Job Interview for a position with "stale" experience

[jeromedawg]

Hey all,

I may be interviewing for a position that relies on a skillset (infosec) that I've really lapsed in during the past 5 years since working my current position (QA). I have a background in both but especially since I started my current position (since 2016), I've been heavily if not all focused on QA. The context of this is that I'm working on a team that is technically in the infosec space but I'm more on the development side and pretty strictly QA which has very little to do with actual infosec practices. I haven't kept current with certs that I obtained years ago (when I was more involved in infosec) and current experience just isn't there; part of me sort of lost 'interest' in the infosec arena as I became more involved with the QA stuff at my current place.


Any suggestions on how to approach the interview with all this in mind? I'm not exactly sure how to respond when they realize that I've had very little actual involvement in the infosec space for the past 5 years (which is a long time).

[AMandM]

I know nothing about infosec specifically, so I'm just brainstorming in general here.

If you're applying for this job, you presumably have some confidence you can do it. What's the basis for your confidence? How can you communicate that to the interviewers?  Is there something you can do that will seem to them like harder evidence--e.g., renew your certification, or at least start the process?

Is the stuff you've missed out on over the last 5 years stuff that you can easily get back up to speed on? Can you point to something in the past 5 years that demonstrates that you can learn fast?

Does your experience of the past 5 years, even if it's not directly in infosec, give you skills or knowledge that would be helpful? Maybe you're more aware than a narrowly infosec-focused person on how X Y or Z affects other areas of a project.

[jeromedawg]

I know nothing about infosec specifically, so I'm just brainstorming in general here.

If you're applying for this job, you presumably have some confidence you can do it. What's the basis for your confidence? How can you communicate that to the interviewers?  Is there something you can do that will seem to them like harder evidence--e.g., renew your certification, or at least start the process?

Is the stuff you've missed out on over the last 5 years stuff that you can easily get back up to speed on? Can you point to something in the past 5 years that demonstrates that you can learn fast?

Does your experience of the past 5 years, even if it's not directly in infosec, give you skills or knowledge that would be helpful? Maybe you're more aware than a narrowly infosec-focused person on how X Y or Z affects other areas of a project.

Great thought-provoking questions. The more I think about it the more I lean towards just not really being motivated. I might be lacking confidence or just burnt out from working in general but I suppose the 'basis' of my confidence in applying in the first place is that this all originated from a mailing list that I'm on (resulting from originally getting certified years ago). Sometimes job postings come up on the mailing list. So by virtue of fact that I'm in the "members club" gets me priority for an interview apparently. The organization I'd be conversing/interviewing with is more or less the same organization who administers the mailing list as well. I pretty much communicated to the person who posted (who is the direct hiring manager) that I'm "interested in learning more about the position" along with my attached resume. At this point I'm trying to think of it more as 'intel' gathering but it's still intimidating either way and the question that repeatedly pops up in my mind is: "If I'm so interested in the position why haven't I renewed my certs or continued doing research/etc in the infosec space these past 5 years?" - this goes back to the "job burnout/boredom" issue I alluded to earlier. My current position is so lax and I've gotten kind of comfy/cozy here that it's hard to even want to look for anything else. The potential issue I'm facing is a combination of being under new management as well as a lot of significant recent changes (layoffs, restructuring, etc) and the anticipation of more of this in the future. It just feels like there's potentially some writing on the wall. I'm trying to keep my head down and work on the same project I've been on the past 5 years because I know it's a pretty important tool to the company. So in a way I'm 'pigeonholed' but job security wise I *think* it's a good place to be amidst the circumstances (of course, there are never guarantees right?). Another side of this I forgot to mention: ironically even though I'm in a "cybersecurity" group at my current company, the prioritization of funding for certifications and renewals of certs is pretty low. I had one cert renewed in 2016 IIRC and that took some teeth-pulling to get funded. In the current atmosphere, I haven't even bothered with it. The "training" they push for us is mostly company-mandated/approved and I consider the certs I have/had to be outside of the scope likely due to budget constraints. So there's a lack of support from my current group when it comes to maintaining my infosec skills and certs based on a real industry standard. When I first started the VP of the group favored these certs a lot but that support has dwindled in the past few years. I suppose I could self-fund these but it starts feeling like a lot of overhead and maintenance IMHO - have to sit to take a fairly intense multiple choice exam every 4 years or so and it costs probably around $400-500 *per* cert nowadays although they will offer multiple cert discounts - I had 3 certs but I think at least one or two of them have expired at this point. They send out a new set of material for you to study and practice tests leading up to the exam but it's definitely a pretty hefty investment of time to study for all this. Not my cup of tea (I'm not inclined to book learning and testing as much as I am hands-on)

