IT security officers are responsible for monitoring security on an organization’s network. Beyond the technical side, this role often includes leadership and management responsibilities.
IT security managers can expect a salary of around $140,000 based on the US national average on Salary.com. Candidates for the position typically have a bachelor’s degree in cybersecurity, computer science, engineering, or a similar field. Those looking to pursue this career path can set themselves apart from other applicants by also completing a certification, such as CISM (Certified Information Security Manager), CISSP, or Certified CISO.
The first step in applying for an IT security manager position is to create a resume. Then it’s time to start preparing for the interview.
“An interview is a two-way street; this is an opportunity for the organization to talk to the candidate but also for the candidate to see if the organization is the right one,” said Christophe Foulon, co-author of Hack the Cybersecurity Interview. An organization may offer the right salary, but if there is culture shock, the candidate will end up frustrated or exhausted, he added.
Here, Foulon and co-authors Ken Underhill and Tia Hopkins offer tips on how to answer the most common IT security manager interview questions, as well as questions the interviewee should ask the organization interviewing them.
Editor’s note: This text has been edited for length and clarity.
What is your best advice for candidates preparing for a security manager interview?
Christophe Foulon: My best advice is to understand the expectations of the role. A security manager can oversee people, a product or a process – or the role can cover all three. Read the job description and make sure you understand which of these three, or a combination of these three, would be your responsibility. For example, an application security manager is responsible for the process and technology surrounding application security. He may therefore not be responsible for people, while security engineers sometimes work with the company’s development team. In this scenario, the engineer is supposed to act as the failsafe champion in that team.
Ken Underhill: It is important to research the company and how the position you are applying for fits into the overall security strategy. Most candidates I’ve interviewed never research the company and how the vacancy will help us. Those who do research received job offers 99% of the time. As a manager, you should be prepared to give examples of projects where you’ve led a team, as well as challenges, bad decisions, and measurable positive results you’ve achieved.
What are the behavioral questions most frequently asked when interviewing a security manager?
Underhill: We have a chapter in the book devoted to the most common behavioral interview questions we’ve been asked over the years. I also recommend the Interview Ready software because it helps you identify weak spots in your interview skills.
Most behavioral interview questions begin with one of these statements:
- Describe a situation where you…
- How did you handle situation X?
- Give me an example of…
- Tell me about a time when you…
My advice is to be honest and provide measurable results — for example, “I did X, which led to Y, and the results were Z savings for the business.”
Foulon: One of the most common questions is, “Tell me about a time when you tackled a difficult situation.” As a hiring manager, I’m looking for a story or situation where you took action and got results. Another question might be, “Tell me about a time you had to deliver tough news to a stakeholder or a time you had to deliver tough results.”
What are the most frequently asked technical questions when interviewing a security officer?
Underhill: Technical questions depend on the security officer’s role type, such as cloud security officer, network security officer, or application security officer.
You can usually expect technical questions to be thorough and ask about the tech stack. For example, as a cloud security manager, you would likely be given a customer scenario and asked to design a more secure network for the customer, compared to an entry-level job interview, where the interviewer would probably just ask about the OSI [Open Systems Interconnection] model.
There are several different job titles for cybersecurity managers. What are the most common?
Underhill: It depends on the organization, but here are a few: network security manager, security operations center manager, application security manager, information security manager, and cybersecurity manager.
Foulon: The common titles speak for themselves. For example, vulnerability managers manage vulnerabilities and application security managers manage applications. It gets more complicated when you work for a small organization where you have to wear many hats versus a company where you are a cog in a bigger machine.
What questions should interviewees ask at the end of an interview with a security officer?
Tia Hopkins: Always ask the soft closing question: “Is there anything about my background or skills that concerns you regarding my ability to perform this role?” Another is to ask about resources – for example, budget, team size, etc. – and leadership so you have an idea of what you might be signing up for.
Foulon: Ask about a particular interest or preference toward a certain cause. For example, if you know you won’t work well with someone who is your polar opposite, you want to find that out early on. The company or hiring manager might have an opposing stance on a particular topic, which could be indicative of the company’s culture and how it approaches that particular issue. Based on the answer, you will know if this is the type of environment you want to work in.
Underhill: I recommend candidates ask what three challenges the organization is trying to solve with this position. If the interviewer doesn’t know and is the hiring manager, ask them what the top three things are that they need help with in your first 30 days after being hired. Based on your research on the company, also ask something like “What were the benefits and challenges of Project X that you deployed?” For example, if a company is rolling out new software, find out the lessons learned from the rollout.
About the authors
Ken Underhill is CEO, executive producer and host of the syndicated Cyber Life TV show. Underhill educates approximately 2.6 million people each year through his online cybersecurity courses and serves on the advisory board of Breaking Barriers Women in CyberSecurity and the Whole Cyber Human Initiative, as well as the board of directors of a number of cybersecurity startups.
Christophe Foulon, senior executive and cybersecurity consultant at F10 FinTech, brings over 15 years of experience as a CISO (chief information security officer), adjunct professor, author, and cybersecurity strategist. He has also spent over 10 years leading and mentoring people.
Tia Hopkins is Technical Field Director and Chief Cyber Risk Strategist at eSentire and Adjunct Professor of Cybersecurity at Yeshiva University. Hopkins was recognized by SC Media as an Outstanding Educator in 2019, as well as one of the Top 25 Women in Cybersecurity Leaders and Top 100 Women in Cybersecurity, both in 2020. In 2021, she was recognized by IFSEC Global as one of the top influencers in the Security Executives category. Hopkins is also the founder of Empow(H)er Cybersecurity, a nonprofit organization aimed at inspiring and empowering women of color to pursue careers in cybersecurity.