Interviewing for the ISSO Position


Congratulations! Your resume has finally made it through the filtering process and you are being asked to appear for an interview. You will probably find that ISSO positions are very competitive, with talented ISSO professionals competing against you for each of those positions. So, you must be prepared. As with most job interviews these days, you will probably be subjected to a series of interviews with members of the human resources department, information systems organization, auditors, and security personnel.

Don't be nervous, but this interview is what will put you back on the road to ISSO job hunting or offer you the challenges of the new ISSO position. So, you must be prepared!

There are many books on the market telling you how to interview for a position. They offer advice on everything from how to dress to how to answer the "mother of all interview questions"—What are your salary expectations?

It is not the purpose of this book to help you answer those common interview questions. It is assumed that you will have read those books, and that you have prepared and practiced for the upcoming interview. The purpose of this chapter is to show you how you can separate yourself from your ISSO competition.

You have probably already interviewed more times than you care to admit. In all those interviews, you probably, like your peers, walked in wearing dark, conservative business attire, neatly groomed, and prepared to answer any question thrown at you. The question is, What separated you from your competitors? What was it that would make the interviewers remember you and choose you above the rest?

You probably answered most questions in the most politically correct way, e.g., What is your major weakness? Answer: My major weakness is that I have very little patience for those who don't live up to their commitments. When someone agrees to complete a project by a specific date, I expect that date to be met unless the project leader comes to me in advance of the deadline and explains the reason why that date can't be met. I believe in a team effort and each of us as vital members of that team must work together to provide the service and support needed to assist the company in meeting its goals.

Will that answer to that question be considered a weakness or strength by the interviewers? Probably a strength, but that is how the game is played.

Many interviewees have "been there and done that" but still didn't get the position. Why? Maybe because our answers "float" in the interview room air. They hang there mingling with those of the other candidates before us and will be mingling again with the candidates that come after us.

The only real, lasting evidence of the interview is what was written down by the interviewers and what impressions you, the prospective ISSO, left in their minds! Many of the interviewers are "screeners," human resource people who have no clue as to what InfoSec is all about. They are there because we do teaming today. We operate by consensus. So, getting selected may be much more difficult.

So, you need one thing—one thing that will leave a lasting impression on the interviewers. One thing that will show them you have the talents, the applied education (that's education that you gained in college and other places, and something that you can actually use in the business world!), the experience, and the game plan. You've done it! You've been successful in building an InfoSec program before, and you will be successful again. You can prove that you can do it because you have your ISSO portfolio!

The next question that the reader may ask is, "What the heck is my ISSO portfolio?" You probably have seen movies where the models show up at the model studio or movie studio and present a folder containing photographs of themselves in various poses. No, sorry—your photo will probably not help you get the ISSO position—but think about it. They took with them to their interview physical evidence in the form of photographs, meant to prove that they were the best person for the position.

What you must do is develop your own portfolio to take with you, and leave with the interviewers—proof that you've been there, done that. You are the best person for the position. It's all there in the portfolio.

Your ISSO portfolio is something you should begin building as soon as you begin your first ISSO job or before. It should contain an index and identified sections that include letters of reference, letters of appreciation, copies of award certificates, project plans, metric charts you use for measuring the success of your InfoSec programs, and, probably most important, your InfoSec philosophy and InfoSec plan outline that you will implement as soon as you are hired.

The InfoSec plan is probably the most important document in your portfolio and should be the first page after your index. All the other documents are just proof that what you plan to do, you've done before.

In the case of someone who has never been an ISSO, the prospective ISSO can build his or her InfoSec plan and InfoSec portfolio from the information provided in this book. Build it for IWC.

The next question that may arise is, "If I never worked there, how do I know what I should do if I get hired?" Again, go back to doing some research. Remember that if you really want this job, you have to work at least as hard to get it as you will once you do get it.

Your first stop should be the Internet. Find out about the company. Some information that you should know is:

  • When was it started?

  • What are its products?

  • How is the company stock doing?

  • Where are their offices located, etc.?

You should also stop by the company and pick up an application, any company brochures available, their benefits pamphlets, etc.

You should study the information, complete the application, and place it in your portfolio. After all, if they decided to hire you, you'd have to fill one out anyway. You should go into the interview knowing as much if not more about the company as the people interviewing you. This is invaluable, especially if you are interviewing for a senior-level position. These interviews will undoubtedly include the members of executive management. Your ability to talk about their company in business terms with an understanding of the company will undoubtedly impress them and indicate that you are business-oriented.

All your answers to the interviewers' questions should be directed to something in your portfolio. For example, if they ask you how you would deal with downsizing in your department and what impact that would have on your ability to adequately protect the company's information and its related systems, how would you answer? You should be able to direct them to a process chart, a metric, something that indicates that you have done it before, or that you have a business-oriented approach to dealing with the issue.

If you have not done it before, write down how you could, and would, perform these functions, assess the InfoSec program, etc.

The portfolio can work for any new ISSO in any company. The following is a sample portfolio outline, which can be used as a guide by a new or experienced ISSO. In this case, it is the ISSO applying for the IWC ISSO position. It's up to you to fill in the details. Many of the ideas of what to put in your InfoSec portfolio will be found in this book.

You will note that the prospective ISSO applying for the IWC position has done the research necessary to tailor an InfoSec program for IWC. The beauty of building this type of portfolio is that it seems specific, and yet it's generic.

The ISSO also practiced interviewing skills. The ISSO knew that the resume or personal contacts got one the interview, but the interview got one the job. Before any interviews and during the IWC interview, the ISSO knew that one must do the following:

  • Learn all one can about the potential employer.

  • Read and learn from books, magazines, and the like about interviews and proper clothing to wear.

  • Prepare answers to typical questions that will be asked, and practice answering them without seeming as though the answers were rehearsed.

  • Develop and maintain an updated work portfolio.

  • During the interview always refer to "we" or "us" instead of "I" and "you" as much as possible, so it seems as if you already have the job and are just briefing fellow employees.

  • Refer interviewers to your portfolio in answering their questions.

The IWC ISSO established the career development plan as a formal project plan with an objective, goals, milestones, and tasks. The project plan helped the ISSO focus on career progression, and that focus made it easier not to get sidetracked and waste time on matters that did not lend themselves to meeting the project plan milestones. The ISSO continually updated the plan. At the end of each calendar year, the ISSO would analyze the progress in meeting the plan goals and objective. Regardless of whether the plan progressed ahead of schedule or behind schedule, the reasons for the change were noted and lessons were learned. Then the updated plan would be used for the next year.

Over the years, the ISSO developed a portfolio. In the portfolio, the ISSO maintained a plan that would be continually updated and used during all interviews with extra copies available for the interviewers, and the ISSO successfully used it for IWC.

When others went through the interview process answering the interviewers' questions, their responses were lost in the air like smoke; however, the ISSO's thoughts, experience, education, plan for a CIAPP, and other information relevant to meeting IWC's needs were down on paper and could be referred to by the interviewers. This portfolio also indicated a person who was organized and came in with an action plan. Furthermore, since the ISSO researched IWC prior to being interviewed, the ISSO was intimately familiar with the corporation and even offered some information about IWC that was new to some of the interviewers.




The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
EAN: 2147483647
Year: 2002
Pages: 204
