- Email: [email protected]
Interviews, Bosses, and Staff
Chapter 6
111
112
Chapter 6
9Interviews, Bosses, and Staff
Anecdote For years, I documented some of my more memorable interviews on umnv.loud-fatbloke.co.uk, along with a wealth of thought-provoking technical papers. I was horrified to find that when I told colleagues that I was writing a book, most showed only polite interest on the technical aspects, but they all insisted I publish the interview section. They seem to think my misfortunes are funny--and I hope you do, too.
Introduction This chapter is designed as a bit of light relief. W h e n I gave up heading the security practice, partnership, and annual riches beyond my dreams at a large accountancy firm (and ran away with a very large check), it was the middle of a recession. Although I slipped a notch in status, I fell on my feet, but I was no longer in a position to help many of the talented people I had always sponsored previously. Many of these people were now struggling a little in a post-9/11 world. To lend moral support, I started recording some of the interview encounters I had experienced. These became a feature of my Web site and a regular topic of discussion. As I have worked with a "right bunch of nutters," I have expanded this material to include bosses and staff.
Interviews as the Interviewee It is imperative that any young, ambitious person develop a robust interview technique. If you can bite your tongue for a couple of one-hour interviews, you will receive a job offer, and then you can consider at your own leisure whether to take the job or not. If you decide that the guy interviewing you is a moron, transmit this information to him after he has admitted to you that you are the best thing since sliced bread by giving you an offer. O f course, that's not they way I do it.
www.syngress.com
Interviews,
Bosses, a n d S t a f f
9 Chapter 6
Interview 1 I was asked to interview for the position of divisional head of security at a telecom company. The interview took place one Tuesday morning and was performed by a very stern lady. Interviewer: You seem to think this job has a lot to do with IDS. Why is that? Fat bloke- Well, you have had one of your staff asking me questions about IDS, Snort, and ISS for about half an hour, the job description you handed me at the start has "knowledge of tuning IDS" listed as the primary skill, and the headhunter told me that expertise was essential. Interviewer- What do you know a b o u t . . .
(Dring dring dring dring
dring. Fire alarm rings!) Fat bloke: Who? Interviewer: Don't you even know w h o m you are interviewing with? Surely, you must know the name? Fat bloke: Yes; I was just deafened by the fire bell. Should I be worried by that loud ringing noise? MARKOSBORNE dile
.... . ) .../-
has dmr~or~st~ated L~mf hr
r%..%
strong rdaf, io~shq.~ ~.~ " skit2~',; ,;o{..~ded w#' ~qua%y at ht,."
L:\ :
::.]:
.. ......
)
~ (Cv
:.
* L " Go. ,
:,...
'"...,../" k%
Great
CH;~#(*,.,tL ,.VKILt~ irk has preve-d he c )grammes or tech..qic, - E• of btuechip cl~ients,
.. security improvement . c~alle~gmg environ,ments ,~nd ~ecurity imp.~:ovemen~ progtammes ,,~.e malodtV of the {JK Banks.
www.syngress.com
113
114
Chapter 6
9Interviews, Bosses, and Staff
At this point the interviewer hands me a yellow Post-It; on it are the words, "You're gorgeous!"
Fat bloke (I'm proving that the m o u t h is faster than the brain): "You're just a chubby-chaser; aren't you, love? I've had trouble with your type before." .....~:iiiii!
.#iil .
~:~:v:;~:~;~:~:~:~:~The Post-It was a prop for a sexual harassment question, so my comii {ii! ment was particularly unhelpful. ..:.:.:....,..:,:.:.
Interviewer: The project team has just put in a new system. O n Friday afternoon, the project manager walks in to tell you it's business critical that it goes into production today, and to make it work, all traffic through the firewall needs to be allowed to all hosts with any2-any rules. What do you do? Fat bloke: I find this happens all the time.You have to get a wholebusiness view, so you do x, y, and z. Then you work the problem. But most important, even if it means building a completely new firewall for this new system, you should not endanger the whole of your infrastructure by turning off all your security on the say-so of one project manager. Interviewer: Wrong. Everybody always gets this wrong. The project manager has told you it's business-critical, so you should add the any2-any rule! But don't feel bad; none of the other candidates have got this right, either, and many of them were just as qualified as you.
