More often than not, every organization strives to put square pegs in square holes
when it recruits, in order to boost productivity. Even charity
organizations are not very charitable; they seldom compromise when it comes to
headhunting for the best candidate for a position. As we know, the interview process
is part of the mechanism through which an organization shortlists, prunes down
and inevitably hires suitable candidates to fill vacant positions. It follows
that every organization will hire you because of the value you will be bringing
to the table.
The onus is not just on knowing your onions but also on being
confident and knowing how to market yourself and convince a prospective
employer that you are cut out for the role. That is to say, it is a quid pro
quo. This essay aims to cite real-life scenarios, plausible security interview
questions a security professional should expect and how to answer them.
Prior to being interviewed for the job of Vice President of
Corporate Security for United Rentals in 2004, Stephen Baird did his homework
well. He reviewed the company's financial filings and the stability of its executive
suite of the company, and he networked with a few peers. But Baird also went a
step further than this. He visited a branch office of the company to see what
customers experience. "I learned how to rent a piece of equipment, and I
basically hung around watching and listening," he says. During the
interview, when the CFO asked how Baird saw security playing into revenue
generation, he had a ready answer. "I told him, 'I will never make
security a revenue generator, but it can contribute to cost savings and
increased efficiencies,'" he says. Baird then explained how he had watched
customers renting equipment and noticed that although they were offered the
option to buy insurance on the equipment, there were no security products
available onsite. He talked about products United could offer, like security
locks for Bobcats that cut down on damage and theft of rented equipment.
"The CFO [who would also be his new boss] just sat back and smiled,"
Baird recalls.
With the increased visibility and co-dependence of the Chief Security
Officer (CSO) role with other business functions, applicants for executive
security positions can expect a lot tougher job interview questions.
Preparation is paramount. We asked several security executives who went through
the interview process in recent years what were some of the most challenging
questions they had to answer. They shared their advice on crafting the right
kinds of answers and the lessons they learned from the interview and selection
process.
By the time a CSO has made it to the interview stage, the contents
of his resume should be largely moot. Usually both the candidate and company
have at least a rough idea of what the other is about. What they are looking
for at this stage and what many of the harder questions are getting at is a
sense of the unique skills and sensibilities the candidate will bring to the
job. They may not always state their questions explicitly, but these are the
areas that corporate executives will attempt to mine in an interview.
Security Interview Question 1: What is your vision for our security organization?
"The vision thing," as the first President Bush once
termed it, is hugely important in selecting a CSO. The company's executives
will have their own vision of what a CSO should be and what he should be able
to do for the company, and they'll expect you to have one too. They want to
know that you have experience with their particular security issues, that you
can craft a plan for where security should be in their enterprise—and how you
are going to get it there. "In my case, I had a very complete job description
written for them and had brainstormed what I thought a CSO should be able to
provide them," says Robert Champion, CSO of WGL Holdings, which owns
Washington Gas. CSO candidates should try to learn as much as possible about
the company and position, and be prepared to discuss ideas
and strategies that match an employer's goals.
Security Interview Question 2: How will you fit in with our corporate culture?
The CSO's role at IBM or GE and that same position at Google or
Yahoo are worlds apart. Every company that you interview with wants to know
whether you can work comfortably with its corporate personality. Before your
interview, talk to employees and, if possible, walk the halls. Is this a
straitlaced crew, or will you need reserves of flexibility in order to fit in?
When Champion took a walk through the facility after his
interview, he compared what he saw with what he had heard during his
conversations with executives. "I was able to get a sense of the level of
energy, the diversity picture and the material condition of the
facilities," he says. "A little attention to detail will also tell
you about the security culture. Do people wear their IDs? Are doors propped
open? Do strangers get challenged? Can unattended PCs be accessed?" The
answers will help you make a career judgment.
Security Interview Question 3: Do you work well with others?
Hopefully the answer is "Yes!" During the interview
process, it's likely that you'll meet with a variety of line-of-business
executives from HR, legal, finance, IT and so on. Each will want to assess
whether you are going to be a partner or a stumbling block to his goals.
They're not looking for a pushover (hopefully), but if the company is a
collaborative environment, they want to know that you can play in that sandbox.
Have examples ready of projects where you have successfully partnered in the
past. And talk to these folks about their responsibilities and security
concerns in their own language rather than using technical jargon. "They
don't have experience in information security, and these executives are tired
of talking to security people that can't talk in business terms," says
Sharon O'Bryan, former CISO at ABN Amro and now president of O'Bryan Advisory
Services.
O'Bryan also suggests that candidates underscore their business
fluency by asking non-IT executives questions about business operations during
the interview, such as: What business transactions and processes are key profit
generators? How has the company used technology risk management capabilities to
reduce operational risk management costs?
Security Interview Question 4: What do you think about security convergence and its effect on our company?
