Sunday, October 9, 2016

Acing the InfoSec Interview



When you finally land that interview for the perfect job, chances are you will want to prepare before the big day.  You will get interview questions designed to find out about your past experience.  These may be fact-checking and aptitude questions, or they might be Situation, Action, Result (SAR) type questions.  When the interviewer's questions are done it will be your turn to ask a couple, and that is another way you can stand out in the interview.

Fact Checking Questions

This first type of question is used to assess your past experience and the skills relevant to this particular job.  These might be very specific, such as "have you ever used the XYZ vulnerability scanner in your past roles?" or "how many assessments would you perform per year?"  For these specific questions it can be difficult to judge whether more is wanted, so the best approach is to answer the question and expand a little on your role, for example how you used the specific tool or what influenced the number of assessments you did.  Keep an eye on the interviewer's body language to see if the short answer was sufficient or if they wish you to discuss further.  If you are not sure, it doesn't hurt to ask - "would you like me to tell you more about my specific duties as they relate to tool XYZ?"

Behavioural Questions - Situation, Action, Result 

Another type of interview question is sometimes referred to as "SAR" - situation, action and result.  Let's look at how this works:  The hiring manager asks the interviewee to describe a specific experience and its outcome.  For example:  "Tell me about a time when you had to deliver a failing security report to a client.  What did you do and what was the outcome?"  This is a typical SAR type question, and hopefully you have done your homework before the interview and have an answer already formulated!  Let's work through this example to see how you could answer in an information security interview:

  • Situation:  Set the scene for your chosen example:  "Working for customer ABC (who will remain anonymous), I performed a penetration test over the course of 10 days.  On the first day I found several critical vulnerabilities which I needed to communicate to the customer right away, and by the end of testing there were more findings than I could list in the time allocated for reporting."
  • Action:  What did you do in this case?   "I communicated the critical findings right away, as is customary for these types of engagements and as written in the SOW (Statement of Work).  As far as the failing security report goes, I summarized the findings into categories and created a report that stated the facts and included the proof-of-concept screenshots.  Because there were so many findings, I focused on the critical and high findings, then provided a listing of the mediums with less detail."
  • Result:  What was the outcome?  Was it a successful outcome?  "The customer was obviously very unhappy that the report had so many findings, and it was probably a bit of a wake-up call.  I was very supportive, walked through each of the findings with the customer and answered their questions to support my findings.  We were able to sell retesting services to verify the remediation."
Here are some information security specific interview questions that can be answered using the SAR approach:
  1. Did you ever have to explain an information security topic to someone who is not in the security field?   While this is asked as a yes/no question, reframe it to describe a scenario where you worked with a non-expert: what did you do and what was the outcome?
  2. Tell me about a time when you had to take over a security testing procedure and there were no written standard operating procedures in place.
  3. Have you ever had to respond to a security incident when you were on call?  What was the incident and what was the outcome?  Note, you should be careful not to give away too many details - it is okay to talk in generalities without giving away the specifics of the employer and their environment. 
  4. Security is often seen as an inhibitor of business being able to get projects done.  Tell me about a time when your client thought that you were impeding progress.  How did you handle it and what was the outcome?
  5. Did you ever work as a security consultant as part of a cross-functional project team?  What was your role and were you successful in the role?
There are many interview question banks online, and it is worth working through these questions with someone who can help you practice your interview skills.  Here is one example of a question bank:  https://careerservices.wayne.edu/behavioralinterviewinfo.pdf  While some of these questions are not security specific, by preparing your responses you will begin to find them formulaic to answer, and it will be easier to answer SAR questions in interviews even if they are not ones you had prepared.

Human Resource Questions

Of course, you will get questions that are more typical human resource questions.  Don't underestimate the importance of these questions, which are designed to see if you are a good fit with the culture of the organization.  One question that candidates bomb time after time is:  "Tell me about when you received negative feedback - what was it for and what did you do to improve?"  This may also be asked as simply "Tell me something about yourself where you need to improve."  The interviewer asks this question to assess your emotional IQ, that is, how well you really know yourself.  Everyone has faults, and people with high emotional IQ have no difficulty discussing their areas of weakness and the mechanisms they use to keep themselves in check. Here's an example of how one person might answer this question.
  • "I am, at times, excitable or passionate at work, which can be off-putting or can overwhelm other people.  So to cope with this, I keep my caffeine intake in check, and am especially cautious when attending meetings with senior management to remain calm so as to not overwhelm them with information or talk too much."
Remember, no one is expecting you to be perfect, just honest.

Final Words of Wisdom

You will get a chance to ask questions at the end of the interview.  This is the time that you can really show that you have done your homework.  It is important to ask questions that are specific to the company and to recent stories in the news - for example new initiatives or partnerships that might have been published on the newswire.  I recommend leaving questions about work days, working from home, number of vacation days and the benefit package until you have an offer (most of these can be negotiated), or you may ask the human resources contact who arranged the interview.  Similarly, questions about training programs, and whether the employer pays for certifications, can wait until you are near an offer; then you can have a call to confirm whether this is part of the overall benefit package. My favorite question, which you can always ask at the end of the interview, is "What keeps you up at night?"

Be careful not to expose your previous employer's sensitive information!  You may be talking about your last employer, but in your interviewer's head they hear you talking about their company in the same way.  Will you be slagging them off too in a couple of years?  Be careful not to say anything disrespectful about your previous place of employment, your boss, or your colleagues there.  Security is a small world, and you will find colleagues there that you will know and work with for years to come.

As we continue to hear of the skills shortage in information security, you may find yourself at the interview table, either to start your new career or to make a change in this highly fluid and dynamic environment.  Many of the interview skills you will need can be practiced and mastered with sufficient preparation.  So grab a buddy (or a video camera) and a notebook and begin practicing your interview questions and responses.  Prepare now to score your next great opportunity!

Do you have sample questions for InfoSec interviews?  Share them in the comments section below.

2 comments:

  1. I corrected the comic to show "500 million" accounts - yikes!
  2. Thanks Ann-Marie, good stuff to think about.