I’ve been having some interesting discussions with some management peers of mine, and from job seekers.

THE PROBLEM

Those of us who have had our stay in the information security management chair realize that we have to periodically interview and hire new staff as positions get budgeted or staff members retire or leave.

Very few of us enjoy this process, and for a reason that seems completely obvious to me but is apparently lost on the industry as a whole: we have no idea what we’re doing.

CASE STUDY

Let’s walk through a sample hiring scenario and examine the “fail”.

ABC Security is expanding its information security staff dramatically in 2011. The director of information security determines that she has to split her team into two sub-teams, each led by a manager. Her single existing manager will manage team alpha, which primarily deals with governance and compliance. She will need to hire another manager to lead team bravo, which is responsible for risk, assessments, response, and mitigation.

The director works with HR to create a job description and a job order. HR gets to work soliciting resumes from their professional contacts, job sites, and referrals. They sift through the submissions and decide on 5 candidates. The interviewing process consists of:

1) Telephone pre-screen by HR
2) Telephone pre-screen by the hiring manager (the director), reducing the candidates from 5 to 3
3) In-person interview with the director and various other staff members
4) In-person interview with HR to answer questions about the company

HR has already pre-screened the 5 candidates, and sets up phone interviews with the director. Nobody has ever trained the director on how to conduct an interview, or educated her on Federal and local laws pertaining to the hiring process. She is on her own! She quickly writes a script to follow with all 5 candidates, with a list of questions that she thinks will give her a good idea of who she should bring in for in-person interviews. Her list of questions contains gems like:

What are your strengths?
What are your weaknesses?
Why did you leave your former employer?
What did you do at your former employer?
Are you familiar with (acronym that is never defined)?
Have you managed people?
Can you be responsible for a budget?

After asking all 5 candidates these questions, she selects 3, and then asks the same questions to those 3 in person. She is confused that she really doesn’t have a better feel for any of the candidates after the process is completed. What did she do wrong? Who does she hire? She has no idea.
The real “problem” here is one that not only plagues information security managers, but information technology managers in general. They haven’t properly engaged the candidates.

Let’s look at the questions on the director’s list – every single one of those questions can be answered by reading the candidates’ resumes. Why waste their time rehashing the same information?

A BETTER WAY

Information technology (and especially information security) is a discipline that requires an interviewer to get inside a candidate’s head. But how does one do that?

Figure out how they think.

The absolute best way to properly evaluate a candidate is to present them with a real-world (or largely hypothetical) situation or problem, and ask them to walk through the process of solving it. This can be done through conversation, or by bringing out the trusty whiteboard and markers. Most folks in IT are thought mappers – they need to properly diagram and pseudocode their processes and problem-solving procedures.

A BETTER EXAMPLE

Let’s look at the scenario above again, but educate the director on how to properly siphon relevant and useful information out of her candidates’ heads.

Director: This position will be managing a team of 5 information security analysts, engineers and testers. Assume the role of the manager. You receive a call from the network operations team that all three of the company’s web servers are under a denial of service attack. Describe for me what your next steps are.

or

Director: This position will be managing a team of 5 information security analysts, engineers and testers. Assume the role of the manager. You receive a call from the network operations team that all three of the company’s web servers are under a denial of service attack. Use the whiteboard next to you to diagram what your next steps might be in a situation like that.

Assuming that a typical interview is one to two hours, the director can present a number of these scenarios and get an excellent understanding of the candidates’ thought processes.

WORKS FOR SOFT SKILLS TOO

This same process can be used for non-technical situations.

How does the candidate deal with management that doesn’t understand the value of security in an organization? Conflict between team members? An unhappy client?

WHAT REALLY DOESN’T WORK

Here is my personal top 10 list of huge NO-NOs when interviewing candidates:

1) Myers-Briggs and intelligence tests. Seriously, these are worthless. They are so well known that with a few quick searches on the Internet, candidates can gauge what their responses should be to appear likable to the hiring manager. If you’re hiring a penetration tester, do they really need to understand advanced geometric problem-solving techniques?

2) Don’t draw the process out. If your interview process from beginning to end exceeds 10 hours, you are doing something terribly wrong, and putting an undue burden on the candidate – especially if they are unemployed and tight on cash.

3) Don’t beat them repeatedly with the same hose. If you have 10 people interview a candidate, at least give them different questions to ask. If the candidate has to answer the same questions over and over, it becomes a robotic process and you’re not getting anything useful out of the candidate past the first round of questioning.

4) Don’t require the candidate to know all the names of your management team and board of directors, unless they are going to meet every one. Expecting a fair amount of research about your company is fine – expecting them to memorize your company charter is not.

5) Avoid asking all negative questions. “What didn’t you like about your last boss? The company? Your staff?” Encourage them to talk about their successes, and how they can leverage those to make you a success.

6) Don’t appear as filler to the candidate. If you’re a VP and interviewing a potential new staff member, don’t start the interview by saying “I have no idea what this position is, or what you’d be doing.” Brief your interviewers!

7) Don’t create an interview process that is so long and drawn out that you spend most of the time picking apart a candidate instead of realizing their potential. This is especially true for candidates at the manager level and above.

8) Don’t spend half of your interview hour talking about yourself and your accomplishments. You’re burning their time, and boring them to tears.

9) Don’t starve them. If your interview times fall on breakfast, lunch, or dinner times – feed them. Be courteous, and treat them like guests.

10) If you don’t speak the candidate’s native language, put someone on the phone who does. Nothing is more frustrating than having to ask an interviewer to repeat questions 3 or 4 times.

(Bonus) If you are going to use a generic term in a question like “whitelisting” or “storage”, make sure the question is framed properly – otherwise, you don’t get the answer you want and the candidate wastes valuable interview time.

I’d love everyone’s feedback on how this method can be expanded and improved upon. Share some situations that went well, and those that didn’t.

Chief