topic Re: Job Interview in Career Discussions

Job Interview

JohnC — Fri, 17 May 2019 16:24:09 GMT

Had my third phone interview with a company yesterday for a Full Stack Developer role. Never thought my security experience and CISSP would be a detriment to getting hired. The interviewer noticed my CISSP and security experience on my resume and asked me if I was willing to put security aside in the name of building and deploying fast to production. The person I was talking with was one of the CIOs and heading up the new project. I explained that perhaps adding in security from the beginning would save time in the long run and not expose them to possible breaches and rework. Nope, they were going to bolt on security afterward. Got the rejection two hours later.

I honestly wish them luck because they are going to need it. Lots of it.

Re: Job Interview

Chuxing — Fri, 17 May 2019 16:49:59 GMT

Unfortunately, security and convenience are on the two ends of the spectrum, and looks like the company decide to forgo security.

Like the well-quoted saying (attributed to John Chambers): There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

and the company you interviewed is, or will be very soon, the second type.

Re: Job Interview

Gonif — Fri, 17 May 2019 17:08:31 GMT

@JohnC I think you dodge a bullet there John. Either that or they were testing you to see if you would say that leaving security out of it was okay. Have you had any feedback from the company/agency?The job was not meant to be. There are plenty nmore out there with your name on. Good luck with the search.

Re: Job Interview

emb021 — Fri, 17 May 2019 18:33:02 GMT

In my job hunting I have learned a few new terms like "unicorn", "purple squirrel" and "ghosted/ghosting".

I have since coined my own term: "porridge".

It's from the story of "Goldilocks and the 3 Bears", where the porridge is "too hot" or "too cold".

I've had to deal with several companies who didn't want to talk with me because I was "too security", "too risk", "not security enough", etc.

I guess you got hit by being "too security".

Re: Job Interview

AppDefects — Fri, 17 May 2019 19:54:07 GMT

Dude, was that the type of company that you wanted to work for? There are many more out there that will value your AppSec skills.

Re: Job Interview

Shannon — Fri, 17 May 2019 20:46:05 GMT

@JohnC, if that was just a test question --- and I sincerely hope it was --- there may have been other factors that contributed to your rejection.

On the other hand, if they actually intended to trade security for convenience, be glad you didn't grab that --- coz you'd probably have had a very hard time there, given the CIO's attitude.

Even worse, should security flaws be found in the developed system at a later stage, that organization might just turn the developers into scapegoats...

Re: Job Interview

rslade — Sat, 18 May 2019 18:08:08 GMT

@JohnC wrote:
The interviewer noticed my CISSP and security experience on my resume and asked me if I was willing to put security aside in the name of building and deploying fast to production. The person I was talking with was one of the CIOs and heading up the new project.

Sorry, one of the CIOs?

As others have pointed out, you have had a fortunate escape. Yes, it is disheartening to lose a job (prospect), but it would have been possibly much worse to lose your soul by working for these clowns.

Over the years I have come to disregard most of the "advice" on how to handle job interviews. Best to be honest. If they are that stupid (and remember George Carlin's advice to consider how stupid the average person is--and then to recall that half of them are dumber than that) then it would be painful working for them.

I honestly wish them luck because they are going to need it. Lots of it.

And you are lucky not to be involved ...

Re: Job Interview

Steve-Wilme — Mon, 20 May 2019 09:55:42 GMT

It's as likely a 'need to find excuses' to exclude a candidate. For some reason many companies find it necessay to manufacture a reason; like being 'too security', being 'overqualified', 'not a good cultural fit' etc And then some people have forgotten or never bother to think that security is generally a facilitator of many service, rather than the converse. Where would the www be without SSL/TLS?

Re: Job Interview

ResetE — Wed, 29 May 2019 12:57:57 GMT

The key bit here is maybe that he posed the question as an either or, but it doesn't have to be.

