Many times, this information can be determined by researching information security issues within the potential employer's industry. Retailers may be concerned with the PCI Data Security Standard, for example, while a health care organization will have to focus on HIPAA and securing medical records, and a technology company may require particular knowledge in secure software development. It is also a good idea to read recent news articles about the company or even its annual report to investors to pick up any current events that emphasize information security-related issues. Even corporate marketing brochures can be useful in determining how security is used as a selling point.
Use the job description as a guide, but do not treat it as gospel. One of the most common requests from candidates prior to an information security job interview is to receive a copy of the job description. Job descriptions are good at providing guidelines, but they often fail to communicate the true essence of what the employer is searching for. There are many reasons why relying on an information security job description as a sole source of preparation is a big mistake.
First of all, it's rarely clear who wrote the job description. Many times, job descriptions are outlined by hiring managers but written by human resources. As in many communication processes, certain items get "lost in translation." The result is that the information in the job description is sometimes misleading and will cause a candidate to emphasize information security skills that are less relevant to the interview team. In addition, reliance on the job description will often inadvertently narrow one's preparation, limiting it to only the information security topics mentioned. Since job descriptions often evolve over time, it is possible that the current job description may be outdated, and that the information security skills in demand have changed.
Finally, job descriptions commonly list the information security skills requirements, but they cannot prepare an interviewee for the company's culture. Often when candidates rely on job descriptions, their responses come across as scripted and robotic, and fail to demonstrate their passion. Passion is viewed as a requirement for most information security leadership positions.
Understand your audience. When interviewing for an information security leadership position, it is likely that the team conducting the interview will be composed of many different stakeholders. These interviewers are all looking for the interviewee to make their lives easier. Understanding how information security touches their specific areas of expertise, as well as how one's experience as an information security professional can help solve their specific problems, will be a determining factor in receiving their endorsement. It is important for a job candidate to learn as much as possible about the interviewers and their roles before interviewing.
Brush up on technical skills listed on your resume. At some point during your interview process, interviewers will seek to test your technical information security knowledge. Most likely, the interviewer will refer back to your resume and gear his or her technical questions to the skills that are listed. As a general rule, if it is on a resume, it is fair game. Prior to going on the information security job interview, make sure that you review your resume and are prepared to answer questions on these topics. It never hurts to whip out old technical manuals and study guides if necessary to get back up to speed on these topics.
Generally speaking, interviews are stressful situations. Properly preparing for an interview and following the advice listed above should help keep nerves calm and provide an extra sense of confidence. Displaying confidence enables one to better engage interviewers and leave them with a favorable impression, increasing the likelihood of landing that next great gig.
About the authors:
The columnists, Lee Kushner and Mike Murray, bring with them different perspectives on career-related topics. Together Lee and Mike have advised many information security professionals in various stages of their career development and are regular speakers at industry conferences on information security career-related topics. Their blog can be found at www.infosecleaders.com.
Lee Kushner is the President of LJ Kushner and Associates, an executive search firm that has been dedicated to the information security profession since 1999.
Mike Murray is an information security professional and career coach. Mike has held leadership positions in environments that include professional services, security product vendors, and corporate environments.
This was first published in September 2009