Security Professional’s Guide to Interviewing your Potential New Company
Another friend in the industry is leaving his company at the end of this week. Sadly, it's for the same reasons everyone else I know who has left an employer in recent years (to test the waters elsewhere) gives: "this place just doesn't really care about security!", "it's all lip service!", "they just don't understand and don't want to listen!", "the security team has no support", and so on. Same old stuff.
I don't blame any of them. I've been in that position myself a few times. You reach a stage where you think it's just not worth it anymore and surely there's something better out there. But, as we know, the grass is not always greener elsewhere. Chances are, particularly in Australia, the next employer is not going to be much better if you're looking for a place that takes Information Security seriously. There are exceptions, though. So how do you find out whether a potential new company is going to be any better on the basis of a one-hour interview?
In the post "The 7 Reasons why Businesses are Insecure", I put forward a theory on why Information Security fails within most organisations. The layers of the Strategic Security Management Framework documented in that post also make a sensible basis for assessing a potential employer. Ask the questions:
———————————-
1. Management and Governance – How is the management and governance of Information Security structured within the organisation?
If the CEO and senior officers of the business do not ultimately own the responsibility and accountability for the security of the business, then it simply does not get the appropriate attention. If the organisation cannot instil confidence in you with its response to this question, you should probably be thanking them for their time and making your way to the door. Go through the motions of the following questions if you must, but if security isn't taken seriously at the senior management level, it isn't magically going to be taken seriously anywhere else in the organisation, apart from by you.
2. Environment Awareness – Is Information Security viewed as an enterprise-wide ongoing concern?
It never ceases to amaze me how many organisations promote themselves as secure and as having strong IT security practices and controls in place, yet do not have a clear understanding of their own environment. You don't want Information Security, and yourself, sitting in a silo. If security is not an enterprise-wide concern, you'll be battling constantly to get your messages through to people in the organisation.
3. Policies and Standards – Does the organisation have enterprise-wide Information Security Policies and Standards (i.e. expected and required levels of practice)?
Most companies now have security policies and standards, but are they of much value? If there is no effective management and governance layer in place to own, manage, maintain and enforce good practice, and if there are gaps in awareness of what makes up the corporate environment, how good can the policies be? If nothing is in place, or what exists is not taken seriously, are you going to be able to make a big difference?
4. Policy Compliance and Awareness - How does the organisation enforce good practice?
Policies and standards are all well and good, but if the organisation is not doing what it says it should be doing, the security program is useless. Telling lip service from the real thing is key. Do you want your new role to be a battle to get the company to adopt good practice?
5. Assurance Program – Does the organisation have a security assurance program in place?
Few organisations "test" to confirm they are doing what they say they should be doing, i.e. test the effectiveness of the layers of the framework described above. An ongoing assurance program helps to identify issues arising from the deployment of new technologies and problems caused by weak practices around existing technologies. Few organisations do:
- Ongoing environmental scoping – mapping their environment and keeping up-to-date records of what it contains.
- Ongoing vulnerability assessment and management – a proactive VA program helps identify issues before they become a problem.
- Regular security testing of key systems and applications, including penetration testing and application reviews.
- Security review of new systems before they go into testing and production. In our experience 90% of newly deployed web applications have critical security issues, yet organisations still trust that their developers understand security and don't test. Scary!
- Review of their policies and standards – are they relevant, up to date, and do they cover the scope of the complete business environment?
- Review of the effectiveness of the compliance program(s) – testing to see whether what the organisation says should be done is actually being done.
This covers the core of much of the work that Information Security professionals get involved in. If none of this is happening, what does the job description actually consist of?
6. Incident Management and Response – What does the organisation have in place for Incident Management?
If any of the above fails, an incident occurs. That assumes the organisation even knows an incident has taken place; take the tip that most companies have no idea unless it is one that has walked right up to them and slapped them in the face. Most organisations have little or nothing in the way of documented and tested response plans (let's add DR to this as well). How can an organisation respond quickly and effectively to something if there is no plan? How serious is an organisation that has no plans in place?
7. Strategy and Performance Assessment – How are the Information Security strategy and plans; developed, maintained, tested and reviewed?
In any strategic planning cycle, performance and strategy re-assessments are a vital component of keeping a strategy effective and up to date. Few organisations take a holistic view when assessing the effectiveness of their IT security strategy. I know that "metrics" and performance assessment have been debated in the IT security industry since day one, but let's not confuse systems and detection metrics, to give a couple of examples, with a "strategy" level review. Will the new role see you as a key player in strategy and change within the organisation?
————————————–
Now, if money is your driver, disregard most of this and go for it. But if you're really looking for a better working environment, where your passion for your work and the industry will be appreciated and put to good use, don't be afraid to ask the questions. If the organisation can answer most of the above confidently, you may be onto a good thing!


July 15th, 2008 at 7:53 pm
Rock on Double D! Hymn, sing and sheet!
July 16th, 2008 at 10:28 am
I thought this was supposed to be beast or buddha’s “good news week” ?
July 16th, 2008 at 10:37 am
That was last week. I tried but it lasted about 2 days.
This isn’t too bad is it?
July 16th, 2008 at 1:57 pm
Also, whether or not the organisation has cultural support for security...
July 16th, 2008 at 2:17 pm
Getting the information upfront is important, and getting it in writing even more so (though contracts end up becoming a one-way street in most cases – like, what are you going to do about it anyway?). If you're going to make a big move, don't be afraid to ask the tough questions. Better up front than whinging about it later. I think most people are so concerned about making the right impression at the interview that they do nothing that might upset the apple cart.