Mike Kearn, principal security architect at US Bank, cited what job seekers don't do when it comes to the basics of interviewing. "When I offer them an opportunity near the end of the interview to ask me anything, and I emphasize the word 'anything,' the majority ask me softball kinds of questions about culture or why I like working there. Missed opportunity on their part," he says.
4. Believe certifications and degrees matter more than practical skills
"Many think that I care more about their degree or certifications than actual skills," Kearn says, while others are under the misguided assumption that a degree or a certification equals a job. It doesn't."
Likewise, many entry-level applicants think technology is the hammer to squash every security risk nail. "Too many think that the solution to most problems is a technology control, rather than people and processes," says Eric Cowperthwaite, former CISO for Providence Health and Services and currently advanced security and strategy VP at Core Security Inc.
Ben Rothke, senior eGRC consultant at Nettitude Group and former CISO, agrees. "The technology tools they have experience with are the definitive techniques for approaching information security. Not every security problem can be fixed by a firewall or IDS," says Rothke.
5. Stretch the truth
This one certainly isn't exclusive to information security, but it is especially silly to try to pull this off on experience security professionals who tend to be a suspicious bunch by nature. "You'll notice that they tend to exaggerate their experience to impress hiring managers; some range from slight fibs to full-blown lies," says Sverdlik.
Kearn concurs:"A lot of them attempt to inflate or enhance their resume by saying they know someone and are connected via LinkedIn. But when I press them on it, because I actually know the individual personally, they cave almost immediately."
6. Don't understand the highly interpersonal nature of infosec
Many entry-level applications come from workers in small businesses, and they are not prepared for or do't seem to understand how large enterprises function. That's fine, and part of the learning process for new professionals -- but keep an open and learning mindset when it comes to practicing information security at a larger enterprise. "A lot of people have expressed ways to do business that simply won't work in a large enterprise. Typically, the person would be very direct toward people who want an exception to security policy, avoid collaboration, avoid discovering why the person wants the exception, and just dictate behavior" says Cowperthwaite.
"They often don't realize that their excitement and sometimes irrational exuberance around all things information security is not shared by most people in the organization" Rothke says.
In the end, perhaps the most important thing is to be one's self. "Show that you have a passion for security, be it examining logs, performing code review or risk assessments, or even administering security appliances. If you are good at critical thinking and have a good technical background, learning the rest is easy," says Sverdlik.
Sign up for MIS Asia eNewsletters.