  • Phil Venables

Job Interviews: Part 1 Acing the Security Interview - 10 Top Tips

This is the first of two posts about interviews. In this one I’ll focus on interviewing for a role. In the next one we’ll look at how to conduct better interviews. I’m going to make both of these posts more about general tips rather than specific points about particular skills or roles for which there are plenty of great resources already.


I suspect many of you reading this might be well practiced but many more of you might be starting out in your career and hopefully will pick up some useful insights here. But having said that, I’ve interviewed a lot of experienced people for senior roles over the years who actually could have done with a refresher on these very topics so this subject is always worth approaching with a bit of humility no matter how much experience and self-regard you have. 


1. Research, Research, Research

Research the organization you are applying for. This might be obvious but it is astounding how often people don’t do this. Your, hopefully, intelligent and curious questions will be informed most by such research. The organization’s web site is an obvious good place to start, but so are the blogs and other publications of the key people in leadership or other levels of the particular team you are seeking to join. 


When doing this, think of how you might fit in, what you could bring to that team and how you can connect your skills and experience to their challenges and objectives. I’ve never found jobs boards and other forums that useful, but they can give you a color of how a particular organization is perceived by its employees. However, I’m often wary about how much of the negative commentary is disproportionately represented on those forums. It’s also worth looking at public incident reports or other disclosures. 


Similarly, research the industry the organization is in. There are likely industry associations, analyst reports and other publications that help with this. A big, underutilized, source is financial industry research reports (like Wall Street research analyst reports). Whether or not you agree with their Buy / Sell recommendations they often come with a deep review of a sector, its commercial dynamics and challenges, and the comparative strengths and weaknesses of the organizations in that sector. If you have a brokerage account your financial services provider may well provide access to their own research, but if not a lot is available in summary form in open access anyway.


If you’re going into an entirely new field, for example you’ve been in financial services for a long time and are looking to move into a security role in, say, a pharmaceutical company, then it’s worth researching some broader challenges in that field. In this example, what are the research challenges, the manufacturing, people, structural and other dynamics? Again, this might come from industry reports and other sources but there’s also a surprising amount on Government and academic websites. A particularly good source on a myriad of topics is the National Academy of Sciences whose downloadable reports are free.


When reviewing all of these sources, form a view as to not just what questions you might want to ask that are prompted by your research but also think about how to frame your possible answers, goals and expertise in the context of the organization's mission, values and current strategy. 


It can be especially useful to cast your experience into those challenges. For example, if the organization you are applying for is migrating to the cloud then highlight your experience on that, if they’re expanding into new geographic markets then talk that up, and if they’re moving into regulated sectors then highlight your experience in managing the efficiencies of assuring compliance. This is all pretty obvious once you’ve done the research but, again, it’s shocking how many people don’t do this - and as a result those who do even a modicum of this can actually stand out. Turns out common sense ain’t always that common.


2. Research the Interviewer(s)

Having researched the organization, the next natural step is to research your interviewers. Thinking about their experience, their background and what you might have in common is a good launching point for questions and discussion. Although, if you go too far with this it can be a bit creepy or come across as too ingratiating (e.g. “I like to think of myself as a younger version of you when you did X, Y and Z”).


The main goal of this type of research is to be prepared for their questions. Often knowing who the people are and what their role is can help predict this. Similarly, for organizations that assign particular objectives to interviewers - one interviewer assesses technical skills, another managerial skills etc. - try and find out what formal objective your interviewer has for that particular session. In many cases you don’t need to intuit this; often the recruiting team contact will know that and will tell you if you ask.


3. Be Yourself 

This might be super obvious, but a lot of people start by putting their best self forward in an interview then slip into putting on an act to be the best candidate they think the organization wants. This can be counterproductive in the interview. Signals of inauthenticity are kicked off pretty quickly. Besides, skilled interviewers can ask questions that quickly determine when this is happening. 


You don’t want to get a role by acting a part you can never hope to sustain when you’ve actually landed the role. But, there is an important caveat here that it is important not to be too humble. Many people are conditioned by personality, culture (prior organization or inherent culture) or otherwise to overly share credit. This is admirable when you’re actually in a role but in an interview it can sow doubt as to whether you were the person who was instrumental in something vs. being a part of a wider group. So, if you were the catalyst for something, the leader of a project, or otherwise key to some major change then say so - clearly. I spent most of my career in an organization ruthlessly conditioned to remove ego and encourage the use of the word “we” vs. “I” even when it was “I” that did the stuff. In talking about things I’ve done I still feel very uncomfortable saying “I” rather than “we”.


