One of my frustrations over the years has been around interviewing candidates for security jobs. I recently had a doozy when a candidate asked “what do you guys do?” Staring blankly at the phone, I had to fight to maintain my composure. I then started mentally thumbing through years of absurd responses from candidates.
I decided to ask the community to share their favourite security job interview question answers and wow…did that ever garner a response.
Opening statement on Twitter “I’m compiling a list of things NOT to say in an interview for a security job. Got any good ones?”
Here are 50(ish) responses in no particular order.
Enjoy!
- I’m a thought leader
- “What was this position again?”
- “Does the workplace anti-drug policy apply to drugs I make myself?”
- asking someone on the interview panel “hey so why did you leave your last gig???”
- “Who is that bitch in the picture behind your desk, the one next to the picture of those three ugly kids.”
- Sharepoint
- I use [OSX/Linux] so I’m secure.
- “How can it be secure if anyone can see the source?”
- “Why wouldn’t you just use Telnet for that?”
- “IT guys are dumb”; “Developers are dumb”; “they expected me to work at 9pm…”
- “when nobody is looking I change the homepage to meatspin”
- “This one time when I hacked _ …”
- Q: Describe a TCP handshake. A: I can’t. NB: self-declared network expert
- Yeah, I’ve already been in your systems and, whew, I gotta say, you really need help.
- “I don’t do documentation”
- I only use Cisco security devices, because security begins with trusting yr vendor, and everyone trusts CSCO (Look at their stock!)
- If an app has Common Criteria certification, you know it’s secure
- “I broke into x, y and z sites”
- You know, I hacked your company’s network once. Made a fortune off of the credit card data.
- I had someone interview for a management position with a book full of documents created for a previous employer
- This job can be done by monkeys. Yes, I actually heard that one from a candidate.
- “There’s this thing called APT.”
- Do you want my Facebook username and password now?
- “I know this guy Greg Evans who can be contacted for referral if needed”
- I use the same password everywhere
- “Admin for everybody works best.”
- “I think Facebook’s handling for privacy matters is the bomb.”
- mentioning a CISSP at all or citing military experience and having zero actual security experience
- …and that guy with my name, yeah, that wasn’t me selling those secrets to China.
- don’t speak of known security issues or problems in your existing org, if you’ll cheat on them, you’ll cheat on them
- “Auditing? Naw, I’m not into the whole ‘logging’ thing.”
- What do you mean compliance != security?
- Gave a guy a scenario to work through once, dude got mad, lost his temper, described people in the situation as idiots, etc.
- “Will this position look good as I’m interviewing for my next gig?”
- I make sure to use a complex alphanumeric+special 8+ characters password for all critical systems: passw0rd!
- Turn to the CTO (Jeremiah Grossman) and ask, “What do you do here?”
- “I don’t think you’ve got anything a criminal would want”
- “Why infosec? One word: misanthropy. BTW, can I telecommute?”
- “everything I learned about security I learned from the compliance manager at my previous Job”
- “In my last job I used Nexxus a lot”
- do you have flexible office hours? I usually work from my home office lab, can you pay for my internet?
- “Sorry I’m late. I misplaced the printout of the email setting up the interview.”
- “Why, yes, An*nym*us *was* my idea…”
- Lulzsec, that was also my idea.
- I’m perfect for security, because I love telling people NO!
- “Can I connect my {insert droid phone brand} to your network?”
- “home labs are for geeks, that’s just pointless”
- How would you describe diversity? >I eat lots of Chinese and Italian foods. >Could you elaborate more? >They all taste great. #real
- “I’m just applying for the job so I can keep getting my unemployment check.” (true story)
- “This is a 9-5 gig, right?”
- “I just read SANS Newsbites and that’s pretty much how I keep up with everything in infosec”
- The worst was clothing, not a comment. Kid showed up wearing a “Bart Simpson, underachiever and proud of it” t-shirt for the interview.
- All of my past bosses were assholes, I hope you aren’t. (paraphrasing actual interview)
- Yes. I was security lead at Sony in 2010 and 2011
…and the winner in my books
I received over 250 responses. Thanks everyone for contributing. Got more? Feel free to leave a comment.
🙂
(Image used under CC from Ced)
Good article.