IT Security Interviews Exposed

Ben Rothke writes "Information security is a hot career area and is among the strongest fields within IT for growth and opportunity. With excellent long-term career prospects, increasing cybersecurity vulnerabilities and an increase in security & privacy regulations and legislation, the demand for security professionals is significant. Even with a bright future, that does not necessarily mean that a career in information security is right for everyone. What differentiates an excellent security professional from a mediocre one is their passion for the job. With that, IT Security Interviews Exposed is a mixed bag of a book. For those that are looking for an information security spot and have the requisite passion for the job, much of the information should already be known. For someone who lacks that passion and simply wants a security job, their lack of breadth will show and the information in the book likely won't be helpful, unless they have a photographic memory to remember all of the various data points." Read below for the rest of Ben's review.

IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job
author	Chris Butler
pages	218
publisher	Wiley
rating	8
reviewer	Ben Rothke
ISBN	0471779873
summary	Good review for a pro, but not for newbies.

If you find information security challenging and either want a job in the field or are looking for a better job in the field, the book will be quite valuable. But for those looking for a hot security job, their lackings will likely show through on in interview, even with the help of this book.

As to the actual content, chapter 1 provides a good overview of how to find, interview and get a security job. The chapter contains many bits of helpful information, especially to those whose job seeking skills are deficient. A good piece of advice the author's state is that one should never pay a fee for headhunting services. There are many people that call themselves recruiters, but are nothing more than fax servers who charge for the service. The burden to pay is always on the hiring firm, and a job seeker should be extremely suspicious of anyone requesting a fee to find them a position.

I would hope that in future editions of the book, the authors expand on chapter one. The chapter itself in fact could easily me made into a book in its own right. As part of the job search process, many job searchers often do not ask themselves enough fundamental questions if they are indeed in the right place in their career. Such an approach is taken by Lee Kushner, founder and CEO of the information security recruitment firm LJ Kushner and Associates. Kushner formulated the following 7 questions that every information security job candidate should ask themselves:

1. What are my long and short term plans?

2. What are my strengths and weaknesses?

3. What skills do I need to develop?

4. Have I acquired a new skill during the past year?

5. What are my most significant career accomplishments and will I soon achieve another one?

6. Have I been promoted over the past three years?

7. What investments have I made in my own career?

The other 9 chapters of the book all have the same format; an overview of the topic, and then various questions and interviewer may pose. The reality that these topics of network and security fundamentals, firewalls, regulations, wireless, security tools, and more, are essential knowledge for a security professional. Anyone trying to go through a comprehensive information security interview and wing it by reviewing the material will likely only succeed if the interviewer is inept. Anyone attempting to mimic the questions and answers in the book in a real-world interview will immediately be found to be a sham if the interviewer deviates even slightly from the script, which should be expected.

What really separates a good candidate from a great candidate is hands-on, practical and real-world security experience. Such a candidate won't need a question and answer format to showcase themselves in an interview. Their experience should shine, and not their ability to rattle of security acronyms.

If a company is serious about hiring qualified people, the interview process should not be about short technical questions and acronym definitions. It should entail an open discussion with significant give and take. Having a candidate detail their methodology for deploying and configuring a firewall should be given more credence than their ability to define the TCP the three-way handshake.

Ultimately, the efficacy of the book is in the disposition of the reader. For the security newbie who wants a crash course in security in order to quickly land a security job, heaven help the company that would hire such a person. While one should indeed not judge a book by its cover; this book's cover and title may lead some readers to think that the book is their golden ticket to a quick landing into a great career. The breadth of information that a security professional needs to know precludes and short of cramming or quick introductions. Those with a lack of security experience attempting to use this book to hide their shortcomings will only embarrass themselves on an interview.

On the other hand, for the reader who has a background in information security who wants an update on network and security fundamentals, they will find IT Security Interviews Exposed a helpful title. The book contains a plethora of valuable information written in a clear and easy to read style. In a little over 200 pages, the book is able to provide the reader with a good review of what they know or may have forgotten. Used in such a setting by such a reader makes the book a most helpful tool for the serious security professional looking to advance their career.

Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

My interview process....

[iknownuttin]

...the interview process should not be about short technical questions and acronym definitions. It should entail an open discussion with significant give and take

I tell the candidate that he has 60 seconds to break into the Pentagon while I hold a gun to his head and a really hot chick gives him a blow job. And it's give a take: he breaks into the Pentagon, and he gets a blow job. Win win!

