5 more tough security questions (and tips on answering them)
- — 09 January, 2013 17:47
At first glance, Eric Cowperthwaite, Chief Security Officer at Providence Health and Services in Renton, Washington, doesn't care how excellent a job candidate's credentials and experience look on paper. He wants to see how much of an impression they make on his team.
"It doesn't matter how much I like you or how impressed I am by your skills. Show up and rub the team the wrong way, that's the end of the line."
That's is why when Cowperthwaite is vetting candidates for the security department at Providence, a not-for-profit Catholic health care services organization, he has every one of them meet with the team they will be working with BEFORE they get to sit down with him. He believes their impression is what matters most.
"It costs a lot in terms of team dynamics and effort and work that goes undone if you bring someone in that doesn't fit," said Cowperthwaite. "If someone doesn't fit, you have to start all over again in six months and hire someone else."
That said, if a perspective job candidate does get in front of Cowperthwaite, it is fair to say they have proven themselves to a large extent already. But he still has three important questions he wants to ask.
How do you collaborate?
Cowperthwaite asks this to gauge a candidate's attitude. Are they easy to get along with? Or do they use an "I'm in charge" attitude when collaborating with other team members, as well as people outside of security?
"It's a pretty open ended question," said Cowperthwaite. "I want to know: how do they build teams? What is their approach to working with others? Probably the most common thing I run into is folks whose approach to collaboration is to try to force teamwork from a position of assumed authority. They show up and say 'I'm from security and we are running a security project and I need you to do X,Y, and Z.'"
This kind of answer rubs Cowperthwaite the wrong way. That is not how he wants his team to collaborate with others. Instead, he'd rather hear that the candidate has a skill in team building that gives them a less abrasive edge when approaching others.
"The better answer is: 'I sit down with them and explain what my needs are and ask if they can help.' That's a far better answer."
Why do you want this job?
"Whether they are employed or unemployed, I'm curious," said Cowperthwaite. "While I happen to think working in my organization is a great thing, I'm curious what attracts them to the job."
For obvious reasons, Cowperthwaite said this can help weed out the frequent job jumpers simply looking for a short term opportunity to advance their resume credentials.
"I like the idea of people who are committed to doing great security work and being part of a team and contributing to my corporate mission and culture," he noted.
He's also received many bizarre answers.
"I had one candidate tell me they were applying for the job because it would solve their commute and toll problems. Call me crazy, but those don't seem like reasons why I should hire you. At no point did they tell me they were excited to be part of my team and to do great information-security work."
What questions do you have for me?
Cowperthwaite likes this other open-ended question because it also offers him a lot of insight into the job-seeker's motivations for wanting the job.
"If you're wanting to know about pay, benefits and promotions, that's' a red flag. I'm not the guy to ask those questions. I'm the guy to ask about the mission of the security department. How do we go about accomplishment? What are the opportunities to learn within the company? I want to hear: 'What do you envision my role to be and how I can contribute to the mission of this company?' Those are all questions I like to hear."
Cowperthwaite also noted the way the interviewee asks the questions gives him some further idea on how they might work.
"Someone who is looking for independence and broad boundaries when they ask these questions also tend to be people who are very motivated, commitment and strategic contributors."
Daniel Kennedy, Research Director for Information Security and Networking at TheInfoPro, a division of 451 Research, previously interviewed perspective security job candidates as Global Head of Information Security for D.B. Zwirn & Co., as well as when he was Vice President of Application Security and Development Manager at Pershing LLC, a division of the Bank of New York. Kennedy's style of questioning is a bit more pointed than Cowperthwaite's, and also more appropriate for hiring at the top level; for executive positions such as CSO and CISO. He offered these two favorite questions.
How will you earn and keep your seat at the table with other senior executives?
Kennedy said he likes to ask this question because it tells the interviewer about the prospective security manager's ability to remain relevant within an organization.
"Too often the CISO is buried in the company's organizational structure, in too junior a role, an acknowledgment that as a company 'we need a CISO' to keep up appearances, but not exactly a vote of confidence in the CISO's ability to make an impact on the corporate DNA to improve security."
While he notes there is no one right answer to this question, there are a number of wrong answers that reveal the interviewee has no strategic plan, or experience talking to senior managers.
"The CISO position is a strategic one, there is a strong technical component but a CISO must be able to communicate an ongoing vision for security within a company early and often. It isn't easy; it means getting invited to the right steering meetings, maintaining the confidence of fellow senior managers, and speaking in a language that informs those without a security background without overwhelming."
What are ways you've prioritized and shepherded information security projects through your previous organization?
Another Kennedy favorite. He said it gives him a perspective on a candidate's record of success in past positions.
"The fact is most large companies have a lot of moving parts that must be accessed to get anything done, and a CISO must be an effective project manager, able to tap into and motivate resources they don't always organizationally 'own,'" he said.
"If someone responds that their job was only to recommend a course of action or to write policies without follow-through, I view that as a possible warning sign of someone who isn't "looking to make a difference" in the corporate culture, but would rather work on their own and isn't particularly concerned with the actual posture of security at their company as long as they remain employed and are asked what they think now and then. On the other hand, responses that talk about developing requirements with business units, presenting potential cost savings to project steering committees, or working closely with Compliance/Audit to resolve security deficiencies indicates some level of experience in working through the political landscapes of large organizations."