Executives may not use the word convergence, but you can bet they
have heard about or have thought about the movement that security is making
toward being part of a larger risk management strategy. It is likely that they
will try to suss out your perspective and experience in this area at some point
during the interview. "You need to be prepared to discuss convergence,
what the pros and cons are, and what your vision is for how to get there,"
says Champion.
Security Interview Question 5: How do you sell security to other executives?
Good sales and leadership skills are critically important. After
all, what good is all that vision and experience if you can't persuade others
to your way of thinking? Veteran security executive Pamela Fusco, an adviser to
the Information Systems Security Association, has often been asked to make a
sales pitch for a particular business case during an interview. "Executive
management needs to know that you can talk at multiple levels and build a
business case," says Fusco.
Security Interview Question 6: How do you sell security to the company at large?
Influencing the average employee also comes with the job, and it's
often the greatest challenge for security executives. "You have to
demonstrate that you can make people change even when they don't want to,"
says Robert Garigue, vice president for information integrity and chief security
executive for Bell Canada. Candidates should go into an interview with examples
of situations in which they were able to change ingrained behaviors and
long-established processes to accomplish a security goal.
Security Interview Question 7: Why are you leaving your current job?
This is a question where CSO candidates can sabotage themselves by
going negative. It's important to be honest but to also stay positive. Perhaps
you are looking for greater opportunities for development, a new career challenge
or to launch into a different industry or type of company. Don't use the
interview to vent about the inadequacies of your current job.
"I've witnessed a lot of senior security position interviews
where the individual was crying over spilled milk," says Kevin Lampeter,
chief security and fraud officer with a global financial services firm.
"If the conversation is about what everyone did to make their job harder,
that tells me that they didn't take ownership. That reflects on a candidate's
ability to be collaborative and their interpersonal skills." Airing dirty
laundry is also poor judgment, says Lampeter. If a candidate is speaking poorly
of his current employer, chances are good he'll do the same thing to the next
one.
Security Interview Question 8: Are you willing to be accountable for security?
This question digs into your knowledge about government
regulations that apply to the prospective employer. A candidate needs to be
conversant with any regulations that affect the company he's interviewing with,
and must show he can integrate business requirements into an overall security
program and organization. "They take for granted that you understand all
the baseline physical and IT security stuff," says Champion.
"They want to know: [Do] you understand their compliance environment
and Sarbanes-Oxley? Can you interpret a SAS 70 report from an IT
vendor? How will you keep them out of hot water with regulators, auditors and
shareholders?"
Security Interview Question 9: Are you a risk-taker?
Security executives are often walking a fine line when they talk
about risk with business owners. Business leaders want a CSO who is a
risk-taker because they want to do more, do it faster, and they don't want a
security executive who constantly says no. In the interview you have to
demonstrate that you have a balanced approach to risk and that you are willing
to explore ways that the company can take on more risk if that's what it wants
to do. "We've all got great examples about how we said no," says
Garigue. "What we need are examples of how we said 'yes, take the risk,'
but in a controlled way."
Security Interview Question 10: What does this role mean to you?
Once you've gotten through some of the more technical and
strategic questions, it's likely that at least one interviewer will throw you
an open-ended question like this one. This is your chance to talk about what
makes you unique. When Baird was asked this question at United Rentals, it was
a welcome opportunity to lay out his perspective. "I explained what I
could bring to the table, how I would fit in, and I was candid about the type
of organization that I wanted to build. It was a chance to then turn the
question back to them and ask if that was the kind of security organization
they wanted in their company," he says.
One final thought: CSOs are still the new kids on the block. So
don't get hung up on giving the "right" answer or projecting yourself
as a traditional CSO, because there is no such thing. "Remember,"
says Garigue, "the different organizations, problems and laws that you
have had to work with have evolved you into the person you are today."
5 Additional Tough Security Interview Questions, Tips On Answering Them
At first glance, Eric Cowperthwaite, Chief Security Officer
at Providence Health and Services in Renton, Washington, doesn't care how
excellent a job candidate's credentials and experience look on paper. He wants
to see how much of an impression they make on his team.
"It doesn't matter how much I like you or how impressed I am
by your skills. Show up and rub the team the wrong way, that's the end of the
line."
That's why when Cowperthwaite is vetting candidates for
the security department at Providence, a not-for-profit Catholic health care
services organization, he has every one of them meet with the team they will be
working with BEFORE they get to sit down with him. He believes their impression
is what matters most.
"It costs a lot in terms of team dynamics and effort and work
that goes undone if you bring someone in that doesn't fit," said Cowperthwaite.
"If someone doesn't fit, you have to start all over again in six months
and hire someone else."
That said, if a prospective job candidate does get in front of
Cowperthwaite, it is fair to say they have proven themselves to a large extent
already. But he still has three important questions he wants to ask.
