good questions to know for security interviews?

jkstech

what do you all think are some pretty good things you should or must know when interviewing for a security position?

I know you can really guess all things they may ask, but what are some things that you just "shouldn't go in without knowing" ?

thanks

Smallguy

most of the time your interview atleast initally will not be very technical


your best bet is to call the company and ask if it wil be a technical interview so yo can properly prepare

but in my experience it is usually just question liek what is your greatest flaw what is your greatest strength... etc all behavorial questions

if you have a 2nd interview thne you will probalby be asked technical questions.

keatron

Your best move here is to make sure you don't over state your experience. If you have no security experience, make sure you say that. In most cases your interviewer won't try to ask you stuff that would be clearly outside the scope of your stated experience. However, if you state you have 3 years of security experience and have none, get ready for a painful interview.

I've had way to many interviews where the potential candidate sends us a resume that reads like he's a security god, then get to interview and realize he's being interviewed by myself and a couple other people. They usually end up back pedaling and saying stuff like "I really don't have any real security experience..." I only make this point to make sure you understand that you yourself have a lot of power in dictating how the interview goes. Your resume, your statement, etc. For example, when I sit down to interview you and I look at your resume and I see no mention of any Pix experience, then I probably wont start hitting you with a bunch of Pix questions. I might ask if you've ever configured a Pix, or if you're familiar with it. Some candidates put Cisco 8550, Pix Appliances, etc etc on their resume, when in reality all they've ever done is watched someone configure one. So if you're clear in communicating your experiences on your resume, then the interview shouldn't be a problem (from a technical standpoint). If the experiences on your resume are not what the employer wants to talk about, chances are you wouldn't be in the interview to begin with. Just always be ready to explain in detail your resume and to explain how your experiences (as stated on your resume) will map to what's needed in the organization you're interviewing for. And make sure you ask as many questions as you can as well. This is another way for you to dictate the flow of some of the interview process.

Keatron.

jkstech

thanks alot fellas

yeah, it's a job that I want to apply for, I do not have extensive security experience outside of school (MCSE:SECURITY) and normal daily security stuff, but it is where I am trying to go, the reason I want to apply for the job is because they had so many and/or statements

like, degree or 3 yrs experience or certification or get certified within 3 yrs

so, I figured the "get certified within 3 yrs" shows the willingness to train, what do you think?

keatron

I would say go ahead a take a shot at the interview. Even if you find out you're not qaulified, the experience will be worth while, especially if this is your first security specific interview.

Keatron.

jkstech

yes, that is my reasoning, it would be nice to get it thoughv

DW [banned]

Great.

Claud Murdock

Woa keatron, that was some AWSOME info! that will sure help me out for future reference.

btw: I had an interview for DISA last month, and they said within 3 months of starting I had to have those two DoD certs (IAM, and something else). Is this standard for InfoSec branched givernment ageny's??? I know you have to know the ISO standards like the back of your hand...

JDMurray

Here's the SANS page defining the IAM and IAT levels: http://www.sans.org/training/dod8570.php

keatron

Claud Murdock wrote:

Woa keatron, that was some AWSOME info! that will sure help me out for future reference.

btw: I had an interview for DISA last month, and they said within 3 months of starting I had to have those two DoD certs (IAM, and something else). Is this standard for InfoSec branched givernment ageny's??? I know you have to know the ISO standards like the back of your hand...

Yes, this is very standard. An often times sub-contractors have to have the same.

jkstech

well turns out it was pretty harmless, they asked questions that would definately weed out the general IT applicant, but anyone with some networking knowledge and some study in info sec would have done well, I answered pretty much every question they asked, it was a good interview and they called me the same day for a follow-up....i'd really like to get this position as it is a great opportunity and the company seems to understand and value continuing education and certification