Wednesday, 26 August 2015

15 Tough Security Interview Questions, And How To Respond To Them



More often than not, every organization strives to put square pegs in square holes as far as recruitment is concerned and to boost productivity. Even charity organizations are not very charitable; they seldom compromise when it comes to headhunting for the best candidate for a position. As we know, the interview process is part of the mechanism through which an organization shortlists, prunes down and inevitably hires suitable candidates to fill vacant positions. It follows that every organization will hire you because of the value you will be bringing to the table.
The onus is not just on knowing your onion but also been confident and knowing how to market yourself and convince a prospective employer that you are cut out for the role. That is to say it is a quid pro quo. This essay aims to cite real-life scenarios, plausible security interview questions a security professional should expect and how to answer them.

Prior to been interviewed for the job of Vice President of Corporate Security for United Rentals in 2004, Stephen Baird did his homework well. He ascertained the financial filings and the stability of the executive suite of the company, and he networked with a few peers. But Baird also went a step further than this. He visited a branch office of the company to see what customers experience. "I learned how to rent a piece of equipment, and I basically hung around watching and listening," he says. During the interview, when the CFO asked how Baird saw security playing into revenue generation, he had a ready answer. "I told him, 'I will never make security a revenue generator, but it can contribute to cost savings and increased efficiencies,'" he says. Baird then explained how he had watched customers renting equipment and noticed that although they were offered the option to buy insurance on the equipment, there were no security products available onsite. He talked about products United could offer, like security locks for Bobcats that cut down on damage and theft of rented equipment. "The CFO [who would also be his new boss] just sat back and smiled," Baird recalls.

With the increased visibility and co-dependence of the Chief Security Officer (CSO) role with other business functions, applicants for executive security positions can expect a lot tougher job interview questions. Preparation is paramount. We asked several security executives who went through the interview process in recent years what were some of the most challenging questions they had to answer. They shared their advice on crafting the right kinds of answers and the lessons they learned from the interview and selection process.

By the time a CSO has made it to the interview stage, the contents of his resume should be largely moot. Usually both the candidate and company have at least a rough idea of what the other is about. What they are looking for at this stage and what many of the harder questions are getting at is a sense of the unique skills and sensibilities the candidate will bring to the job. They may not always state their questions explicitly, but these are the areas that corporate executives will attempt to mine in an interview.

Security Interview Question 1: What is your vision for our security organization?

"The vision thing," as the first President Bush once termed it, is hugely important in selecting a CSO. The company's executives will have their own vision of what a CSO should be and what he should be able to do for the company, and they'll expect you to have one too. They want to know that you have experience with their particular security issues, that you can craft a plan for where security should be in their enterprise—and how you are going to get it there. "In my case, I had a very complete job description written for them and had brainstormed what I thought a CSO should be able to provide them," says Robert Champion, CSO of WGL Holdings, which owns Washington Gas. CSO candidates should try to learn as much as possible about the company and position, and be prepared to discuss ideas and strategies that match an employer's goals.

Security Interview Question 2: How will you fit in with our corporate culture?

The CSO's role at IBM or GE and that same position at Google or Yahoo are worlds apart. Every company that you interview with wants to know whether you can work comfortably with its corporate personality. Before your interview, talk to employees and, if possible, walk the halls. Is this a straitlaced crew, or will you need reserves of flexibility in order to fit in?

When Champion took a walk through the facility after his interview, he compared what he saw with what he had heard during his conversations with executives. "I was able to get a sense of the level of energy, the diversity picture and the material condition of the facilities," he says. "A little attention to detail will also tell you about the security culture. Do people wear their IDs? Are doors propped open? Do strangers get challenged? Can unattended PCs be accessed?" The answers will help you make a career judgment.

Security Interview Question 3: Do you work well with others?

Hopefully the answer is "Yes!" During the interview process, it's likely that you'll meet with a variety of line-of-business executives from HR, legal, finance, IT and so on. Each will want to assess whether you are going to be a partner or a stumbling block to his goals. They're not looking for a pushover (hopefully), but if the company is a collaborative environment, they want to know that you can play in that sandbox. Have examples ready of projects where you have successfully partnered in the past. And talk to these folks about their responsibilities and security concerns in their own language rather than using technical jargon. "They don't have experience in information security, and these executives are tired of talking to security people that can't talk in business terms," says Sharon O'Bryan, former CISO at ABN Amro and now president of O'Bryan Advisory Services.

O'Bryan also suggests that candidates underscore their business fluency by asking non-IT executives questions about business operations during the interview, such as: What business transactions and processes are key profit generators? How has the company used technology risk management capabilities to reduce operational risk management costs?