Security Interview Question 11: How do you collaborate?
Cowperthwaite asks this to gauge a candidate's attitude. Are they
easy to get along with? Or do they use an "I'm in charge" attitude
when collaborating with other team members, as well as people outside of
security?
"It's a pretty open-ended question," said Cowperthwaite.
"I want to know: how do they build teams? What is their approach to
working with others? Probably the most common thing I run into is folks
whose approach to collaboration is to try to force teamwork from a
position of assumed authority. They show up and say 'I'm from security and we
are running a security project and I need you to do X, Y, and Z.'"
This kind of answer rubs Cowperthwaite the wrong way. That is not
how he wants his team to collaborate with others. Instead, he'd rather hear
that the candidate has a skill in team building that gives them a less abrasive
edge when approaching others.
"The better answer is: 'I sit down with them and explain what
my needs are and ask if they can help.' That's a far better answer."
Security Interview Question 12: Why do you want this job?
"Whether they are employed or unemployed, I'm curious,"
said Cowperthwaite. "While I happen to think working in my organization is
a great thing, I'm curious what attracts them to the job."
For obvious reasons, Cowperthwaite said this can help weed out the
frequent job-jumpers simply looking for a short-term opportunity to pad
their resume credentials.
"I like the idea of people who are committed to doing great
security work and being part of a team and contributing to my corporate mission
and culture," he noted.
He's also received many bizarre answers.
"I had one candidate tell me they were applying for the job
because it would solve their commute and toll problems. Call me crazy, but
those don't seem like reasons why I should hire you. At no point did they tell
me they were excited to be part of my team and to do great information-security
work."
Security Interview Question 13: What questions do you have for me?
Cowperthwaite likes this other open-ended question because it also
offers him a lot of insight into the job-seeker's motivations for wanting the
job.
"If you're wanting to know about pay, benefits and
promotions, that's a red flag. I'm not the guy to ask those questions. I'm the
guy to ask about the mission of the security department. How do we go about
accomplishment? What are the opportunities to learn within the company? I want
to hear: 'What do you envision my role to be and how I can contribute to the
mission of this company?' Those are all questions I like to hear."
Cowperthwaite also noted that the way the interviewee asks the
questions gives him some further idea of how they might work.
"Someone who is looking for independence and broad boundaries
when they ask these questions also tends to be a person who is very motivated,
committed and a strategic contributor."
Top-level hiring
Daniel Kennedy, Research Director for Information Security and
Networking at TheInfoPro, a division of 451 Research, previously interviewed
prospective security job candidates as Global Head of Information Security for
D.B. Zwirn & Co., as well as when he was Vice President of Application
Security and Development Manager at Pershing LLC, a division of the Bank of New
York. Kennedy's style of questioning is a bit more pointed than
Cowperthwaite's, and also more appropriate for hiring at the top level, for
executive positions such as CSO and CISO. He offered these two favorite
questions.
Security Interview Question 14: How will you earn and keep your seat at the table with other senior executives?
Kennedy said he likes to ask this question because it tells the
interviewer about the prospective security manager's ability to remain relevant
within an organization.
"Too often the CISO is buried in the company's organizational
structure, in too junior a role, an acknowledgment that as a company 'we need a
CISO' to keep up appearances, but not exactly a vote of confidence in the
CISO's ability to make an impact on the corporate DNA to improve
security."
While he notes there is no one right answer to this question,
there are a number of wrong answers that reveal the interviewee has no
strategic plan or experience talking to senior managers.
"The CISO position is a strategic one; there is a strong
technical component, but a CISO must be able to communicate an ongoing vision
for security within a company early and often. It isn't easy; it means getting
invited to the right steering meetings, maintaining the confidence of fellow
senior managers, and speaking in a language that informs those without a
security background without overwhelming."
Security Interview Question 15: What are ways you've prioritized and shepherded information security projects through your previous organization?
Another Kennedy favorite. He said it gives him a perspective on a candidate's
record of success in past positions.
"The fact is most large companies have a lot of moving parts
that must be accessed to get anything done, and a CISO must be an effective
project manager, able to tap into and motivate resources they don't always
organizationally 'own,'" he said.
"If someone responds that their job was only to recommend a
course of action or to write policies without follow-through, I view that as a
possible warning sign of someone who isn't 'looking to make a
difference' in the corporate culture, but would rather work on their own
and isn't particularly concerned with the actual posture of security at their
company as long as they remain employed and are asked what they think now and
then. On the other hand, responses that talk about developing requirements with
business units, presenting potential cost savings to project steering
committees, or working closely with Compliance/Audit to resolve security
deficiencies indicate some level of experience in working through the political
landscapes of large organizations."
Culled from:
Thanks so very much for your contribution and the link.
Best regards