Re:

[morgan_greywolf]

My interview process.... (Score:0, Flamebait)
by iknownuttin (1099999) Alter Relationship on Wednesday December 19, @01:51PM (#21754446) ...the interview process should not be about short technical questions and acronym definitions. It should entail an open discussion with significant give and take

I tell the candidate that he has 60 seconds to break into the Pentagon while I hold a gun to his head and a really hot chick gives him a blow job. And it's give a take: he breaks into the Pentagon, and he gets a blow job. Win win!

Obvious Swordfish [imdb.com] reference, for those of you that missed it. *cough*mods*cough*

Re:

[iknownuttin]

Obvious Swordfish [imdb.com] reference, for those of you that missed it. *cough*mods*cough*

My interview process was in a movie? I mean, yeah, it's a reference.

Re:

[$RANDOMLUSER]

Yes, and Swordfish was a terrible movie.

I can think of two redeeming features.

Re:

[morgan_greywolf]

I can think of two redeeming features.

Are they both somehow connected to Halle Berry?

Re:

[$RANDOMLUSER]

Shall we say firmly connected?

Re:

[Jansingal]

which are...????

Re:

[camusflage]

I can think of two redeeming features.

A dead John Travolta and a very pissed off Don Cheadle?

Re:

[dotgain]

Yeah, but they're separately downloadable, so there's still no compelling reason to watch that pile of trash movie.

I'd never seen it myself (because I'd heard it's rubbish) until a year ago, when a friend of a friend insisted that they apparently hired a technical 'expert' to try not to make seasoned techs piss themselves laughing, and that the story was fulfilling, moving, and worthy of a watch. Holy shit what an unbelievable waste of time.

Re:

[dotgain]

Swordfish references are inherently flamebait, since it implies the author believes Swordfish is worthy of reference.

Re:

[jollyreaper]

I tell the candidate that he has 60 seconds to break into the Pentagon while I hold a gun to his head and a really hot chick gives him a blow job. And it's give a take: he breaks into the Pentagon, and he gets a blow job. Win win!

That's a lot better than the security test at my last job: there it was a hot chick holding a gun to your head but the threat of failure was that you'd get a blowjob from the bearded unix guy. Tell you what, that bullet started looking awful friendly.

Isn't that the problem, though?

[morgan_greywolf]

Anyone trying to go through a comprehensive information security interview and wing it by reviewing the material will likely only succeed if the interviewer is inept.

I find a lot of times, interviewers are inept. I've sat on both sides of the interview table and I can tell you that the decision makers rarely have much technical background, and technical people rarely have much insight into reading a person's level of fitness for the job from a personal skills or personality point of view. And it's rare that a decision-making manager is both a fantastic manager with keen personal insights and a technical person with up-to-date skills and experience.

Re:Isn't that the problem, though?

[orclevegam]

There are really three possibilities for who is going to interview you, and only one of them is likely to do a good job. The first, and worst case as some middle manager with no clue about what your job is actually going to entail. Not sure how they can possibly hope to do a good job interviewing, but presumably they're just scoping out your attitude and basing their decision on if they like you and if your resume has all the correct buzzwords (and the proper length to satisfy their sensibilities). The second possibility is a co-worker or direct manager, but one who is hopelessly clueless. This is depressing in that not only will they be a poor judge of candidates, but if you do get hired you'll most likely have to work with this moron, and odds are he's an indication of the type of environment you're getting into. The last and final possibility is a co-worker or direct manager who actually knows what they're doing. This is the only one of the three that can do a good job interviewing candidates. You can usually tell if you've got someone like this because you can ask questions during the interview and get intelligent responses in addition to further questions based on your answers. Sometimes it can be difficult to determine if you have someone who knows what they're talking about because often times the clueless and middle managers simply have a list of standard questions they run down, but a good indication is if they deviate from the list when you ask them questions about it, or if some of the questions don't necessarily make sense in the context they're being used.

The best system of course is one in which management sits in on the interview and observes, but the technical people conduct the interview. After the interview management can receive a review of the candidates technical merits from the interviewer(s), and base their decision on that as well as any non-technical observations they made during the interview. If the potential hire is also being interviewed by potential co-workers this can also offer some insight into how well they'll interact in the future.

Obligatory Project Manager joke...

[SpzToid]

...and I can tell you that the decision makers rarely have much technical background

Oh please, let me insert my Project Manager joke here (thank you):

So there's a software engineer, a hardware engineer, and a project manager washed up on a desert island. They've been stuck there for years and years, and an interesting bottle washes ashore and someone pulls the cork off, as a genie appears from within.

The genie says, "Thank you for opening the bottle, I've been stuck in there for 4000 years. As a reward for

Re:

[Jansingal]

Hey, I think I am going to tell this joke during the interview.

