Category Archives: softskill

As a consultant for an incident response firm, the engagements we get are typically fairly fleshed out in terms of being a security or operational incident. Every once in a while, we have calls come in that seem very security focused when described by the customer contact but after arriving onsite they work out to be an operational incident. It can take a lot of experience to really take the problem down to its roots to even make an approach at root cause.

There have been a lot of discussions flying around about various skill levels required for InfoSec jobs. Along with that, many have expressed concerns about the job postings and the requirements that get listed, and I joined in a little while back. Others have made bold statements that InfoSec jobs shouldn’t be entry level jobs since the skills needed are gained through other roles. I am in the middle on that feeling. I have met some very smart people that seem to just ‘get it’ and do well in InfoSec without other prior experience, and I have also met people that have spent 20 years in IT that don’t understand some of the basic concepts. It really goes both ways.

Although I do not hold the opinion that InfoSec is not an entry level job, I do think there is a lot to learn that can be extremely beneficial to a role in InfoSec. I recently went out on an engagement that required an incredibly deep understanding of routing and switching concepts. I am not talking about having the magical skill of being able to calculate subnets in your head (although I was able to do that at one point in my past). I was facing one of those security vs operational incidents I mentioned above.

I spent a lot of time in a network admin role. I took over management of a medium sized business nationwide network. The network had previously been built (incorrectly) by a supposed networking expert. I spent a lot of time understanding what the problems were and addressed each of them as components to an overall problem. The result was a lot of positive comments from end users about the improved speed and reliability of the network. I ended up rebuilding about 90% of that network at another point later during a move from Frame Relay to MPLS. I spent time studying proper network design and function to make sure I was doing things correctly.

I mention this because the recent engagement I went out on involved a few components that at a glance could easily appear like very serious security issues. A proper understanding of networking principals, and along with that the OSI model, was absolutely essential. There were a ton of components that when viewed as a whole would lead down a ton of rabbit holes.

In Incident Response especially, we need to have the ability to view the problem as a whole, but also be able to break the problem down into the various smaller components. That is what an investigative / analytical mind does. Those components often times are not all contributing to the problem. They are often times a symptom or result of another problem. If you don’t have the knowledge to separate those components from the overall problem, then your incident is going to be much more difficult to resolve.

To those of you that are considered entry level:

1. You can learn on the job, but you need to make sure that you take on a job that will give you that opportunity. Make sure that your role will be involved in technology across the board to get the exposure.
2. Find a mentor that seems to be the right personality for you. That mentor can guide you to various topics that would be very beneficial to your career in InfoSec.
3. Understand that there will be jobs that are requiring skills that you don’t posses. The postings don’t always reflect the true picture of what that company is willing to hire.
4. Ask your mentor for help in applying. Ideally, that mentor will be well connected in the industry and would have already started to expose you to various people around the industry. If that hasn’t happened yet, there might be a reason for it (maybe you aren’t ready), or your mentor might not be supporting you as well as needed.
5. Show your efforts in learning. Make sure that people understand the time you are putting into improving yourself. This doesn’t mean that you constantly brag about your self, but you can demonstrate your learning in many different ways.

InfoSec can be a tough place to work since we have to know a little about a lot. Embrace your curiosity.

James Habben
@JamesHabben Continue reading Skills and Knowledge for InfoSec→

As a consultant for an incident response firm, the engagements we get are typically fairly fleshed out in terms of being a security or operational incident. Every once in a while, we have calls come in that seem very security focused when described by the customer contact but after arriving onsite they work out to … Continue reading “Skills and Knowledge for InfoSec” Continue reading Skills and Knowledge for InfoSec→

As a consultant for an incident response firm, the engagements we get are typically fairly fleshed out in terms of being a security or operational incident. Every once in a while, we have calls come in that seem very security focused when described by the customer contact but after arriving onsite they work out to … Continue reading “Skills and Knowledge for InfoSec” Continue reading Skills and Knowledge for InfoSec→

I unintentionally started a small storm on #infosec twitter the other day. In that storm I received responses in extremes that I didn’t even know existed. I wanted to give a bit more depth to that thread than what 140 characters can convey.

