Had my third phone interview with a company yesterday for a Full Stack Developer role. Never thought my security experience and CISSP would be a detriment to getting hired. The interviewer noticed my CISSP and security experience on my resume and asked me if I was willing to put security aside in the name of building and deploying fast to production. The person I was talking with was one of the CIOs and heading up the new project. I explained that perhaps adding in security from the beginning would save time in the long run and not expose them to possible breaches and rework. Nope, they were going to bolt on security afterward. Got the rejection two hours later.
I honestly wish them luck because they are going to need it. Lots of it.
Unfortunately, security and convenience are on the two ends of the spectrum, and it looks like the company decided to forgo security.
Like the well-quoted saying (attributed to John Chambers): There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.
and the company you interviewed is, or will be very soon, the second type.
@JohnC I think you dodged a bullet there John. Either that or they were testing you to see if you would say that leaving security out of it was okay. Have you had any feedback from the company/agency? The job was not meant to be. There are plenty more out there with your name on. Good luck with the search.
In my job hunting I have learned a few new terms like "unicorn", "purple squirrel" and "ghosted/ghosting".
I have since coined my own term: "porridge".
It's from the story of "Goldilocks and the 3 Bears", where the porridge is "too hot" or "too cold".
I've had to deal with several companies who didn't want to talk with me because I was "too security", "too risk", "not security enough", etc.
I guess you got hit by being "too security".
Dude, was that the type of company that you wanted to work for? There are many more out there that will value your AppSec skills.
@JohnC, if that was just a test question --- and I sincerely hope it was --- there may have been other factors that contributed to your rejection.
On the other hand, if they actually intended to trade security for convenience, be glad you didn't grab that --- coz you'd probably have had a very hard time there, given the CIO's attitude.
Even worse, should security flaws be found in the developed system at a later stage, that organization might just turn the developers into scapegoats...
@JohnC wrote: The interviewer noticed my CISSP and security experience on my resume and asked me if I was willing to put security aside in the name of building and deploying fast to production. The person I was talking with was one of the CIOs and heading up the new project.
Sorry, one of the CIOs?
As others have pointed out, you have had a fortunate escape. Yes, it is disheartening to lose a job (prospect), but it would have been possibly much worse to lose your soul by working for these clowns.
Over the years I have come to disregard most of the "advice" on how to handle job interviews. Best to be honest. If they are that stupid (and remember George Carlin's advice to consider how stupid the average person is--and then to recall that half of them are dumber than that) then it would be painful working for them.
I honestly wish them luck because they are going to need it. Lots of it.
And you are lucky not to be involved ...
It's as likely a 'need to find excuses' to exclude a candidate. For some reason many companies find it necessary to manufacture a reason; like being 'too security', being 'overqualified', 'not a good cultural fit' etc. And then some people have forgotten or never bother to think that security is generally a facilitator of many services, rather than the converse. Where would the www be without SSL/TLS?
The key bit here is maybe that he posed the question as an either or, but it doesn't have to be.
My response would be 'If we have a risk, I'm more likely to be able to identify, understand and escalate that risk (quickly & efficiently) to my line manager with a clear picture of the potential consequences. It would then be the leadership's decision as to whether the risk is prohibitive and needs additional controls, or is within the risk appetite of the company'
An understanding that controls have costs, that to understand if it's worth securing you need to know the cost and the value, is imho one of the core teachings of CISSP.
Sounds like the interviewer never heard of SecDevOps. A DevOps approach focusing on IaC and SaC has a good potential to improve overall security posture and respond to vulnerabilities quickly. So it's simply not a case of speed or security, but speed with security.