Security Interview Question 4: What do you think about security convergence and its effect on our company?

Executives may not use the word convergence, but you can bet they have heard about or have thought about the movement that security is making toward being part of a larger risk management strategy. It is likely that they will try to suss out your perspective and experience in this area at some point during the interview. "You need to be prepared to discuss convergence, what the pros and cons are, and what your vision is for how to get there," says Champion.

Security Interview Question 5: How do you sell security to other executives?

Good sales and leadership skills are critically important. After all, what good is all that vision and experience if you can't persuade others to your way of thinking? Veteran security executive Pamela Fusco, an adviser to the Information Systems Security Association, has often been asked to make a sales pitch for a particular business case during an interview. "Executive management needs to know that you can talk at multiple levels and build a business case," says Fusco.

Security Interview Question 6: How do you sell security to the company at large?

Influencing the average employee also comes with the job, and it's often the greatest challenge for security executives. "You have to demonstrate that you can make people change even when they don't want to," says Robert Garigue, vice president for information integrity and chief security executive for Bell Canada. Candidates should go into an interview with examples of situations in which they were able to change ingrained behaviors and long-established processes to accomplish a security goal.

Security Interview Question 7: Why are you leaving your current job?

This is a question where CSO candidates can sabotage themselves by going negative. It's important to be honest but to also stay positive. Perhaps you are looking for greater opportunities for development, a new career challenge or to launch into a different industry or type of company. Don't use the interview to vent about the inadequacies of your current job.

"I've witnessed a lot of senior security position interviews where the individual was crying over spilled milk," says Kevin Lampeter, chief security and fraud officer with a global financial services firm. "If the conversation is about what everyone did to make their job harder, that tells me that they didn't take ownership. That reflects on a candidate's ability to be collaborative and their interpersonal skills." Airing dirty laundry is also poor judgment, says Lampeter. If a candidate is speaking poorly of his current employer, chances are good he'll do the same thing to the next one.

Security Interview Question 8: Are you willing to be accountable for security?

This question digs into your knowledge about government regulations that apply to the prospective employer. A candidate needs to be conversant with any regulations that affect the company he's interviewing with, and must show he can integrate business requirements into an overall security program and organization. "They take for granted that you understand all the baseline physical and IT security stuff," says Champion. "They want to know: [Do] you understand their compliance environment and Sarbanes-Oxley? Can you interpret aSAS 70 report from an IT vendor? How will you keep them out of hot water with regulators, auditors and shareholders?"

Security Interview Question 9: Are you a risk-taker?

Security executives are often walking a fine line when they talk about risk with business owners. Business leaders want a CSO who is a risk-taker because they want to do more, do it faster, and they don't want a security executive who constantly says no. In the interview you have to demonstrate that you have a balanced approach to risk and that you are willing to explore ways that the company can take on more risk if that's what it wants to do. "We've all got great examples about how we said no," says Garigue. "What we need are examples of how we said 'yes, take the risk,' but in a controlled way."

Security Interview Question 10: What does this role mean to you?

Once you've gotten through some of the more technical and strategic questions, it's likely that at least one interviewer will throw you an open-ended question like this one. This is your chance to talk about what makes you unique. When Baird was asked this question at United Rentals, it was a welcome opportunity to lay out his perspective. "I explained what I could bring to the table, how I would fit in, and I was candid about the type of organization that I wanted to build. It was a chance to then turn the question back to them and ask if that was the kind of security organization they wanted in their company," he says.

One final thought: CSOs are still the new kids on the block. So don't get hung up on giving the "right" answer or projecting yourself as a traditional CSO, because there is no such thing. "Remember," says Garigue, "the different organizations, problems and laws that you have had to work with have evolved you into the person you are today."

5 Additional Tough Security Interview Questions, Tips On Answering Them

At first glance, Eric Cowperthwaite, Chief Security Officer at Providence Health and Services in Renton, Washington, doesn't care how excellent a job candidate's credentials and experience look on paper. He wants to see how much of an impression they make on his team.

"It doesn't matter how much I like you or how impressed I am by your skills. Show up and rub the team the wrong way, that's the end of the line."

That's is why when Cowperthwaite is vetting candidates for the security department at Providence, a not-for-profit Catholic health care services organization, he has every one of them meet with the team they will be working with BEFORE they get to sit down with him. He believes their impression is what matters most.

"It costs a lot in terms of team dynamics and effort and work that goes undone if you bring someone in that doesn't fit," said Cowperthwaite. "If someone doesn't fit, you have to start all over again in six months and hire someone else."