Let me clear the air a bit first. That was not an attempt to broadcast me searching for a job. I am not ‘on the market’ and no I didn’t apply to any of those jobs that I tweeted about. That was also not an attempt to phish for compliments, ego inflation, or many other interesting things I was accused of in private messages and subtweets.

The Backstory

Here is what happened. As a Senior Consultant for an Incident Response firm, I periodically take a look at other jobs that show up on the market for situational awareness. I have found that the industry titles seem to vary quite a bit as the responsibilities of my Senior title seem to be equivalent to other firms’ Principle, Lead, Manager, or even Director titles. There are Managers that don’t manage, and there are Leads who do. It is pretty spread out.

While looking at one of those postings, I said to myself “Hmmf. I can’t qualify for this job with the same title at a different firm.” I then did a mental inventory of my professional network and started identifying people I have connected with in the past that I could reach out to if I were to go through the application process for that job. That took me to another statement to myself, “How does someone with less time in the industry (and likely less connections) make it past any of these requirements.” Naturally, this mostly applies to folks that are very new to the industry. Then off to twitter I went.

The Response

The responses that I received came in through all different avenues: text, LinkedIn, Twitter, Email, even one on Instagram. I would have probably seen a few on Facebook, however I do not currently possess any credentials to logon to that god-forsaken website.

The responses also varied in their messages. I got a few that definitely do not need repeating, and I’m not exactly sure where the motivation came from behind them. On the other extreme, I received a response from someone (or someones) in my network at every one of those companies that I mentioned in a tweet. Many have very graciously offered to put me in touch with someone to get me hired there, and this would bypass the HR and recruiters to ensure that I was considered. I am thankful for all of those responses since it shows how much of a community I have with those individuals. That wasn’t my intent though, and I hope this post makes that more clear.

The Bypass

What makes me so special? Why did so many people offer to take me around the filters?

I have been in the industry for a really long time
This doesn’t mean I know what I am doing. At the most basic level, it means I have been able to fool enough people for a long enough time to stay employed. While that is not an accurate representation of me as a whole, my length of time makes no other indication.

I work for BigName firm
Yup, I do. I also know a lot of people that are very new to the industry and still have a lot more to learn that also work for big name firms. This also does not show anything about me.

I have followers on Twitter
Ya, I have some. There are plenty of people that have tons more followers than I do. There are also folks that I know who are extremely knowledgable and very good at their jobs with a double digit follower count or no Twitter account at all. It is quite easy to look smart on the internet when I have time to plan and research what I decide to make public.

I have a blog to share my thoughts and research
Now we are getting somewhere. My posts on this blog are a far better representation of who I am than some of the things mentioned above this. Although, it is still quite easy to look smart here because of the time allowed for planning and research. What is more difficult to fake, however, is my communication skills. My writing here is a clear demonstration of my abilities to convey points to a widely varied audience, although the majority of readers here seem to be more technically focused. We are finally looking at something that employers could use in their evaluation of me as a potential candidate.

I have spoken at conferences
Another point that gets more into who I am. We are also getting into an area that is a bit harder to fake. Sure, there is still prep and research involved ahead of the point in which I am delivering my talk, and I certainly do plenty of that. What is nearly impossible to fake is my presence in the room and my authority on a topic. As a bonus, there have even been recorded sessions I have delivered that are available publicly on the internet, and this allows me to provide another demonstration of me to a potential employer.

I know lots of people
This seems to be the most significant point in this list. My time in this industry has put me in contact with a large amount of people. People I have made enough personal connection with to where they care about my wellbeing in terms of being employed. People that have calculated the risk involved, and are still willing to put their reputation and connections on the line to help me.

The Takeaway

Every job I have held has been through some connection. I have not received any jobs where I applied through some web portal. I have tried some of those in the past, and have many times not even received a courtesy rejection letter. My experience is often not categorized as ‘cybersecurity’ or ‘infosec’ depending on which recruiter I talk to.