As far skills/knowledge that can crossover I'm not 100% certain. The thing that comes to mind most is a relatively good eye for detail, which I would think this new position requires as well. The position is more analytical/theory-based than it is hands-on infosec work (e.g. responding to breaches or pentesting). It's higher level in the sense that you have to know the concepts and relay them well (basically, it's a position where I'd be writing exam questions which is ironic considering I don't like taking exams LOL - I think it's possible for someone to like coming up with questions but not having to answer any though hahahaha!)
As far as getting caught up on things fast, that's a good thing to point out and I'll have to think through some examples of that with the current place. It's a bit hard because I've been doing the same thing over and over but I guess one 'parallel' would be the ability to formulate use/test cases often given very vague or rough requirement details (and often not formalized).

[ender]

Are you going for another infosec role?

[jeromedawg]

Are you going for another infosec role?

Looking to get my foot back in the door if possible but not 100% enthused as far as interest is concerned (to me, it would just be a pretty secure job and paycheck with some level of minor interest. Barista FIRE is preferable but I think right now there are other 'priorities' I have the big one being potentially buying a home and settling in a relatively HCOL area). 

Anyway, for a while now I've been in the QA world but working on and testing either security related apps or the security specific components of an app.

The other thing about this new position is that I anticipate it being a pay-cut even if I were to get far enough along to have an offer made. It just sounds slightly more interesting than what I'm currently doing and still allows me to WFH.

[Uturn]

It might depend on what "infosec role" you are going for.  GRC/audit/assessments, that should be easy to get back into, just brush up on new regs.  Malware reverse engineering or IR forensics, you might have to start at the bottom again due to stale skills. SOC analyst, companies are damn near begging for those.

[jeromedawg]

It might depend on what "infosec role" you are going for.  GRC/audit/assessments, that should be easy to get back into, just brush up on new regs.  Malware reverse engineering or IR forensics, you might have to start at the bottom again due to stale skills. SOC analyst, companies are damn near begging for those.

Yea, I'm not sure how to classify this one. There's a lot of involvement with exam question writing and review but also something pertaining to exam bank audit (not sure if this is regarding a bank audit cert exam or if this is actually an audit checklist/reference when bank audits are taking place). So it *seems* higher level and not really as hands-on. But I think there is some expectation of having hands-on experience (for me it has just been a while). In theory, I should be able to have a relatively coherent conversation about infosec without getting into the nitty gritty details like how to setup a netcat tunnel off the top of my head or how to open a reverse shell via metasploit etc. That lower level stuff I kind of have a love-hate relationship with because it reminds me a lot of troubleshooting/problem-solving which completely drains me...
I don't think I'd want to be an SOC Analyst - I knew NOC guys two companies ago and it did *not* sound like fun to me at all :(

[Uturn]

you have to play to your strengths.  I tried to get out of engineering a few years ago, and begged to be demoted back.  Troubleshooting gets my juices flowing.  Digging through artifacts in an audit to verify if policy/procedure was followed is a kick in nuts.

Keep in mind that no matter what job you are going for, the company is ultimately trying to solve a business problem. If the conversation starts getting into areas where you might not be as strong, keep it on how you can help solve their business problem. 

[jeromedawg]

you have to play to your strengths.  I tried to get out of engineering a few years ago, and begged to be demoted back.  Troubleshooting gets my juices flowing.  Digging through artifacts in an audit to verify if policy/procedure was followed is a kick in nuts.

Keep in mind that no matter what job you are going for, the company is ultimately trying to solve a business problem. If the conversation starts getting into areas where you might not be as strong, keep it on how you can help solve their business problem.

Agreed - I can really get on a roll with troubleshooting and problem-solving but it's extremely draining to me. The rigor of dealing with audits and checklists is slightly less appealing (since I've been on the 'receiving end' where I've had to work with an auditor to step through things) and I suppose is draining in other ways hahaha.

