When it comes to hiring a network security manager, organizations want to find not only someone well-versed in IT security and business practices, but someone who stays abreast of new threats and ways to counteract them. Also high on the list: a personal passion for security.
Here are nine questions you could face in an interview:
How do you stay current with IT security best practices?
Variations: Where do you get your IT security news from? What do you see as the future of IT security and how do you plan to be prepared?
Network security managers can't be complacent with their skills. They need to stay on top of new security threats, trends and preventative measures. "What I'm looking for is somebody who's able to respond with multiple IT security sources, such as user groups online, conferences and IT security groups," says Kelly O'Connell, branch manager for Robert Half International. "I'm not looking for one in particular, but I want to know the candidate has multiple ways to stay on top of industry best practices for IT security."
What kind of network do you have at home?
This is intended to weed out the true enthusiast from someone who leaves their work at the office. Interviewers want to know you're passionate enough about IT security to play with it at home. "What I'm looking for is essentially somebody to say, 'I have a practice environment at home,' where they can play and try things out."
How would you conduct a penetration test with these IT addresses?
A problem-solving question is often used for network security managers. It's intended to test your knowledge and problem solving abilities. Mike Davis, principle scientist for IOActive, a computer security firm, asks this and similar questions including: If a customer gives you these 20 addresses, where would you start your security assessment and how? If a company uses clear text protocol to check e-mail over HTTP, what are your concerns?
Give an example, outside of technology solutions, of business solutions you implemented as a security manager.
A similar question: Explain how security and risk technologies are integrated into a business?
Network security managers need to know how to implement successful security approaches in all business processes. "The candidate should explain their knowledge of security technology and what its effect is with a business," says Wils Bell, president of Security Headhunter.com, a national IT security search firm. "I'm seeing a trend of people with IT security background and degrees, now getting a master's in business."
Explain the difference between a threat, risk and vulnerability.
There's no right answer to this question, according to Robert Half, since there are various schools of thought. Yet how you answer will reveal your management perspective, ability to assess, and knowledge of best practices. A similar question that may be asked is: When planning a network security environment, what's more important, a threat or a vulnerability?
What do you feel your biggest accomplishment has been in network security?
Similar questions: What has been your biggest failure in a network security environment? What did you learn from that mistake? What has been your biggest challenge in network security?
Explain the security environment and the level of complexity you previously managed.
For this one give an overview of previous networks, including the number of servers and users, network security protocols implemented, and business process management.
How do you respond to a situation where your boss indicates a direction should be taken that you disagree with from a security perspective?
"If someone gives you a directive and you disagree and think it will put the company at risk, you need to make management aware and go in there and explain why and what solutions you have," says Bell.
Describe the last program or script you wrote and what problems you encountered.
"I want to make sure they have hands-on network security experience and can write script rather than only have planning or strategic experience," O'Connell explains.
Some other questions you may be asked:
How do you present needs to upper management for new resources, staff or equipment?
If you need to encrypt and compress data for transmission, which would you do first and why?
Explain a time when you didn't see a vulnerability or virus and what did you do to make sure it didn't happen again?
What steps did you take and what drove you to network security over other careers?
Tell me how you mentor/motivate your staff.
-- Chandler Harris