Interview 2 I interviewed for a "security strategy" position at a large investment bank in Canary Wharf, London. The job seemed very much like a computer audit job and a little junior for me, but it was still worth a look. I had a telephone interview with the team manager, then a formal interview with the team www.syngress.com
Interviews, Bosses, and Staff
9Chapter 6
manager. T h e n all in the same afternoon a further set of interviews with the global head of department, global head of technical security, and some muppet with a charisma bypass (the last two over a video conference call, with a camera that seemed to focus on the bald bit on the top of my head; you all k n o w I love myself, but they might as well have asked me to interview in the nude while doing a step-aerobics class).
Interviewer 1 (global head of department)" H o w do you sell security to a chief dealer w h o doesn't think it matters?
Interviewer 2 (charismaless muppet): H o w do you sell security to a chief dealer w h o doesn't think it matters?
Interviewer 3 (global head of technical security, as he walks in to join the charisma-bypass muppet)" H o w do you sell security to a chief dealer w h o doesn't think it matters?
Fat Bloke: "Well the answer I gave to that question w h e n I was asked by Mr. X on first interview was this" It seemed to go down well so I'll give the same answer just for c o n s i s t e n c y . . .
Interviewer (global head of technical security)" " W h i c h is better, AES or M D 5 ? "
Fat Bloke: Well, they're different things, aren't they? One is a cryptographic algorithm and the other is a crypto-hash. I guess with poetic license, if you read "better" as longer key length, you could claim AES was better because it is c o m m o n to have key lengths of 256. (Trying desperately to demonstrate knowledge.) Nevertheless, the question is similar to, " W h i c h is better, a h a m m e r or a screwdriver?"; you need to k n o w for what purpose before you can answer it.
Interviewer (global head of technical security): "Yeah! But which is better?"
Interview 3 I once interviewed for a head of practice position at a boutique security consultancy. I was at the final stage w h e n I met the CEO. Even though I knew I
115
116
Chapter 6
9Interviews, Bosses, and Staff
had the job in the bag, they had been playing good cop/bad cop for about two hours, and I was mightily annoyed. The C E O - Have you got any questions? Fat Bloke-Yes, can you give an outline scope of the job? The CEO" Holding up a blank piece of paper That is the scope of the job; you write it. Fat Bloke: So anything in security is my baby. The C E O : It is, if you want it. Fat Bloke: So how many pen testers will I have to manage? The C E O : Pen testers!You won't be in charge of pen testers~that's not within the scope of the job!
Interview 4 I was bored off my bean and needed a change. I was approached for the role of security supremo at a reseller well known for managed firewalls; we'll refer to them as Via-Windy. I was not keen, but then I met the VP of products, who was very impressive and ensconced in an impressive office near Oxford. I became more interested and went for an interview with the chief operating officer (in what seemed to be a small closet in the city). Fat Bloke: The headhunter said you'd like to see me present a business plan. (Thrusting a copy of a lovingly bound plan into his hand) The C O 0 : (Short man with Short Man Syndwme) I couldn't care less about your plan. I am sick of hearing about security. I don't think Via-Windy can make money in security; Web hosting is where it's at. Fat Bloke" Well, these days, customers expect commitment from their managed security partners. Too many firms have left their clients in the lurch. Likewise, investors are cagey; with 135 employees, three offices, and a small revenue of less than s million after five years of operation, they have some grounds. But last and most important, you have to question the motivations of someone who tells interview
www.syngress.com
Interviews, Bosses, and Staff
9Chapter 6
candidates that it's a dead-end job.Yes I a g r e e ~ I don't think Y O U can make money in security.
