Slashdot Mirror
IT Security Interviews Exposed
Ben Rothke writes "Information security is a hot career area and is among
the strongest fields within IT for growth and opportunity. With excellent long-term career prospects,
increasing cybersecurity vulnerabilities and an increase in security &
privacy regulations and legislation, the demand for security professionals is
significant. Even with a bright future, that does not necessarily mean
that a career in information security is right for everyone. What differentiates an excellent security
professional from a mediocre one is their passion for the job. With that, IT
Security Interviews Exposed is a mixed bag of a book. For those that are looking for an information
security spot and have the requisite passion for the job, much of the
information should already be known. For
someone who lacks that passion and simply wants a security job, their lack of
breadth will show and the information in the book likely won't be helpful,
unless they have a photographic memory to remember all of the various data
points." Read below for the rest of Ben's review.
IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job
author
Chris Butler
pages
218
publisher
Wiley
rating
8
reviewer
Ben Rothke
ISBN
0471779873
summary
Good review for a pro, but not for newbies.
If you find information security challenging and either
want a job in the field or are looking for a better job in the field, the book
will be quite valuable. But for those
looking for a hot security job, their lackings will likely show through on in
interview, even with the help of this book.
As to the actual content, chapter 1 provides a good overview of how to find, interview and get a security job. The chapter contains many bits of helpful information, especially to those whose job seeking skills are deficient. A good piece of advice the author's state is that one should never pay a fee for headhunting services. There are many people that call themselves recruiters, but are nothing more than fax servers who charge for the service. The burden to pay is always on the hiring firm, and a job seeker should be extremely suspicious of anyone requesting a fee to find them a position.
I would hope that in future editions of the book, the authors expand on chapter one. The chapter itself in fact could easily me made into a book in its own right. As part of the job search process, many job searchers often do not ask themselves enough fundamental questions if they are indeed in the right place in their career. Such an approach is taken by Lee Kushner, founder and CEO of the information security recruitment firm LJ Kushner and Associates. Kushner formulated the following 7 questions that every information security job candidate should ask themselves:
1. What are my long and short term plans?
2. What are my strengths and weaknesses?
3. What skills do I need to develop?
4. Have I acquired a new skill during the past year?
5. What are my most significant career accomplishments and will I soon achieve another one?
6. Have I been promoted over the past three years?
7. What investments have I made in my own career?
The other 9 chapters of the book all have the same format; an overview of the topic, and then various questions and interviewer may pose. The reality that these topics of network and security fundamentals, firewalls, regulations, wireless, security tools, and more, are essential knowledge for a security professional. Anyone trying to go through a comprehensive information security interview and wing it by reviewing the material will likely only succeed if the interviewer is inept. Anyone attempting to mimic the questions and answers in the book in a real-world interview will immediately be found to be a sham if the interviewer deviates even slightly from the script, which should be expected.
What really separates a good candidate from a great candidate is hands-on, practical and real-world security experience. Such a candidate won't need a question and answer format to showcase themselves in an interview. Their experience should shine, and not their ability to rattle of security acronyms.
If a company is serious about hiring qualified people, the interview process should not be about short technical questions and acronym definitions. It should entail an open discussion with significant give and take. Having a candidate detail their methodology for deploying and configuring a firewall should be given more credence than their ability to define the TCP the three-way handshake.
Ultimately, the efficacy of the book is in the disposition of the reader. For the security newbie who wants a crash course in security in order to quickly land a security job, heaven help the company that would hire such a person. While one should indeed not judge a book by its cover; this book's cover and title may lead some readers to think that the book is their golden ticket to a quick landing into a great career. The breadth of information that a security professional needs to know precludes and short of cramming or quick introductions. Those with a lack of security experience attempting to use this book to hide their shortcomings will only embarrass themselves on an interview.
On the other hand, for the reader who has a background in information security who wants an update on network and security fundamentals, they will find IT Security Interviews Exposed a helpful title. The book contains a plethora of valuable information written in a clear and easy to read style. In a little over 200 pages, the book is able to provide the reader with a good review of what they know or may have forgotten. Used in such a setting by such a reader makes the book a most helpful tool for the serious security professional looking to advance their career.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
As to the actual content, chapter 1 provides a good overview of how to find, interview and get a security job. The chapter contains many bits of helpful information, especially to those whose job seeking skills are deficient. A good piece of advice the author's state is that one should never pay a fee for headhunting services. There are many people that call themselves recruiters, but are nothing more than fax servers who charge for the service. The burden to pay is always on the hiring firm, and a job seeker should be extremely suspicious of anyone requesting a fee to find them a position.
I would hope that in future editions of the book, the authors expand on chapter one. The chapter itself in fact could easily me made into a book in its own right. As part of the job search process, many job searchers often do not ask themselves enough fundamental questions if they are indeed in the right place in their career. Such an approach is taken by Lee Kushner, founder and CEO of the information security recruitment firm LJ Kushner and Associates. Kushner formulated the following 7 questions that every information security job candidate should ask themselves:
1. What are my long and short term plans?
2. What are my strengths and weaknesses?
3. What skills do I need to develop?
4. Have I acquired a new skill during the past year?
5. What are my most significant career accomplishments and will I soon achieve another one?
6. Have I been promoted over the past three years?
7. What investments have I made in my own career?
The other 9 chapters of the book all have the same format; an overview of the topic, and then various questions and interviewer may pose. The reality that these topics of network and security fundamentals, firewalls, regulations, wireless, security tools, and more, are essential knowledge for a security professional. Anyone trying to go through a comprehensive information security interview and wing it by reviewing the material will likely only succeed if the interviewer is inept. Anyone attempting to mimic the questions and answers in the book in a real-world interview will immediately be found to be a sham if the interviewer deviates even slightly from the script, which should be expected.