Another useful technique is to behave as you would in a work setting. You’ve had some success in your career thus far and this is likely built on asking good questions, asking clarification when facing questions, and rephrasing points to ensure you and the interviewer are on the same page. Building on this, if you don’t know the answer to something no matter whether it’s part of a technical question or a broader managerial / strategy question, then you can - as you likely would in a work setting - state some assumptions, and hypothesize how you might approach the problem. Most of the time the interview question wasn’t actually testing whether you knew something, it was testing your critical thinking and ability to deal with ambiguity. This is an opportunity to shine - even if you don’t know the precise answer. 


4. Prepare for the Specific Interview

As touched on earlier, many organizations have different types of interviews in a multi-interview process to assess different qualities (management, technical, strategic, etc.)  Spend time preparing differently for each type. 


When preparing for any of the interviews, re-read your resume and make sure that it is true and, importantly, that you can actually talk reasonably about what you claim to have done. It’s not vital to remember the precise details about something you did 20 years ago, but it’s reasonable to expect you could articulate it in broad terms. For example, I can’t reasonably remember the details of work I did early in my career e.g. I’d struggle to write a good C++ program now, but I can articulate the architectural design choices of the systems I built in C++. 


Resumes often have a degree of polish or slight embellishment, showing the best version of yourself, but be careful about simply listing expertise you don’t have versus things you might be conceptually familiar with. For example, if you’re saying you’re an “AI expert” on your resume and you can’t, even at a basic level, describe training, tuning and other key steps then it’s going to cast doubts on the rest of your resume.


It’s also worth reviewing the job description. Many are pro-forma, but a reasonable number are actually precise descriptions of the role attributes. In other words, they’re telling you what they want to hear. This doesn’t mean you should make up a narrative to satisfy this, but it does give you a framework to pin your actual experience and skills to, to make sure the boxes you need to check are well and truly checked. 


Also, for many companies (especially technology companies) the role and level rubrics are out there on the web and can be used to cross-reference with how you plan to show the best of your experience for a specific interview. For this, be prepared to quantify your achievements e.g. delivered vs. budget, delivered to schedule, performance improved, security risks burned down etc.


Also, be prepared and ready, if you don’t naturally think about this, to discuss trends. For example: What’s the world going to be like in 3 years? Where will security have improved or not improved? What new risks might we be facing? What technology developments will most help or hinder security risk reduction? You will be wrong, because there’s no right answer to these types of questions, but the interviewer wants to know if you’ve even prepared or can exhibit any thoughtfulness.


5. Practice Good Answers to Obvious Questions

The interviewer might not ask the obvious questions, but they invariably do. Therefore it’s inexcusable not to have some great answers to these in your back pocket. These questions include:


  • Why do you want this role?

  • Why do you want to work here? Or the common variant: What excites you about our mission?

  • What’s wrong with your current role that’s causing you to look for a new role? (Assuming you’ve not been headhunted, in which case it might be: Why did you respond to our reach out?)

  • What do you think our biggest challenges are?

  • How have you built good teams?

  • What will you bring to this role and our wider team?

  • What do you envisage your first 90 days looking like?

  • What are your strengths and weaknesses? 

  • How would others describe your management style?

  • What do you think people on your team think of you? Does that match how you are assessed?

  • How do you motivate and lead teams?

  • How do you manage stakeholders?

  • What are you passionate about?

  • What’s been your interaction (positive and negative) with your Board? What lessons did you learn?

  • Describe a failure you’ve had and what you learnt from it?


Oh, and on the classic "what are your weaknesses" question, everyone should stop it with the humble bragging like: “My biggest fault is I’m too focused on details and I’m too professional”. Everyone has weaknesses, talk about them and how you compensate for them with your team, colleagues or peers. 


Come up with some responses that might be different from everyone’s standard answers, to make you stand out. The more authentic, of course, the better. For example, if you think you build good teams then talk about how many people join your teams having worked for you before, or whether people who used to work for you have recommended you into the organization they are now in.


