Posted by Anton Aylward
Well what would you ask?
These seem to be the kind of questions that might be asked by someone with a strong technical bias. The CISSP cert is supposed to be more oriented towards security management than to the technical aspects, so what would you ask?
We should, I think, be asking about "The Tone At The Top", the organizations attitude towards security and, but what does that mean in terms of interview questions?
My thoughts tend towards Policy and Certification, but them many of my past clients have been financial, so regulatory compliance looms large for them. I'd certainly ask about Policy, how it is formulated, how it is communicated and how it is enforced. That's not as easy as it sounds: most people know what should be done but ask that tactlessly and other than being an opening ("Yes, I can work on that for you") all you've done is embarrassed the interviewer.
So we have a refinement that the article never touched on: this is an interview not an audit.
I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity
Calendar of Posts