That said, if a perspective job candidate does get in front of Cowperthwaite, it is fair to say they have proven themselves to a large extent already. But he still has three important questions he wants to ask.

Security Interview Question 11: How do you collaborate?

Cowperthwaite asks this to gauge a candidate's attitude. Are they easy to get along with? Or do they use an "I'm in charge" attitude when collaborating with other team members, as well as people outside of security?

"It's a pretty open ended question," said Cowperthwaite. "I want to know: how do they build teams? What is their approach to working with others? Probably the most common thing I run into is folks whose approach to collaboration is to try to force teamwork from a position of assumed authority. They show up and say 'I'm from security and we are running a security project and I need you to do X, Y, and Z.'"

This kind of answer rubs Cowperthwaite the wrong way. That is not how he wants his team to collaborate with others. Instead, he'd rather hear that the candidate has a skill in team building that gives them a less abrasive edge when approaching others.

"The better answer is: 'I sit down with them and explain what my needs are and ask if they can help.' That's a far better answer."

Security Interview Question 12: Why do you want this job?

"Whether they are employed or unemployed, I'm curious," said Cowperthwaite. "While I happen to think working in my organization is a great thing, I'm curious what attracts them to the job."

For obvious reasons, Cowperthwaite said this can help weed out the frequent job jumpers simply looking for a short term opportunity to advance their resume credentials.

"I like the idea of people who are committed to doing great security work and being part of a team and contributing to my corporate mission and culture," he noted.

He's also received many bizarre answers.

"I had one candidate tell me they were applying for the job because it would solve their commute and toll problems. Call me crazy, but those don't seem like reasons why I should hire you. At no point did they tell me they were excited to be part of my team and to do great information-security work."

Security Interview Question 13: What questions do you have for me?

Cowperthwaite likes this other open-ended question because it also offers him a lot of insight into the job-seeker's motivations for wanting the job.

"If you're wanting to know about pay, benefits and promotions, that's' a red flag. I'm not the guy to ask those questions. I'm the guy to ask about the mission of the security department. How do we go about accomplishment? What are the opportunities to learn within the company? I want to hear: 'What do you envision my role to be and how I can contribute to the mission of this company?' Those are all questions I like to hear."

Cowperthwaite also noted the way the interviewee asks the questions gives him some further idea on how they might work.

"Someone who is looking for independence and broad boundaries when they ask these questions also tend to be people who are very motivated, commitment and strategic contributors."

Top-level hiring

Daniel Kennedy, Research Director for Information Security and Networking at TheInfoPro, a division of 451 Research, previously interviewed perspective security job candidates as Global Head of Information Security for D.B. Zwirn & Co., as well as when he was Vice President of Application Security and Development Manager at Pershing LLC, a division of the Bank of New York. Kennedy's style of questioning is a bit more pointed than Cowperthwaite's, and also more appropriate for hiring at the top level; for executive positions such as CSO and CISO. He offered these two favorite questions.

Security Interview Question 14: How will you earn and keep your seat at the table with other senior executives?

Kennedy said he likes to ask this question because it tells the interviewer about the prospective security manager's ability to remain relevant within an organization.

"Too often the CISO is buried in the company's organizational structure, in too junior a role, an acknowledgment that as a company 'we need a CISO' to keep up appearances, but not exactly a vote of confidence in the CISO's ability to make an impact on the corporate DNA to improve security."

While he notes there is no one right answer to this question, there are a number of wrong answers that reveal the interviewee has no strategic plan, or experience talking to senior managers.

"The CISO position is a strategic one, there is a strong technical component but a CISO must be able to communicate an ongoing vision for security within a company early and often. It isn't easy; it means getting invited to the right steering meetings, maintaining the confidence of fellow senior managers, and speaking in a language that informs those without a security background without overwhelming."

Security Interview Question 15: What are ways you've prioritized and shepherded information security projects through your previous organization?

Another Kennedy favorite. He said it gives him a perspective on a candidate's record of success in past positions.

"The fact is most large companies have a lot of moving parts that must be accessed to get anything done, and a CISO must be an effective project manager, able to tap into and motivate resources they don't always organizationally 'own,'" he said.

"If someone responds that their job was only to recommend a course of action or to write policies without follow-through, I view that as a possible warning sign of someone who isn't "looking to make a difference" in the corporate culture, but would rather work on their own and isn't particularly concerned with the actual posture of security at their company as long as they remain employed and are asked what they think now and then. On the other hand, responses that talk about developing requirements with business units, presenting potential cost savings to project steering committees, or working closely with Compliance/Audit to resolve security deficiencies indicates some level of experience in working through the political landscapes of large organizations."

Culled from: