Foul! That Interview Question Is Unfair

Published: Feb. 2, 2021, 11 a.m.

All links and images for this episode can be found on CISO Series

https://cisoseries.com/foul-that-interview-question-is-unfair/

Pick a side. You either want your employees to have a work/life balance, or you want them to be obsessed with security 24/7. You can't have both.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our guest this week is Arpita Biswas, (@0sn1s) senior incident response engineer, Databricks

Thanks to our podcast sponsor, StackRox

StackRox is the industry\u2019s first Kubernetes-native security platform that enables organizations to securely build, deploy, and run cloud-native applications anywhere. The StackRox Kubernetes Security Platform delivers lower operational cost, reduced operational risk, and greater developer productivity through a Kubernetes-native approach that supports built-in security across the entire software development lifecycle.

What would you advise?

People speak a lot about the importance of integrating security and DevOps. Now it's time to learn some specifics, like how to energize developers to be more security minded in their development. What works? What hasn't worked?

"What's Worse?!"

You just learned something was breached. Uggh. (Thanks to Mike Toole, Censys)

What\u2019s the best way to handle this ?

What questions should be asked to see if a security team is cloud incident ready? A good article over on F5 by Sara Boddy, Raymond Pompon, and Sander Vinberg, provides some suggestions such as "Can you describe our attack surface and how have you reduced it to the bare minimum?" and "How are we managing access control?" and "What do we do when systems or security controls fail?" Which of the questions is the most revealing to cloud security readiness and why?

Should you ignore this security advice?

On the AskNetSec subreddit someone inquired about a good hiring question. One redditor suggested asking "What do you do on your own home network with respect to security?" to which another redditor argued that the question was unfair. He left the security and networking for work. He had other hobbies and interests for home life. Another person said, yes it is unfair, but there are plenty of candidates who do breathe security 24/7 and if given a choice, the redditor would take that person. The politically correct thing to say is you want the person with the work-life balance, but wouldn't we be more impressed with the person who has security in their blood day and night?

Close your eyes and visualize the perfect engagement

Another question on AskNetSec subreddit asked "What are the most important skills you see missing among other coworkers or your team?" The two most common answers I saw on the thread were communications and critical thinking. Are these correct. or should something else go there? ? And if those two did improve, what would be the resulting effect to a company's security program?