If they laugh hysterically, they are hired on the spot.
If they don't think it's funny, then they really lack experience and are not invited back for further interviews.

Re:

[SpzToid]

Thank you so much. This joke was passed on to me by a true veteran; bless him.

Re:

[Jansingal]

Only a veteran could come up with such a joke, so true a joke!

well, maybe I can get you a dream job

[Malloc Arena]

Management is technical all the way to the top. (a CEO with a pair of engineering degrees and a COO with a PhD in CS) The top isn't very far; it's a small place with a very flat structure. So far it seems we've avoided collecting the sort of people who make others miserable. Technically we're at the top of the field.

We're a hacker-friendly company, despite doing contracts for the man. We have extreme flex hours. We don't have layers of corporate crud. Business is booming.

We write our own tools. (exotic inst

Re:

[morgan_greywolf]

Um, where on the east coast?

Re:

[Malloc Arena]

1. Melbourne, FL (two dozen miles south of NASA) 2. a couple dozen miles northeast of D.C. (much nicer area than D.C. itself)

Re:

[morgan_greywolf]

Send me mail with some job openings. I'll send a resume to whomever I need to. I currently live in the Tampa Bay area in FL, so Melbourne isn't that much of a big move for me. morgan***dot***greywolf***at***gmail***dot***com

Re:

[morgan_greywolf]

morgan***dot***greywolf***at***gmail***dot***com

True of all professions

[SiriusStarr]

Isn't it true of all professions that passion is what distinguishes the okay from the excellent? There might be some exceptions, but it holds in the vast majority of cases. It's always about your devotion to the job and what you bring to it. I don't think IT Security is unique in this sense. This is most certainly a ripe and growing profession, however, with the proliferation of cyber-crimes.

Re:

[SparkleMotion88]

Isn't it true of all professions that passion is what distinguishes the okay from the excellent?

No. Ability is what distinguishes the okay from the excellent. Whether that ability was gained through passionate dedication to your job, a good education, years of experience, or innate skills is irrelevant. A professional can be highly successful at a job that he isn't passionate about. Companies like to employ passionate people, though. These people can be paid less because they gain the additional bene

Seven Questions

[kilo_foxtrot84]

Don't those seven questions mentioned in the summary apply to any job, and not just information security?

speaking from personal experience

[mraudigy]

Sadly, the company I work for often made policy out of hiring on acronym knowledge. This was nice if they ever ended up on Jeopardy, but it doesn't amount to a hill of beans in practice. From a managerial aspect, a good employee should be knowledgeable and dedicated to the subject and work area. When our initial information security officer was hired, he was hired on his acronym knowledge. However, his lackadaisical dismissal of not only effective but common sense IT security jeopardized the company's livel

Re:

[angus_rg]

I've been having this coversation alot lately. The problem with security, or any field is that it's not what you know, it's how you use what you know. If I had a nickle everytime someone in my department asked me a question that I did not know the answer to, and in 30 seconds on google I got the answer, I'd be rich. When I first started in security almost a decade ago, it was on a newly formed firewall team(firewalls are the easiest way to get your foot in the door), and there was no one in the company w

Sounds like my 2nd phone interview with Google.

[Almahtar]

I was really disappointed. I hope I just got the freak lame interview and most of their interviews are a little more relevant (for Google's sake), but my 2nd phone interview with them was random trivia. No problem solving, no brainstorming, no thought process at all, just information retrieval.

You'd think the company that revolutionized fast information retrieval would understand that "man " or Googling something is almost instant, but creativity and intelligence are priceless. The interviewer asked me

Re:

[HappyEngineer]

The face to face interviews are probably deeper. In my experience, very basic questions like "what is polymorphism" have a tendency to filter out most applicants (for a programming position). I sometimes hear my coworkers give phone interviews and it's utterly pathetic how many people have problems with the simplest of questions. I sometimes wonder why these people even bothered becoming programmers.

It isn't until face to face interviews when deeper questions are needed.

Re:

[Jansingal]

did u get the job?

More important than passion...

[dada21]

...is building your reputation and experience to the level that a CEO or other top-level manager understands your talent, combined with understanding the need for security as part of their company's overhead.

Being passionate is great. But that is a small part of the demand that employers have for a security professional. If they don't understand the demand, there is no supply in this case, pertaining to that particular employer.

We have many customers with great security needs, but they were not aware of them until we briefed them on it. In some cases, we specifically turned down contracts because they lacked security. In other cases, we negotiated to REMOVE some security burdens because the customer was wasting their money, shooting off big words that didn't pertain to their industry.

