This article can also be found in the Premium Editorial Download "Information Security magazine: Exclusive: Security salary and careers guide."
How to Answer the Tough Questions
Your heart is pounding as the interviewer pelts you with questions and hypothetical conundrums. We asked security pros what was the best and toughest interview question they've ever answered.
Read on to prepare yourself before your next big interview.
What accomplishments are you most proud of, both in business and personally, and why?
Suzanne Hall, director of IT operations for AARP, suggests that all interviewees be ready. "Sometimes people just aren't prepared when you ask this question, which surprises me," she says.
How well do you think you'll fit in with this company?
James Christiansen, CISO of Experian, warns not to let a question of culture knock you sideways. He says that the toughest question is one where "the answer to the question is directly related to the culture of the company, which you don't yet know."
Please give an example of a project that did not go as well as expected.
Says LJ Johnson, CISO of Nike, "People think it's a trick question when they're asked about failures, but what you want to know is what they learned from the experience."
Will you be willing to travel?
"Who wants to be away from the family?" says Don Ainslie, global security officer for Deloitte & Touche. "[Travel] is a balancing act I struggle with." Know the answer before you go in to help make the decision easier.
Why do you want to work for this company?
Rebecca Norlander, general manager of Microsoft's Security Technology Unit, recalls the epiphany she had when asked this question: "I realized that, actually, I didn't.... Start by being true to yourself. Don't compromise your own moral compass--you have to live with yourself your whole life."
Why are you the best person for the job?
"There are many qualified and great people that come to the table for roles in security and business at large," says Adrienne L. Hall, senior director of Microsoft's Trustworthy Computing. "You need to be clear on what you bring to the position that no one else does."
How can you help this organization?
Debby Fry Wilson, director of security engineering and communications for Microsoft's Security Technology Unit, suggests that you do your homework. "A candidate who is well prepared and genuinely seems to understand the challenges of my organization and can articulate how he or she will help advance our strategy is ideal."
--Compiled by Amber Plante from interviews by Michael S. Mimoso, Marcia Savage & Anne Saita
In my experience, I have collected some of the requirements that are associated with all senior information security positions:
Vision: When a company is looking for an information security leader, it is often doing so for the first time, and management wants someone who can lay out the corporate blueprint for all its future security plans. A clear plan for the role the information security team should play in relation to the company's core business practices is key. In most cases, companies will search for someone who has successfully implemented such a vision at another company, or who has witnessed the successful implementation of a security program at a company within the same industry.
Range of information security knowledge: It may sound obvious, but companies look to their information security leader for the answers to all of their information security-related problems. Whether the issues are technical, personnel, procedural or regulatory, the CISO is expected to address every one of these angles. Businesses want people who have built an excellent foundation within the information security industry and who have demonstrated the ability to solve information security-related problems. In addition, when organizations hire a CISO, they are typically searching for someone who can address the issues currently facing the organization and can see future ones before they cause problems.
Communication: Communication is not only the hardest skill to measure, but also the most critical to have. CISOs serve many different constituencies within an organization, and they are asked to communicate at different levels and to people with different degrees of technical skill; they have to effectively express ideas up and down the management chain. Successful CISOs are those who've earned the respect of the people leading the technical functions and can translate the advantages of security controls to business unit leaders.
During the interview process, it is common for a potential CISO to be interviewed by a number of people representing different functions within the organization. In these meetings, it is essential that the candidate build consensus and establish a genuine sense of collaboration. If this interaction is successful, it serves as a solid predictor of the CISO's ability to understand the complex needs of all constituents.
This was first published in July 2006