Short C O 0 : You may have been a director and uncrowned partner at a la-de-da Big Six firm, and you claim to have brought in s million, but we all know audit clients just hand you the money t. Fat Bloke: That is a c o m m o n misconception, but it was never really the case. Anyway, Sarbanes-Oxley has put an end to that for many international clients. Short C O O : Sarbanes-Oxley? What's that? Fat Bloke: You did say you were considering being quoted on the NASDAQ?? S e c o n d Interviewer: (A very strange northern woman) I know not about security; sell me some security. Fat Bloke: Would like to buy some security? No? (Aimless chit-chat followed, during which time I got some insight into just how un-P.C, and intolerant some people can be. A n d you can guess it takes a lot to shock me. But I was, so I left.)
Preinterview Questionnaires Interviews are a poor way of selecting employees, but what real choice do we have? One company, the leader in the field for alternative site recovery centers, choose to use a basic questionnaire to help them choose new hires. Unfortunately, they got the day-release student from the H1K department to write it, and English obviously was not a strength. The company was recruiting for an IT director who specialized in networks, security, and disaster recovery. It sounded like a great job, but I had a nice challenge where I was, and the questionnaire (see Figure 6.1) was too banal to resist. Even after I submitted this questionnaire, they were very eager to retain me for the position, but arrogant fool that I am, I just could not bring myself to go along.
www.syngress.com
117
118
Chapter 6
9Interviews, Bosses, and Staff
Figure 6.1 Fat Bloke's Preinterview Questionnaire Candidate Name: Date completed: Position applied for Key questions
Mark Osborne
29/09/05
Director IT--- Europe
1. Bilingual- What languages and please rate fluency on a one (1) to five (5) scale (1 poor/weak and 5 beinq very stronq) French comprehension - 2 French spoken - 1 2. What type of IT environments have you worked in? (i.e. structured -lots of standards and policies or unstructured with little or no policies/standards established) Banking-- Regulated and structured using large mainframe Banking m Regulated and structured using distributed PC and Unix Banking M & A - - I want it yesterday Service provider-- Varied Manufacturing-- No regulation, emerging standards Start-upm No idea ........... several more HR questions . . . . . . . . . . 10. - Have you ever reported to a manager/supervisor who was remote? If so, how fair a way is it? How did you feel about that? My current boss is very remote and distant-- Sometimes he talks to me while staring out at the river Thames below Canary Wharf. How Fair? Well, I think its reasonable~ He has a lot on his mind, running a large company an all- And I am not a trainee. How do I feel?~ I quess I feel hunqry. 12. How do you select team members for an interview process? I have a magic formula for this - When I select members of my team to participate in an interview process to recruit a new member of staff, I would routinely select: the potential employees manager a potential workmate of the candidate In this way from the manager, I get feedback on whether the candidate "fits" the culture and is manageable. The workmate gives an assessment of the candidate's ability to do the job. Revolutionary. 13. How do you handle challenqes that are escalated to the executive level? I consider myself to be "executive level". For example, in my current role, I have regular interaction with the CEO. And although it isn't GE, this is a $250million p.a. revenue company. This role, I am told, is one level below the board and has 50 or more staff. So presumably it is also an executive level position. So "How do I handle challenges that are escalated to the executive level?"-- Well exactly like I was dealinq with a peer!! 15. How do you feel about international travel? I feel International travel is brilliant for travelling to other countries or continents. International travel can be a pleasant experience-- or not, usually dependent on the travel policy of the firm in question. So you tell m e - - How do you make it easy for me.
Interviews, Bosses, and Staff
9Chapter 6
Interviews as the Interviewer But I am not the worst interviewee in the world. Here are some contenders for that title.
Interview 1 W h e n I was a principal security consultant, I was looking for a number of junior consultants. A bloke from Zergo, the leading consultancy of the day, had a great CV. Fat bloke: So you know Sidewinder.Tell me about it. Interviewee:
Silence
Fat bloke: I also see you have used FireWall-1 and Gauntlet. Tell me what generic type or class of firewall each is. Perhaps highlight the pros and cons? Interviewee:
Silence
Fat bloke: Take your time; nod if you can hear me.