It is rare that I meet a security professional without passion. It isn't rare when I meet one who doesn't have the business skill to sell their job security to their employer. I've also met my share of security professionals (W2) who are so embedded in their network(s) that they're ignorant of other security flaws that are evident to a consultant. Passion doesn't necessarily mean efficient.

Without the management on board, your job will suck, even if you're passionate about it. Here's a place where being proactive will keep you employed. Being reactive will get you canned. Passionate or not.

Re:

[orclevegam]

.In other cases, we negotiated to REMOVE some security burdens because the customer was wasting their money, shooting off big words that didn't pertain to their industry.

You mean management makes decisions about technical issues based solely on buzzwords without understanding what they mean? Nah, that could never happen</sarcasm>

Rain, Parades, and Outsourcing

[deweycheetham]

| "Information security is a hot career area and is among the strongest fields within IT for growth and opportunity. With excellent long-term career prospects, increasing cybersecurity vulnerabilities and an increase in security & privacy regulations and legislation, the demand for security professionals is significant..." |

Not to rain on Chris Butler's parade or anything, but this position can be outsourced to anywhere in the world with a communications line and a back office, event thou your Security

Thousands outsource their IT security every day

[Skapare]

Thousands of businesses outsource their IT security every day. Lots of it goes overseas, too. And the best part of it is that it's free. The bad part is they don't know they are outsourcing it at all.

Re:

[Anonymous Coward]

I think you are confusing "glorified network analyst who know how to setup a firewall" with "information security professional". The former is outsourced because it is tighly coupled with the whole IT outsourcing business. The latter is much more difficult to outsource, because you want your infosec peoples to intimately know your business processes, your assets, and the nature of your risks. And most company won't trust people they barely know in making important decisions on these matters.

Re:

[Jansingal]

Not really.

We all know how incompetant the Bangalore/Mumbai call centers are. they are good at basic tech support.

but things like app level security, crypto, authentication... neva!!!!

your security job is safe in the US of A dudes!

Re:

[StickyWidget]

| "Information security is a hot career area and is among the strongest fields within IT for growth and opportunity. With excellent long-term career prospects, increasing cybersecurity vulnerabilities and an increase in security & privacy regulations and legislation, the demand for security professionals is significant..." |

Sounds like you have an easy job, Chris. Like the kind robots will be doing soon.

~Sticky

Qualifications...

[Anonymous Coward]

What really separates a good candidate from a great candidate is hands-on, practical and real-world security experience.

As a self made high level infosec professional, albeit one who of his own volition too a promotion to a maangement level in a different IT area, I would like to say that this is not true. Here are a few things that makes a great infosec candidate:

1. Communication skills: A proper infosec pro does not do much technical work outside of running security systems. Even this is irrelevant in larger orgs - you have offshore resources for this work. What a security pro does do, however, is interface with all manner of technical and non-technical cross-functional teams. A normal day could include techincal meetings with networkops teams to go over firewall pinhole rules, a governance meeting with controllers, presentations to upper management on new initiatives, and policy making decision with lawyers. Communication is key.

2. Ability to see the larger picture: One of my favorite sayings was that infosec's job was not to say "no", but to say "yes, and here's how to do it safely". Too many infosec practitioners, including ones with years and years of experience, turn into technology luddites. That is 180 degrees off what a true infosec practitioner does. Your job isn't to limit people, but to enable them to do their jobs better and safer - better is true for all IT roles, safer is true for infosec.

3. Adequate technical background: I don't care what your background is in, but I would like to see a solid technical background. I don't want you doing risk analysis on firewalls, application security reviews, or hardware/software recommendations without being able to understamd the bsic concepts behind the technology.

So, given the above and no security experience versus a complete nerd with no social skills and an attitude honed from 10 years of treating his "security" job as an excuse to say "no" to every request so he can go back to web surfing... ERRR, "keeping abreast of vulnerabilities", I take the former every time. Infosec experience be damned.

Re:

[HardcorePooka]

So... you're hiring right?

Re:

[dave562]

What has your career path looked like? What is your education level like? I've been doing IT since 1996 and before that most of my interest in computers came from 2600 meetings and all of the associated subject matter that comes with that. I've done most of my work in the SMB sector for clients with 20-250 employees and single to multiple sites. I'm interested in stepping into a more senior position where I can oversee other people because I truly believe that is where my strengths lie. I've had the go

Re:

[ZonkerWilliam]

Really? Being an Infosec Professional and a published author who's worked with several Fortune 50 and Government Agencies, I would question your thinking. It sounds that your relating to much of being a Infosec pro to the executive branch. Most Infosec pro's are Firewall-IPS-Endpoint Security type individuals, who carry a lot of valuable experience, much more than the executive branch. I've dealt with to many executives who have no concept of the environment they are trying to protect. I've had to deal

Re:

[Jansingal]

>>>and a published author

what did you write?