6. Never Complain

Like many things on this list, most of you might be thinking who on earth would do this? But you’d be surprised. It might actually be true that you are wanting to leave your current role because you simply hate it for many reasons - but don’t talk about it. You should always be seen to be running toward something rather than running away - even if the motivation to find the thing you are running toward stemmed from a desire to run away from the current thing. 


You don’t have to make your current thing sound perfect, you can matter-of-factly reveal the challenges and what you have done. This may even be a positive quality to the interviewers as they will likely have exactly the same issues. The grass is rarely greener and you’re always running toward something that is or can be portrayed as an opportunity for growth.


7. Have Good Questions

There’s usually a point in the interview where you have an opportunity to ask questions. You should have prepared these. Some great questions might be spontaneous and triggered by the discussion, in fact it’s even better if the interview felt more like a conversation than a question and answer session. But no matter what, you want to close out by having some great questions that further illustrate why you are right for the role. Actually, the questions don’t even have to be that great, they just need to show you have put some thought into the process, are serious about the opportunity and you are curious about the role and context. These might include:


  • Questions that show a connection between the various interviews you’ve had e.g. “When I spoke with [X] last week they said their challenge was [Y], I’ve thought about that and was curious if you see that impacting your function, perhaps like [Z]”.

  • How does the security team interact with other businesses and functions?

  • What would other parts of the business want more or less of from the security teams?

  • What do the Board / Exec leadership prioritize in relation to overall risk reduction (not necessarily security)?

  • What are the must not fail business initiatives?

  • What do you think success looks like for this role in the short term and long term?


And, after each interview, follow up with a thank you email. But this often vanilla part of the process is yet another opportunity to distinguish yourself, especially if there was some spark in the interview e.g. “Great to meet you, I enjoyed our conversation especially the point about [X], I wrote about that here [add link] that you might find useful to share with your team(s)”.


8. In Person Interviews

There are many tips for in person interviews, some of which are very dated but nevertheless there are some rules to stick by for most professional environments:


  • Dress somewhat smartly. Gone are the days of suits and ties (for most roles) but even if the environment is very casual and you can wear whatever the hell you want when you actually land a role you will be unlikely to be taken seriously if you turn up looking like a hobo or like you’ve just rolled out of an all night drinking club.  

  • Be on time, and by on time that means early because (a) sh*t happens unless you really know where you’re going and you live close by and (b) in any large company logistically getting through security and navigating to the actual place of interview can take a lot of time. 

  • If you happen to be having a bad day on the day of the interview then do something, anything, that will get you in the right frame of mind. It’s often helpful not to do things like checking your work email right before going in for an interview. Murphy’s law dictates the minute before you meet the interviewer you’ll have got one of those emails about something going wrong that will wreck your frame of mind. 

  • Finally, to the point before, about developing good questions. Often you’ll be sitting around in an area with a bunch of corporate stuff like annual reports, prizes, house magazines, interactive displays and so on. These are good places, if you pay attention, to get some final inspiration. 


9. Remote Interviews

Likewise, I nearly didn’t include this section because there are a lot of hints and tips about remote interviews now that this is the default way for most situations. But here are some perhaps obvious, but quite often violated, rules:


  • Look at the camera. 

  • Make sure you have a good sound and video set up. 

  • If you don’t have a good background then put on a virtual background. 

  • If you are not fortunate enough to have a solid enough home / remote working environment (including reliable connectivity) then consider whether it’s worth renting a shared office for a day, some last minute rates in all the usual places are pretty reasonable. 


10. Prepare Referees

Finally, you may have been asked to provide a number of referees/references such that your prospective employer can seek some feedback on you. Make sure you have sought the approval of people you list. Of course, this is a common courtesy but also in doing so you have the opportunity to educate them about the role you are seeking. This will help them recall what to say about you and in all likelihood will also make their points about you land more positively with more context. There’s nothing worse than a surprised referee. I occasionally get calls to provide a reference where people haven’t asked my permission and so there’s no way I can be helpful even if I otherwise would have been very supportive. 


Bottom line: doing interviews well might be obvious and common sense, but often the common sense ain’t that common. This might be especially true for people who’ve worked in a role for a long time and are out there for the first time in years and need to get back up to speed. 


© 2020 Philip Venables. 