Interview 2 In my current role, I was demonstrating what a good chap I was by helping recruit IP engineers. The following was possibly the worst start to an interview: Fat bloke: I am standing in for the VP in charge of that section; he is on the board and he would be your boss's boss. I am Mark Osborne, chief information security officer. Interviewee: Ha, ha, ha, security officer~what! Have you come to check me badge? Look, here it is! (Holding up his visitor's pass) Oh, but I'm not wearing it, look. Ha, ha, ha! You'll have me escorted out the building, ha, ha, ha!
After 20 minutes
119
120
Chapter 6
9Interviews, Bosses, and Staff
Fat bloke: Look, I have let this run on much longer than normal because of your poor start, and I wanted to be more than fair. But we've asked you 15 questions and you haven't even come near to getting one right.You've applied for a job as an IP engineer and you've consistently demonstrated you don't know anything about routers and switches. It has been torture. W h e n you write IOS 12.1 on a CV, people think you know IOS 12.1, not that you sat in the same office as someone that knew it! Interviewee: I see myself as a manager. Fat bloke: Then in future I suggest you apply for jobs with "manager" in the title.
Bosses N o w let's discuss bosses.
Runner-up for the Worst Boss in the World This coveted award goes to a good-hearted and well-meaning fellow. Apart from his one defect, he had nothing really wrong with him. The main problem was this guy was visibly dirty and stank. He looked the spitting image of Neil from "The Young O n e s " ~ t h e original hippie. This guy was so dirty that the catering manager banned him from the canteen, declaring that he was "a health hazard."
Worst Boss in the World The winner of the title worst boss in the world definitely goes to a partner I used to work with; let's call him Melvin Sheriff. The man was definitely a loony. He would get overly excited for no apparent reason and rub his hands together so rigorously that there was real risk of" human combustion while he reeled off a whole series of self-rebukes. Later in life, when we moved to more modern buildings with glassfronted offices and meeting rooms, he took to telling himself off, or more correctly, telling off his reflection that appeared in the glass wall. This involved a furiously wagging finger, like some crazed orchestra conductor, pointing and
Interviews, Bosses, and Staff
9Chapter 6
stabbing as the rant reached a crescendo. This was bad enough, but if you happened to be passing by or if you were a visiting client inside the meeting room, it could be more than distressing. Classic incidents included: 9 He turned up to work in one brown Oxford shoe and one black brogue and then went into a client meeting without changing. 9 A finance director of an asset management firm said he never wanted to speak to Mel after he messed something up and caused the director serious job jeopardy. However, Mel insisted that he retain the role of client partner despite this. Apparently weeks of meetings ensued where Mel insisted on turning up. The finance director would completely ignore him and insist that everyone else do as well. If Mel spoke, the finance director started repeating "We can't hear you, we can't hear you" or began "La-la-la-ing" very loudly. m We were partnering with RSA Security (very famous for encryption and token authentication) and holding a series of lavish marketing events that they had paid for. Mel walked up to Graham, head of sales for Western Europe, and said, "What do RSA do, then? I've never heard of them." []
We were attempting to partner with Cisco (also very famous). Mel refused because "he didn't want to be associated with a mail-order catalogue firm" (he was thinking of Misco).
Commonly, Mel would lose anything~briefcases, laptops, and phones all seemed to feel a desperate desire to escape his influence. At one stage, the IT department refused to issue him with any mobile phone except those had been marked for end of life. Why? Well, because he would leave them places. This trend was not limited to phones. It also included confidential reports. He would constantly write out yellow Post-Its to himself and attach them to reports. "Review this for me by tomorrow, Melvin," the notes would demand. Having an attention span of a newt, Mel would go and talk to someone, only to be spirited away to lunch. Lunch, oh lunch~ever calling, ever important for Mel. In an open plan office at least 20 feet from his desk, he would relieve himself of the burden of the weighty report he'd been carrying by www.syngress.com
121
122
Chapter 6
9Interviews, Bosses, and Staff
depositing it on some random and unsuspecting junior's desk~instead of securing it in his office. Predictably, the junior would return, be unable to find Mr. Sheriff because he was down in the pub (with phone AWOL, of course). The ubiquitous junior, always keen to please, would work all night producing an analysis of investment bank regulations in Brazil, following the directives of the Post-It. I k n o w - - i t happened to me, but once was enough. Please don't feel sorry for h i m ~ h e wasn't a nice man.