If you are struggling with breaking into the industry, here are my pointers (which is really an echo of so many others’ great advice as well):

1. Start a blog and post about stuff. it can be research, thoughts, infosec challenges, or a number of any other topics. If you would like some help getting started on this, please feel free to reach out to me. I enjoy helping motivated people. The information you put in public can give employers more data to consume when you are short on other requirements.
2. Work on your soft skills. I have a few posts up here about how soft skills can be improved in various ways, and I intend to continue these posts. You need soft skills in this industry if you want to get into the better jobs. Interviews will make or break your job application in the end.
3. Go out and meet people. This can be virtually or physically. There are quite a number of people who I would consider to be a step above acquaintance in terms of relationship who I have never met. Some I might not even know their real names! Connections will get you in the door.

Last point, I am in no way criticizing the companies that put up those job listings. They have reasons for asking for those requirements, probably because something has bit them in the past. I am not saying they should relax their requirements either. What you as an applicant has to recognize is that the requirements are not always requirements. You need to make meaningful connections to get access to the people that are making the hiring decisions.

I hesitated about initially sending those tweets, and again about writing this post. I am sure another round of hatemail will be heading my way soon. Also, it is not easy to publicly admit that I don’t qualify for so many positions in the industry I have been in for so long. I probably don’t even qualify for the requirements of my current position either. As someone facing the challenges of the hiring process, I hope this can give some comfort and help in your quest.

Good Luck!

James Habben
@JamesHabben Continue reading Infosec Jobs→

I unintentionally started a small storm on #infosec twitter the other day. In that storm I received responses in extremes that I didn’t even know existed. I wanted to give a bit more depth to that thread than what 140 characters can convey. Let me clear the air a bit first. That was not an … Continue reading “Infosec Jobs” Continue reading Infosec Jobs→

I unintentionally started a small storm on #infosec twitter the other day. In that storm I received responses in extremes that I didn’t even know existed. I wanted to give a bit more depth to that thread than what 140 characters can convey. Let me clear the air a bit first. That was not an … Continue reading “Infosec Jobs” Continue reading Infosec Jobs→

I’m sorry that you interpreted our discussion in the way that you did

I was recently the recipient of this statement. In the best case, it is frustration to hear or read this. In the worst case, it can be depressing and completely demoralizing. Let me provide a few examples with a little elaboration:

As a teacher:
I’m sorry that you didn’t understand what I was saying. It is only my job to talk at you and you are responsible for listening and figuring out the message I was intending to deliver.

As a consultant:
I’m sorry that you didn’t get what I explained. I do this on a daily basis and know so much. I also don’t have time to explain these things to you.

As a friend:
I’m sorry you didn’t interpret that conversation correctly. I was trying to help you to be a better person, but you couldn’t get over yourself enough to hear what I was saying.

As a potential employer:
I’m sorry you understood my statement incorrectly. I hold all the power here and you should be bowing to me to show that you are worthy of a job here.

As a boss:
I’m sorry you misunderstood my instructions. You should have listened better. I know exactly what I was saying and it is your fault you don’t.

Own It

When you decide to take on the task of explaining something, it has become your responsibility to ensure that all of the recipients correctly understand the message. If they don’t, it is YOUR FAULT. This may come as a news flash to some people, but there is no such thing as a mind reader. If you do not explain things in a way that people can understand, you are setting someone (or someones) up for failure.

From Jessica Hyde:
The phrase “I’m sorry” is absolutely meaningless when the onus is then placed back on the party being apologized to in the qualifier. Apologies should be formatted ” I am sorry I…” not “I am sorry you…”. Argh. The second is just rude.

From Mitch Impey:
the basic rules are valid in every industry and respect is key 🙂

Treat everyone with respect. Someday it will bite you.

James Habben
@JamesHabben Continue reading Soft Skills: Respect→

I’m sorry that you interpreted our discussion in the way that you did I was recently the recipient of this statement. In the best case, it is frustration to hear or read this. In the worst case, it can be depressing and completely demoralizing. Let me provide a few examples with a little elaboration: As … Continue reading “Soft Skills: Respect” Continue reading Soft Skills: Respect→

I’m sorry that you interpreted our discussion in the way that you did I was recently the recipient of this statement. In the best case, it is frustration to hear or read this. In the worst case, it can be depressing and completely demoralizing. Let me provide a few examples with a little elaboration: As … Continue reading “Soft Skills: Respect” Continue reading Soft Skills: Respect→