Good pointer at the higher level though - I think it comes down to me looking to ask more questions about what their needs are see if there are ways in which I can help. Hopefully I can frame it that way during the talks. Honestly, as I mentioned before, I'm really just trying to look at this as an opportunity for me to probe and learn *exactly* what they want/need more than I am applying for a position. It sounds somewhat interesting to me but I don't really have that great of an idea based on the job description.

[Uturn]

In infosec, things can be rather ambiguous.  Let's take my job for instance. My title is Security Engineer. What I do is mostly write SIEM rules, tune customer firewalls and IPS, a bit of working with customers to improve their security posture through configuration of their existing equipment.  We have another employee whose title is Security Engineer and his job is tuning various manufacturer  EDR and working incident response.  A third person whose title is Security Engineer, but she works with customers to determine what tech and SOP they need to reduce their risk.

So now we have three people whose title is the same, but the job is different. My job is to detect what happened.  The second person is to prevent the happening. The third person determines where the deficient is.  Yet we all have the same title, Security Engineer.

You need to determine what your strengths are, what you want to do, and make sure during the interview that there is a match.   

[jeromedawg]

In infosec, things can be rather ambiguous.  Let's take my job for instance. My title is Security Engineer. What I do is mostly write SIEM rules, tune customer firewalls and IPS, a bit of working with customers to improve their security posture through configuration of their existing equipment.  We have another employee whose title is Security Engineer and his job is tuning various manufacturer  EDR and working incident response.  A third person whose title is Security Engineer, but she works with customers to determine what tech and SOP they need to reduce their risk.

So now we have three people whose title is the same, but the job is different. My job is to detect what happened.  The second person is to prevent the happening. The third person determines where the deficient is.  Yet we all have the same title, Security Engineer.

You need to determine what your strengths are, what you want to do, and make sure during the interview that there is a match.   

Agreed. I was hired on as an "info sec engineer" despite primarily doing QA work for a internal inventory/audit related app but after recent changes in management and a significant org structure in 2020, I was basically demoted (without it being said) to QA Associate. What happened was they shifted a lot of us into a lower pay grade where the midrange salary point is actually lower. So while I didn't get a pay-cut, I'm now even higher in the upper range of the salary cap which means less chance of getting a significant raise. I've also been hearing rumors and speculation of the current performance reviews really sucking this year - a lot of ppl who usually "exceed expectations" are now just barely meeting them per the new performance review structure, so a lot of people aren't getting really good bonuses and even COL increases seem like they'll be limited.

The CEO even stated on all-hands calls that they're looking at ways to cut budget by reducing the workforce through attrition... talk about a big morale boost lol. I have my performance review tomorrow and I'm setting the bar low.

All that said, I really can't complain about my current work schedule. There's a lot of downtime and it's extremely flexible. For the most part, the element of "just get your tasks/work done" is pretty huge.
But all these little 'auxiliary' changes seem to ultimately be unraveling a new culture that could result in more of a watchdog-like environment with overlord managers peering down your throat (there are elements of this with my new manager, which is another story). I think what's going to happen with this attrition strategy is that the company is going to be stripped of all its talent and they're going to be driven into the ground (the current CEO is an axe man and I bet he will ditch once it gets to that point or perhaps soon before). One red flag was my peer telling me about the troubles they were having interviewing for a backfill position. They ended up hiring on a contractor who was working in a different group at the company because all the outside candidates were horrible. Seems most of the desirable talent is smart enough to avoid this company so it gets left with slim to no pickings. If this is any sign of what things will look like when the company has to hire on a new workforce after this attrition plan works out, the outlook is pretty grim.

Anyway... I digress. I think I'm so tired and burnt out from working for companies that don't treat their employees well (this company and my last in fact... I mean, they started out really well but just went downhill) that I've been demoralized to the point that recognizing my value and strengths is a challenge. For me it feels like status quo...

It is tempting just to to ride it out and milk it, then trying to doctor up a severance package... although, this might be at the risk of ending up being in a crap environment where morale is nearly non-existent in the last days (I've been thinking about the possibility of pressing the "F-U Money" button in that sense)