What Applicants Should Ask When Interviewing For An InfoSecurity Position


Well what would you ask?

These seem to be the kind of questions that might be asked by someone with a strong technical bias. The CISSP cert is supposed to be more oriented towards security management than to the technical aspects, so what would you ask?

We should, I think, be asking about “The Tone At The Top”, the organization’s attitude towards security, but what does that mean in terms of interview questions?

My thoughts tend towards Policy and Certification, but then many of my past clients have been financial, so regulatory compliance looms large for them. I’d certainly ask about Policy: how it is formulated, how it is communicated and how it is enforced. That’s not as easy as it sounds: most people know what should be done, but ask that tactlessly and, other than being an opening (“Yes, I can work on that for you”), all you’ve done is embarrass the interviewer.

So we have a refinement that the article never touched on: this is an interview not an audit.


Does the Certified Ethical Hacker add value to a CISSP

A young colleague asked about the value of the CEH certification. Would it “Add Value” to his existing CISSP? The syllabus looked interesting to him and he wondered how prospective employers would view this.

This was my reply:

There are TEN domains to the CISSP’s CBK. People come to security from
many walks of life and fields of endeavour and information security has
many facets beyond protecting networks and hosts from malicious attack.

There have been times in my career when the work covered by the CEH
would have been relevant, but back then neither the CEH nor the CISSP
existed. But even back then I realized that the real problem was not
the networks or the hosts or the system administrators.

Each decision you make, each certification and specialization you focus
on leads you down a career path. I’ve often criticised “reactive mode”
security. The same I’d apply to your career. Is this a proactive move?
Is there a career plan here? Where do you see yourself in five or ten
years? How long do you expect to be doing Pen Testing?

Many of us took the CISSP not as a learning exercise but to validate our
already existing skills and experience. You can read in the archives
tales of people at the seminars that pre-dated “boot camps” who wrote
the books that the exam questions were based on. I mention this
because of the way you have worded your question. Are you interested in
the CEH as a validation of your experience or do you expect the course
to teach you Pen Testing? If the latter, then I’d think again.

But ultimately it boils down to the issue of your career. Many of the
older members of this forum, and older CISSPs in general, have very
diverse backgrounds. There is an old joke about a PhD being a ‘delta
function’: you know more and more about less and less. Many career moves
are like that. I mention this because I, and others, feel there is a
point in a career where it is the width of experience, the 20-20
peripheral vision, the understanding of context, the ability to avoid
Errors of the Third Kind, that employers value.

Yes, it depends on your age – which you didn’t mention – and other
factors. Context is, as I keep saying, everything.

Maybe one day I’ll go back and finish my degree in Social Anthropology.
All in all I feel understanding people and the social dynamics of
organizations is more relevant to communicating and effecting the
changes needed to bring about good security practices. But that’s me,
my context and my career objectives.

You need to make it clear what yours are before you can say whether a
CEH – or any other certification, for that matter – is relevant to you.

As Robert Heinlein said:

A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders, give
orders, cooperate, act alone, solve equations, analyze a new problem,
pitch manure, program a computer, cook a tasty meal, fight efficiently,
die gallantly. Specialization is for insects.




It’s one of those bootstrap problems: the new CISSPs who need to read the information can’t get at the FAQ on how to sign up for the CISSPForum because they need to be members of the forum in order to read the instructions.

Yes, I know the information is at the (ISC)2 web site, but that’s an incredibly difficult site to navigate.

Because of this, Gary Hinson and myself, each quite independently, took the CISSP Forum FAQ and converted it to a web page, adding hyperlinks etc. The two pages are at:

Both sites are very rich, but very different in nature. Gary makes use of custom mind-maps to assist in navigation, whereas the Wiki allows registered members – CISSPs – to contribute.

The CISSP Forum at YahooGroups is very active. It is not a purely technical group, but an active support group for CISSPs. It handles well over 1,000 messages a month and is the kind of “social network” that some vendors would pay millions of dollars to own – if it wasn’t a closed group that spurns advertising.

The astounding thing is that so few CISSPs know about it. (ISC)2 seems to make no effort to publicise it to people as they gain their certification.

If you are a CISSP, visit either of those two pages, or better still go directly to the (ISC)2 web page for registration – https://www.isc2.org/cgi/cissp_forum.cgi – and sign up.