Worst Employees I never really had any truly bad employees. But I've had a few nutty or funny ones. Here are a few examples: 9 The employee who called in sick one day because he thought he had rabies. Apparently, while in Thailand, he was stroking a stray cat that urinated on him. Apparently in Thailand, rats have rabies, and cats eat rats, ipso facto. 9 The employee who called in sick because he had "exploding tooth syndrome"~apparently a real affliction, according to the Internet. However, this turned out to be a bit of fingernail stuck between his teeth. 9 Then there was the employee who tried to run a mini-cab company from his mobile phone. 9 Dave, who took six different doses of compassionate leave for his grandmother's funerals. I want to know who kept on digging her up. 9 Then there was Danny, the stunningly beautiful and violent security analyst who seemed to assault everyone, but nobody complained. But they were all fantastic and sparkly.
Summary You should laugh as much as possible.You have to if you are going to survive in security. But enough levity. N o w let's dive into the more technical side of security.
111
112
Chapter 6
9Interviews, Bosses, and Staff
Anecdote For years, I documented some of my more memorable interviews on umnv.loud-fatbloke.co.uk, along with a wealth of thought-provoking technical papers. I was horrified to find that when I told colleagues that I was writing a book, most showed only polite interest on the technical aspects, but they all insisted I publish the interview section. They seem to think my misfortunes are funny--and I hope you do, too.
Introduction This chapter is designed as a bit of light relief. W h e n I gave up heading the security practice, partnership, and annual riches beyond my dreams at a large accountancy firm (and ran away with a very large check), it was the middle of a recession. Although I slipped a notch in status, I fell on my feet, but I was no longer in a position to help many of the talented people I had always sponsored previously. Many of these people were now struggling a little in a post-9/11 world. To lend moral support, I started recording some of the interview encounters I had experienced. These became a feature of my Web site and a regular topic of discussion. As I have worked with a "right bunch of nutters," I have expanded this material to include bosses and staff.
Interviews as the Interviewee It is imperative that any young, ambitious person develop a robust interview technique. If you can bite your tongue for a couple of one-hour interviews, you will receive a job offer, and then you can consider at your own leisure whether to take the job or not. If you decide that the guy interviewing you is a moron, transmit this information to him after he has admitted to you that you are the best thing since sliced bread by giving you an offer. O f course, that's not they way I do it.
www.syngress.com
Interviews,
Bosses, a n d S t a f f
9 Chapter 6
Interview 1 I was asked to interview for the position of divisional head of security at a telecom company. The interview took place one Tuesday morning and was performed by a very stern lady. Interviewer: You seem to think this job has a lot to do with IDS. Why is that? Fat bloke- Well, you have had one of your staff asking me questions about IDS, Snort, and ISS for about half an hour, the job description you handed me at the start has "knowledge of tuning IDS" listed as the primary skill, and the headhunter told me that expertise was essential. Interviewer- What do you know a b o u t . . .
(Dring dring dring dring
dring. Fire alarm rings!) Fat bloke: Who? Interviewer: Don't you even know w h o m you are interviewing with? Surely, you must know the name? Fat bloke: Yes; I was just deafened by the fire bell. Should I be worried by that loud ringing noise? MARKOSBORNE dile
.... . ) .../-
has dmr~or~st~ated L~mf hr
r%..%
strong rdaf, io~shq.~ ~.~ " skit2~',; ,;o{..~ded w#' ~qua%y at ht,."
L:\ :
::.]:
.. ......
)
~ (Cv
:.
* L " Go. ,
:,...
