What Applicants Should Ask When Interviewing For An Information Security Role

By Ryan Farmer, SHL Group | Apr 21, 2014 02:40 am PST

If you have attended a number of job interviews in your time, you will doubtless be familiar with a kind of recurring nightmare. 'Kind of', because the experience unfolds in cruel reality and you are fully awake at the time. You reach the point in an interview when the tables are elegantly turned and you are expected to ask some questions.

The problem is that you have researched the company to death, and any questions you had have already been answered during the session, so repeating them would only make you look unprepared. For all the world, it feels like there is nothing left to say, but to ask nothing would seem impolite at the least.

When interviewing for an IT security role, this socially awkward situation is compounded by the nature of the role. You cannot be too probing or pushy, because some details of the organisation's security posture will rightly not be disclosed to an outsider, yet you still have to find ways to show your personality and your professional concerns at their best. It also pays not to be too technical in your questions, as this risks shutting out the non-technical managerial and HR people who may also be in attendance.

Bearing the above in mind, here are some sample questions you may want to hold in reserve for your next IT security job interview.

How committed are your employees to IT security best practice?

This demonstrates to the interview panel your awareness that a security policy is not worth the paper it is written on unless it is actually followed, as part of the daily routine of the hundreds (even thousands) of people it applies to. The question also hints that you would be keen to help drive up employee commitment to IT security during your time in the role.

What is your company’s policy on BYOD (Bring Your Own Device)?

This question conveys that you are up to date on current trends and have a real concern for their security implications. Meanwhile, the answer will help you gauge the company's flexibility and openness, and whether it has actually thought through how personal devices reach corporate data rather than simply tolerating them.

Have you had a penetration test done and what did the business learn from it?

This sends the message that you are serious about your profession and know what is genuinely effective. A pen test is a bit like having a tooth extracted: it can really hurt, but it is essential and should not be shirked by any business that is in earnest about its cyber security strategy. The second half of the question matters as much as the first; a test whose findings were never remediated has taught the business little, and the answer will tell you whether testing is treated as a learning exercise or as a compliance checkbox.

Do you have any business continuity and/or disaster planning in place?

This conveys that you are a realist and keen to think about the long term. You accept that 100 per cent security is not achievable, but with planning in place the worst effects of a breach or outage can be contained and recovered from in an orderly way rather than improvised under pressure.

What are, in your views, the main IT security challenges this organisation faces?

This again suggests that you are forward-looking and, on your side of the table, will help you get the measure of the company. The answer will show you how aware the company is of current hot topics, such as industrial espionage and the growing threat to mobile devices, and whether it has a realistic view of its own exposure.

How does this company have fun?

This is something of a parting shot, but it also shows that you are not all about work and have an approachable human side. Whilst taking part in corporate fun days is not everyone's cup of tea, the interview is not the time to reveal that you are always in the kitchen at parties.

About Ryan Farmer

Ryan Farmer has worked at Acumin for the past five and a half years as a Senior Consultant and now a Senior Resourcer. With a strong understanding of the InfoSecurity industry and the latest market developments, Ryan sources leading information security candidates for some of the world's largest end user security teams, start-up security vendors and global consultancies. Ryan is heavily involved in the Risk and Network Threat forum, has a keen interest in Mobile Security and is an active blogger and InfoSec writer.