What really separates a good candidate from a great candidate is hands-on, practical and real-world security experience. Such a candidate won't need a question and answer format to showcase themselves in an interview. Their experience should shine, and not their ability to rattle of security acronyms.
If a company is serious about hiring qualified people, the interview process should not be about short technical questions and acronym definitions. It should entail an open discussion with significant give and take. Having a candidate detail their methodology for deploying and configuring a firewall should be given more credence than their ability to define the TCP the three-way handshake.
Ultimately, the efficacy of the book is in the disposition of the reader. For the security newbie who wants a crash course in security in order to quickly land a security job, heaven help the company that would hire such a person. While one should indeed not judge a book by its cover; this book's cover and title may lead some readers to think that the book is their golden ticket to a quick landing into a great career. The breadth of information that a security professional needs to know precludes and short of cramming or quick introductions. Those with a lack of security experience attempting to use this book to hide their shortcomings will only embarrass themselves on an interview.
On the other hand, for the reader who has a background in information security who wants an update on network and security fundamentals, they will find IT Security Interviews Exposed a helpful title. The book contains a plethora of valuable information written in a clear and easy to read style. In a little over 200 pages, the book is able to provide the reader with a good review of what they know or may have forgotten. Used in such a setting by such a reader makes the book a most helpful tool for the serious security professional looking to advance their career.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Sadly, the company I work for often made policy out of hiring on acronym knowledge. This was nice if they ever ended up on Jeopardy, but it doesn't amount to a hill of beans in practice. From a managerial aspect, a good employee should be knowledgeable and dedicated to the subject and work area. When our initial information security officer was hired, he was hired on his acronym knowledge. However, his lackadaisical dismissal of not only effective but common sense IT security jeopardized the company's livelihood: he was look for a cushy check, not a passion. Thankfully, he is long gone, but others like him aren't.
...is building your reputation and experience to the level that a CEO or other top-level manager understands your talent, combined with understanding the need for security as part of their company's overhead.
Being passionate is great. But that is a small part of the demand that employers have for a security professional. If they don't understand the demand, there is no supply in this case, pertaining to that particular employer.
We have many customers with great security needs, but they were not aware of them until we briefed them on it. In some cases, we specifically turned down contracts because they lacked security. In other cases, we negotiated to REMOVE some security burdens because the customer was wasting their money, shooting off big words that didn't pertain to their industry.
It is rare that I meet a security professional without passion. It isn't rare when I meet one who doesn't have the business skill to sell their job security to their employer. I've also met my share of security professionals (W2) who are so embedded in their network(s) that they're ignorant of other security flaws that are evident to a consultant. Passion doesn't necessarily mean efficient.
Without the management on board, your job will suck, even if you're passionate about it. Here's a place where being proactive will keep you employed. Being reactive will get you canned. Passionate or not.
There are really three possibilities for who is going to interview you, and only one of them is likely to do a good job. The first, and worst case as some middle manager with no clue about what your job is actually going to entail. Not sure how they can possibly hope to do a good job interviewing, but presumably they're just scoping out your attitude and basing their decision on if they like you and if your resume has all the correct buzzwords (and the proper length to satisfy their sensibilities). The second possibility is a co-worker or direct manager, but one who is hopelessly clueless. This is depressing in that not only will they be a poor judge of candidates, but if you do get hired you'll most likely have to work with this moron, and odds are he's an indication of the type of environment you're getting into. The last and final possibility is a co-worker or direct manager who actually knows what they're doing. This is the only one of the three that can do a good job interviewing candidates. You can usually tell if you've got someone like this because you can ask questions during the interview and get intelligent responses in addition to further questions based on your answers. Sometimes it can be difficult to determine if you have someone who knows what they're talking about because often times the clueless and middle managers simply have a list of standard questions they run down, but a good indication is if they deviate from the list when you ask them questions about it, or if some of the questions don't necessarily make sense in the context they're being used.
The best system of course is one in which management sits in on the interview and observes, but the technical people conduct the interview. After the interview management can receive a review of the candidates technical merits from the interviewer(s), and base their decision on that as well as any non-technical observations they made during the interview. If the potential hire is also being interviewed by potential co-workers this can also offer some insight into how well they'll interact in the future.
Curiosity was framed, Ignorance killed the cat.
I think you are confusing "glorified network analyst who know how to setup a firewall" with "information security professional". The former is outsourced because it is tighly coupled with the whole IT outsourcing business. The latter is much more difficult to outsource, because you want your infosec peoples to intimately know your business processes, your assets, and the nature of your risks. And most company won't trust people they barely know in making important decisions on these matters.
I couldn't bring myself to respond to each inane attempt at a bulletpoint :)
While there are some security professionals who think "deny, deny, deny" is a sound policy, the better one's understand that the "IT" in "IT Security Professional" means that ultimately, technology is used to enable the business process (and if you're able to enable it better than your competitor's, you gain a strategic advantage on them). Thus, "deny, deny" doesn't rationally fit that approach, which just means we get to have fun engineering solutions that enable the business, yet are secure.