My response would be 'If we have a risk, I'm more likley to be able to identify, understand and escalate that risk (quickly & efficiently) to my line manager with a clear picture of the potential consiquences, It would then be the leaderships desicion as to whether the risk is prohibative and needs aditional controls, or is within the risk appatite of the company'

An understanding that controls have costs, that to understand if it's worth securing you need to know the cost and the value, is imho one of the core teachings of CISSP.

Re: Job Interview

Steve-Wilme — Thu, 30 May 2019 07:03:17 GMT

Sounds like the interviewer never heard of SecDevOps. A DevOps approach focusing on IaC and SaC, has a good potential to improve overall security posture and respond to vulnerabilities quickly. So it's simply not a case of speed or security, but speed with security.

Re: Job Interview

RRoach — Wed, 17 Jul 2019 17:00:05 GMT

Interesting such a question came up. However one thing to consider in the future might be to have a well documented Limited Liability or Indemnity Agreement where for instance you can code to their hearts content but should anything happen because of their rush to production there is no legal recourse on their part. Even if you would have dropped this bombshell my guess is they probably would have been dazed and confused and would have probably not have moved things further.

Re: Job Interview

emb021 — Mon, 22 Jul 2019 14:49:23 GMT

@Steve-Wilme wrote:
Sounds like the interviewer never heard of SecDevOps. A DevOps approach focusing on IaC and SaC, has a good potential to improve overall security posture and respond to vulnerabilities quickly. So it's simply not a case of speed or security, but speed with security.

I thought it was DevSecOps?? 🙂

Then you have some DevOps wags who say security is already in it, so you don't need to talk about 'SecDevOps' or 'DevSecOps' as separate things...

I do have to wonder about the level of knowledge of some of the infosec 'leaders' I've met with on interviews. I dealt with one CISO when interviewing for an infosec analyst role that would have deal heavily with third party risk management who, surprisingly to me, didn't seem to understand the different SOC reports (1,2,3, etc) nor had ever heard of Shared Assessments' SIG Report. Sigh. (oh, and they decided to reject me for 'better candidates'... yeah, right).

Re: Job Interview

Frank_Mayer — Mon, 22 Jul 2019 18:10:42 GMT

Your post is very informative. However, I do not wish anyone luck that wants to bolt on security later and that trashes a good person like yourself, just for wanting to do what basic due care requires. I wish you an even better opportunity later since I applaud your honesty and integrity. We need strong laws at the international, national, state and local levels of government that make it a civil and criminal offense to do that kind of software engineering. How is it that a totally irresponsible engineering approach is accepted? If any avionics, automotive, or other traditional industry took that kind of approach to any other discipline other than information technology, they would get sued to the point of bankruptcy.

I want to see liability lawyers start suing information technology firms like they do the medical industry, world-wide, so there is nowhere to hide, so as to stop all this nonsense. The likely failure that will ensue in the situation you describe will be the burden of disaster placed on the unfortunate consumer of their miscreant product. I hope that the GDPR regulators get wind of this and watch them like a hawk and when their irresponsible plan backfires that they get fined and sued out of existence. Where is the Ralph Nader we need for the software industry?

Due care and due diligence is mandatory for all other professions except for application developers and hosting organizations of all these deformed applications. It is time now for this lax state of affairs for software engineering to stop.

Re: Job Interview

Frank_Mayer — Mon, 22 Jul 2019 18:06:17 GMT

We need a Ralph Nader type crusader for the software industry. It is ridiculous that in the 21st Century that the software engineering based industries and information technology firms still operate with the buyer beware approach of the 19th century.

Re: Job Interview

RRehm — Tue, 28 Sep 2021 15:49:36 GMT

the citation is to my knowledge (also) attributed to Robert Muller, former director of the FBI

Re: Job Interview

RRehm — Tue, 28 Sep 2021 15:53:26 GMT

Same once happened to me avoiding being too technical, so at the end I got the response that I wasn't technical enough. And I was applying for a strategic role on how to develop the DB solution in a more secure way.

Maybe it is just an excuse for saying I don't like you...