ISSO interview?

forestgiant Member Posts: 153
Has anyone interviewed for an ISSO position? What's your experience like?

Comments

  • paul78 Member Posts: 3,016
    It depends on the job description and seniority. Also - what is an ISSO? Do you mean ISO or CISO?
  • tpatt100 Member Posts: 2,991
    Information Systems Security Officer. I had that title at one of my old jobs for a defense contractor. It was basically the overall security person that oversaw making sure things that should be done are being done and/or systems are still in compliance.

    What I was in charge of was:

    1. Making sure all physical security controls are still in place and operating properly (doors, safes, locks, lights, cameras, etc.)

    2. Making sure all employee security controls are working and still in place (verify system monitoring is working, people sign in/out log books for the different safes, system logging for anything like cameras, badging systems working)

    3. Making sure all systems security controls are in place and working properly (weekly, daily checking of logs, antivirus servers, Windows/Linux syslog, etc.). Be able to find, examine and identify possible threats.

    4. Making sure employees comply with workplace security controls, such as monitoring employees to make sure they leave their mobile devices outside of classified areas, no personal laptops inside secure labs, etc.

    5. Attending a lot of meetings; I spent probably 5 hours a week in meetings. When something was being introduced to the company I would evaluate it, try to find possible issues, and be able to explain them to management of the department that was requesting it. I wasn't to be a hard a$$ but rationally explain, and be ready to assume it is already approved and recommend security controls.

    It was a really general jack-of-all-trades position, so I was asked about different standards, how well I interact with different departments, etc.

    My experience is probably similar or different from others who have had the title. I guess just be prepared to be a generalist with decent communication skills.
  • forestgiant Member Posts: 153
    ^ Thanks, tpatt. This is very helpful as the job description said exactly the same thing but in a much more convoluted manner.

    I have an interview next week with a defense contractor (wondering if I'm taking that job you described), but coming from private industry I wonder just how I'm going to "make sure" people are doing what's asked of them?! Is there a disciplinary process? E.g. verbal or written warnings? Pay withholding?

    Is there a career path beyond the roles and duties of an ISSO? It seems like a dead end of sorts because you're not specializing in anything, and don't have a lot of enforcement authority.

    Finally, what sort of questions should I expect in the interview?
  • tpatt100 Member Posts: 2,991
    If you check the security sections of this forum you will see that IT security specializations can be anything, really.

    The job I had was to make sure stuff was followed by maintaining compliance, and while maintaining compliance of the systems and workplace you identify gaps that result from people not complying or systems/software failing.

    I think it helped me career-wise, because you have to understand why you are doing the things you are tasked with and be able to document what you do. The person I replaced was sloppy and was terrible at making sure the systems were secure, like pencil-whipping that the Symantec clients were up to date when some were not, or not noticing that some systems stopped showing up in syslog reports.

    I think whether it can help you advance or not depends entirely on where you are working. I was working at the main corporate office, so I ended up with more responsibilities over time.
  • paul78 Member Posts: 3,016
    > It seems like a dead end of sorts because you're not specializing in anything, and don't have a lot of enforcement authority.
    >
    > Finally, what sort of questions should I expect in the interview?

    I am unfamiliar with public sector roles, but the description sounds like a good career step if you do not have infosec management or governance experience. In the private sector, authority comes only with proven ability to temper judgement with risk.

    The type of questions you would encounter, at least in the private sector, are more around scenarios related to governance and organizational abilities. ISO roles in the private sector tend to favour an individual's ability to understand the broad risk environment versus narrow technical knowledge.

    Good luck on the interview.