you need to be able to translate things from your technical mind into languages that they understand.
And this is one of the things that I see that some people who are really successful and a lot of the really good IT and cybersecurity master’s degree programs are actually very similar to a lot of the MBA programs. And the reason is at that level, you need to start learning how to speak executive and be able to run the numbers and run the accounting and the actuarials and the return on investments and the future cost of the money you’re spending today and what it would’ve been worth in five years, if we invested it in something else. And because if I’m spending a hundred thousand dollars on that new doohickey that keeps selling me, that’s a hundred thousand dollars that I can’t put into hiring another employee who can be a salesman that might generate half a million dollars a year in sales.
And so, it is an either or, money is finite, and we have to figure out what we’re going to do. So when it comes down to it during the interview, you really need to make sure that you’re thinking about these things and show that you can communicate at this higher level if you want to have a long-term employment at that company.
Kip Boyle:
Now, if you’re being hired to just twist some knobs and pull some levers, this is probably not going to be as big of a deal, but I’ll tell you the warning here is that if you start talking about this as a must have, must do it all costs function, even though, that’s not really what I’m hiring you for, still going to bounce you. Okay. Because, boy, it’s really hard to reprogram people on this point. So, just be careful about what you say. Now, look, those are the six things we wanted to share with you. And as we wrap up the episode, I want to tell you one more thing that’s really, really important. So if you are violating any of these six and God help you, if it’s more than one of them, okay, I have a trump card that I can use in order to make this point to you without being rude.
And it’s this question, so if I think you’re like not telling me the whole truth, if I think you’re lying, I might ask you, “Hey, would you please describe a time when you either accidentally or intentionally violated a security policy?” When I ask that question to people who I think are lying to me, you should see the looks on their faces. They go white and they’re freaked out because that’s usually when they realize that they’ve already crossed the line in the interview, what’s even worse is actually when I ask that question and the person doesn’t even flinch and that tells me that they are totally clueless. They don’t even realize that they’ve been over the line with me. And so it’s like, okay, I think this interview is over.
Jason Dion:
Yeah. If you go and do a government security clearance, one of the questions they love to ask you is, have you ever destroyed government equipment or government IT? And I’ve had to say yes to that every single time. And the interviewer looks at me like what? And a little spikes on the dial starts going off. And it’s like, well, yeah, I have, because that was part of my job was disposal of government property. And one of the ways we did that was we took out the hard drives, we put drill bits through them. We incinerated things. We destroyed that stuff. And to be honest in the polygraph, I had to say, yes, I have intentionally destroyed government equipment. And so, there is times that you will intentionally violate a security policy, because the security policy says don’t destroy this stuff or don’t take it home. And sometimes you get home and you’re like, oh, I have this secret piece of information in my pocket that I forgot from my work.
And so these are the things you have to think about and just be honest about it. That’s really what it comes down to is, can I trust you? Are you trustworthy? Are you going to be honest with me? And if you do something wrong in my company, are you going to tell me about it so that we can then fix it and move forward?
Kip Boyle:
So, I hope these six things are really going to help you avoid making mistakes. It’s possible that you heard one of these six and you went, oh my Lord, I think I’ve done that. If you’ve ever done that, you should tell us your story. Send your story over. We’d love to hear about it. Hopefully, you can laugh at yourself a little bit over it, but anyway, so hope these six really help you.
Jason Dion:
Yeah. If you want to share your story, go ahead and just email that to support@35.167.158.44. As Kip said, we’d love to hear it. And if we get a couple of them, we will share them on the show as well with your permission. When you tell us your story, tell us if we can share it on the show or not. We won’t share it unless you tell us you can. But we’d love to hear what you have to say about this episode. Please do share it and let us know. With that said, I want to thank you for joining us for another episode of Your Cyber Path. I hope you found it informative as you start working through and trying to get on your path to your dream cybersecurity career. We’ll see you next time.
Kip Boyle:
See you next time.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
Don’t forget to sign up for our weekly Mentor Notes so you can break into the cybersecurity industry faster!