JohnC
Viewer

Job Interview

Had my third phone interview with a company yesterday for a Full Stack Developer role. Never thought my security experience and CISSP would be a detriment to getting hired. The interviewer noticed my CISSP and security experience on my resume and asked me if I was willing to put security aside in the name of building and deploying fast to production. The person I was talking with was one of the CIOs and heading up the new project. I explained that perhaps adding in security from the beginning would save time in the long run and not expose them to possible breaches and rework. Nope, they were going to bolt on security afterward. Got the rejection two hours later.

I honestly wish them luck because they are going to need it. Lots of it.

15 Replies
Chuxing
Community Champion

Unfortunately, security and convenience are at the two ends of the spectrum, and it looks like the company decided to forgo security.

Like the well-quoted saying (attributed to John Chambers): There are two types of companies: those who have been hacked, and those who don't yet know they have been hacked.

and the company you interviewed is, or will be very soon, the second type.

____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
Gonif
Newcomer I

@JohnC I think you dodged a bullet there John. Either that or they were testing you to see if you would say that leaving security out of it was okay. Have you had any feedback from the company/agency? The job was not meant to be. There are plenty more out there with your name on. Good luck with the search.

emb021
Advocate I

In my job hunting I have learned a few new terms like "unicorn", "purple squirrel" and "ghosted/ghosting".

I have since coined my own term: "porridge".

It's from the story of "Goldilocks and the 3 Bears", where the porridge is "too hot" or "too cold".

I've had to deal with several companies who didn't want to talk with me because I was "too security", "too risk", "not security enough", etc.

I guess you got hit by being "too security".

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
AppDefects
Community Champion

Dude, was that the type of company that you wanted to work for? There are many more out there that will value your AppSec skills.

Shannon
Community Champion

@JohnC, if that was just a test question --- and I sincerely hope it was --- there may have been other factors that contributed to your rejection.

On the other hand, if they actually intended to trade security for convenience, be glad you didn't grab that --- coz you'd probably have had a very hard time there, given the CIO's attitude.

Even worse, should security flaws be found in the developed system at a later stage, that organization might just turn the developers into scapegoats...

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
rslade
Influencer II

@JohnC wrote:

The interviewer noticed my CISSP and security experience on my resume and asked me if I was willing to put security aside in the name of building and deploying fast to production. The person I was talking with was one of the CIOs and heading up the new project.

Sorry, one of the CIOs?

As others have pointed out, you have had a fortunate escape. Yes, it is disheartening to lose a job (prospect), but it would have been possibly much worse to lose your soul by working for these clowns.

Over the years I have come to disregard most of the "advice" on how to handle job interviews. Best to be honest. If they are that stupid (and remember George Carlin's advice to consider how stupid the average person is--and then to recall that half of them are dumber than that) then it would be painful working for them.

I honestly wish them luck because they are going to need it. Lots of it.

And you are lucky not to be involved ...

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Steve-Wilme
Advocate II

It's as likely a 'need to find excuses' to exclude a candidate. For some reason many companies find it necessary to manufacture a reason, like being 'too security', being 'overqualified', 'not a good cultural fit', etc. And then some people have forgotten or never bothered to think that security is generally a facilitator of many services, rather than the converse. Where would the www be without SSL/TLS?

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
ResetE
Newcomer I

The key bit here is maybe that he posed the question as an either/or, but it doesn't have to be.

My response would be 'If we have a risk, I'm more likely to be able to identify, understand and escalate that risk (quickly & efficiently) to my line manager with a clear picture of the potential consequences. It would then be the leadership's decision as to whether the risk is prohibitive and needs additional controls, or is within the risk appetite of the company.'

An understanding that controls have costs, that to understand if it's worth securing you need to know the cost and the value, is imho one of the core teachings of CISSP.

Steve-Wilme
Advocate II

Sounds like the interviewer never heard of SecDevOps. A DevOps approach focusing on IaC and SaC has good potential to improve overall security posture and respond to vulnerabilities quickly. So it's simply not a case of speed or security, but speed with security.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS