jmporup
Senior Writer

6 questions candidates should ask at every security job interview

Feature
Sep 18, 2019 | 7 mins
Careers, IT Skills, Security

Flip the tables and ask these questions to avoid toxic security culture.


“Off with their heads!” the Red Queen cried in Alice in Wonderland, but you could be forgiven for thinking that’s how some enterprises treat security folk after a data breach.

Risk management reduces risk but does not eliminate it. Smart enterprises don’t scapegoat their security leaders. Hiring a CSO or CISO so there’s a head to roll when the inevitable happens is a sign of a toxic work environment, and a place to avoid.

Security folk aren’t blameless, either. The “security jerk” culture is beginning to fade but is still common. A culture of “no” where security folk exist to make everyone else’s life difficult is not a great work environment, either — especially considering the shadow IT problem that’s going to come back to bite you.

Given the extreme cybersecurity skills shortage, security pros can be picky about where they work. So how do you suss out work environments to avoid? Here are some interview questions to ask potential employers.

1. Tell me about a time when the CEO had security’s back

Security culture begins at the top. If the CEO does not understand and support smart security within the organization, you’ll be fighting a losing battle in an environment with misplaced incentives. How much does the CEO know about security? You can read up on their background on the organization’s website, of course, but you really want to know if security is a board-level priority or not.

“Make sure to understand the leadership team and board’s vision, interest and commitment to security,” Kelly Doyle, managing director at Heller Search Associates, an executive search firm specializing in CISOs, CIOs and other IT leaders, tells CSO. “You want to hear that security is a priority at the top. That will help the message cascade down.”

If you are interviewing for a CISO-level position, “Make sure your interviews include members of the C-suite leadership team,” she adds, “and maybe even a board member, so you get to hear their views and concerns around security. If they want to be educated, are committed to a strong security culture, and understand that in today’s world it is a board level concern, then it may be the right role for you.”

2. How does the organization deal with security failure?

Bad things happen. How does the organization deal with security failure? Firing people for making honest mistakes is almost never the right answer. Avoid companies that fire people who fall for phishing emails. How to find this out? You might ask, “An employee gets phished, and the company loses $5 million. How does the company respond?”

Avoid questions that can be answered with a yes or a no. Enterprises will try to spin you. The bigger the lie they have to invent, the easier it will be for you to spot.

Another way to get at the same issue would be to ask, “Tell me about a time when management became aware of a serious security incident. How did management respond?”

Don’t expect an interviewer to share confidential details with you — that alone could be a red flag — but they should be able to speak in general terms about how the organization responds to inevitable security failures.

3. Why is this position open?

Did the last person get the Red Queen treatment? Why did they leave? Is the position new? Teasing out the why behind the hiring can give you a glimpse into what your future might look like if you take the job.

“If it’s a replacement then ask tactfully how that person did, what they did well and what the organization wants to see the new person do,” Alka Bhargava, a senior manager at Deloitte’s Cyber Risk consulting practice, tells CSO.

Security roles often remain open for many months because of the skills shortage, and it’s common for good employees to jump from company to company collecting large pay raises with each leap. High churn rates or long vacancies don’t necessarily mean the organization is a toxic place to work. Still, asking how long security employees tend to stick around can tell you a lot about the work environment.

4. Is there a business culture of “move fast and break things”?

Security exists to enable the business, not hinder it. Without a profitable and successful business, there is nothing to secure.

However, there’s a risk of racing so far ahead in pursuit of profit that you leave your flanks wide open to attack. Is there a culture of “move fast and break things,” or one of “move at a medium pace and fix things when they break”?

One way to determine this is to ask indirectly. “How much time do we spend on maintenance versus building new things?” Bryson Bort, founder and CEO of Scythe, suggested to CSO on Twitter.

The more time spent on building new things, and the less on maintenance, the less the organization likely prioritizes security. That’s not necessarily a bad thing, but it could indicate an immature security posture and a management team unprepared for when a crisis inevitably hits.

5. Does the organization view security as the department of no?

We’ve inherited a legacy security culture of “no,” and an unpleasant attitude that often left the rest of the company gritting their teeth and fumbling to plug in their shadow IT. This “security jerk” culture is ultimately counterproductive to good security. Besides not being a security jerk yourself (hint, hint), learning how the rest of the organization views the security team can be eye-opening.

Ask, “Can you describe the security awareness program?” You want to know whether it’s a token fig leaf doled out once every six months as click-through slides that nobody reads or remembers, or whether ordinary employees are encouraged to take ownership and responsibility for the security of the organization.

Try to figure out what the existing sources of tension or frustration are. If you’re interviewing with a security hiring manager, you might try to get them onside by asking, “What’s the number one complaint you hear from your security team?”

If their answer is “those stupid users,” then maybe you don’t want to work there.

6. What’s the security budget?

Getting stuck in a security role where you are expected to be effective without adequate resources is enough to make anyone grind their teeth in frustration. Ask “What is the budget for this role?” Kelly tells CSO. “You want to ensure that there is a budget for security so you can be successful in your role and have the resources to prevent a breach. Is there budget to support the strategy and roadmap that you’ll be asked to present and then implement?”

How much budget is enough budget is relative to the organization and its threat model, of course. Another way to tease out budget constraints is to ask a security hiring manager, “What keeps you up at night?” or “What’s the biggest challenge you’ve experienced in the last 12 months?”

Good security practitioners are in short supply and high demand. If you’ve got multiple offers, that’s a great time to flip the tables on potential employers and ask them — politely — some of these questions to find out more about their security culture. Better to dodge a bullet than spend a year in a job you hate.

J.M. Porup got his start in security working as a Linux sysadmin in 2002. Since then he's covered national security and information security for a variety of publications, and now calls CSO Online home. He previously reported from Colombia for four years, where he wrote travel guidebooks to Latin America, and speaks Spanish fluently with a hilarious gringo-Colombian accent. He holds a Masters degree in Information and Cybersecurity (MICS) from UC Berkeley.