Re:

[ZonkerWilliam]

I actually write for Information Security Magazine http://searchsecurity.techtarget.com/magazineCurrent/0,296884,sid14,00.html [techtarget.com]

Re:

[Jansingal]

Under what name do you write?

Re:

[ZonkerWilliam]

Please post your email and I will send it to you, in private.

Re:

[Jansingal]

jayshreesingala@gmail.com

Re:

[ZonkerWilliam]

I've forwarded my info.

Re:

[Jansingal]

thanX!

I remember cleary a Price Waterhouse interview

[gelfling]

The interviewer opened a phone book sized tome and read questions w/o looking up once. The next level up was with an associate partner who essentially shouted at me for 30 minutes about how great it was to work there how partners at any other firm would happily take a lower level job at PW but at the same time anyone who didn't work at PW was a moron and a loser.

Re:

[Jansingal]

That must have been years ago during the internet era.

The folks at PWC still have their head in their air, but that are not THAT POMPOUS, at least the ones that have been in our firm.

A hot career? Passion?

[Anonymous Coward]

If you're getting into infosec for any other reason than the fact that you're a natural paranoid who's horrified at the careless stupidity of the majority; you're wasting everyones time!

you can't flunk a security interview

[petes_PoV]

First of all, there are no standards in IT security. You can't say "I'm trained in the XYZ" methodology. The only underlying principle in IT security is "Deny everything to everyone all the time" (Is there an acronym for that?). So as long as you keep this principle in mind you can't fail.

Here's the really good bit: the interviewer can't ask you questions about your past experience or clients, because that's confidential. If pressed you just need to say that "You wouldn't want me to talk to future employers about your security setup, so you must respect previous clients' confidentiality".

Now if you think this leads to:

• no means of checking credentials
• a job for life
• the worse things get, the greater the need for security
• an industry filled with the clueless (see #1)
• a universal policy of "when in doubt reduce access even further"
• ... and if that didn't work, tighten it even more
• total chaos, due to the lack of rigour and standards

You'd be right. Now where do I sign ...

Re:

[Bill, Shooter of Bul]

total chaos, due to the lack of rigour and standards

The industry tried using rigor and standards, but abandoned them due to their insecure nature.

Re:

[apparently]

The only underlying principle in IT security is "Deny everything to everyone all the time"

You're either really bad at snark, or have little concept of (and great contempt for) true IT security work. Did a network admin forbid you from logging into your hotmail account, or what?

Re:

[g1zmo]

I read his comment as an only slightly snarky one-line summary of the basic principles of shutting off unnecessary services and maintaining access control via things like tcp_wrappers and firewalls. Your interpretation didn't even cross my mind, although I now see it.

Re:

[Jansingal]

apparently (756613),

you are much more to the point than I :)

Jay

Re:

[apparently]

I couldn't bring myself to respond to each inane attempt at a bulletpoint :)
While there are some security professionals who think "deny, deny, deny" is a sound policy, the better one's understand that the "IT" in "IT Security Professional" means that ultimately, technology is used to enable the business process (and if you're able to enable it better than your competitor's, you gain a strategic advantage on them). Thus, "deny, deny" doesn't rationally fit that approach, which just means we get to have fun

Re:

[Jansingal]

point well taken

Re:

[Jansingal]

Dude, you are soooo wrong!!!

What do you mean that there are no standards in IT security? Ever hear of ISO-17799? There are standards from NIST, VISA and tons more.

>>>You can't say "I'm trained in the XYZ" methodology.

Sure you can!!! There are security methodologies that train people.

>>The only underlying principle in IT security is "Deny everything to everyone all the time" (Is there an acronym for that?)

That is a sub principle in the methodologies you just denied existed :)

>>>Her

I have this book!!!

[jtrav14]

I bought this book and I recommend it to those that are experienced in the field. This book was exactly I needed. It was a brief refresher on topics that I had previously learned, and certified on in the past. For example the CISSP is massive exam that covers a lot of topics. No one uses all the topics covered on a day to day basis. This book brought those things I dont normally use back to the front of my mind so I could be sharp during the interview. However, this book would bear little fruit to those not

But if candidate is certified, there is no need

[walterbyrd]

to test technical knowledge. I mean, isn't that the whole point of having dozens of different security certifications?

If a candidate has the gold standard: CISSP. Then there can be no question of his/her technical knowledge, or experperience.

Right?