'"...,../" k%
Great
CH;~#(*,.,tL ,.VKILt~ irk has preve-d he c )grammes or tech..qic, - E• of btuechip cl~ients,
.. security improvement . c~alle~gmg environ,ments ,~nd ~ecurity imp.~:ovemen~ progtammes ,,~.e malodtV of the {JK Banks.
www.syngress.com
113
114
Chapter 6
9Interviews, Bosses, and Staff
At this point the interviewer hands me a yellow Post-It; on it are the words, "You're gorgeous!"
Fat bloke (I'm proving that the m o u t h is faster than the brain): "You're just a chubby-chaser; aren't you, love? I've had trouble with your type before." .....~:iiiii!
.#iil .
~:~:v:;~:~;~:~:~:~:~The Post-It was a prop for a sexual harassment question, so my comii {ii! ment was particularly unhelpful. ..:.:.:....,..:,:.:.
Interviewer: The project team has just put in a new system. O n Friday afternoon, the project manager walks in to tell you it's business critical that it goes into production today, and to make it work, all traffic through the firewall needs to be allowed to all hosts with any2-any rules. What do you do? Fat bloke: I find this happens all the time.You have to get a wholebusiness view, so you do x, y, and z. Then you work the problem. But most important, even if it means building a completely new firewall for this new system, you should not endanger the whole of your infrastructure by turning off all your security on the say-so of one project manager. Interviewer: Wrong. Everybody always gets this wrong. The project manager has told you it's business-critical, so you should add the any2-any rule! But don't feel bad; none of the other candidates have got this right, either, and many of them were just as qualified as you.
Interview 2 I interviewed for a "security strategy" position at a large investment bank in Canary Wharf, London. The job seemed very much like a computer audit job and a little junior for me, but it was still worth a look. I had a telephone interview with the team manager, then a formal interview with the team www.syngress.com
Interviews, Bosses, and Staff
9Chapter 6
manager. T h e n all in the same afternoon a further set of interviews with the global head of department, global head of technical security, and some muppet with a charisma bypass (the last two over a video conference call, with a camera that seemed to focus on the bald bit on the top of my head; you all k n o w I love myself, but they might as well have asked me to interview in the nude while doing a step-aerobics class).
Interviewer 1 (global head of department)" H o w do you sell security to a chief dealer w h o doesn't think it matters?
Interviewer 2 (charismaless muppet): H o w do you sell security to a chief dealer w h o doesn't think it matters?
Interviewer 3 (global head of technical security, as he walks in to join the charisma-bypass muppet)" H o w do you sell security to a chief dealer w h o doesn't think it matters?
Fat Bloke: "Well the answer I gave to that question w h e n I was asked by Mr. X on first interview was this" It seemed to go down well so I'll give the same answer just for c o n s i s t e n c y . . .
Interviewer (global head of technical security)" " W h i c h is better, AES or M D 5 ? "
Fat Bloke: Well, they're different things, aren't they? One is a cryptographic algorithm and the other is a crypto-hash. I guess with poetic license, if you read "better" as longer key length, you could claim AES was better because it is c o m m o n to have key lengths of 256. (Trying desperately to demonstrate knowledge.) Nevertheless, the question is similar to, " W h i c h is better, a h a m m e r or a screwdriver?"; you need to k n o w for what purpose before you can answer it.
Interviewer (global head of technical security): "Yeah! But which is better?"
Interview 3 I once interviewed for a head of practice position at a boutique security consultancy. I was at the final stage w h e n I met the CEO. Even though I knew I
115
116
Chapter 6
9Interviews, Bosses, and Staff
had the job in the bag, they had been playing good cop/bad cop for about two hours, and I was mightily annoyed. The C E O - Have you got any questions? Fat Bloke-Yes, can you give an outline scope of the job? The CEO" Holding up a blank piece of paper That is the scope of the job; you write it. Fat Bloke: So anything in security is my baby. The C E O : It is, if you want it. Fat Bloke: So how many pen testers will I have to manage? The C E O : Pen testers!You won't be in charge of pen testers~that's not within the scope of the job!
Interview 4 I was bored off my bean and needed a change. I was approached for the role of security supremo at a reseller well known for managed firewalls; we'll refer to them as Via-Windy. I was not keen, but then I met the VP of products, who was very impressive and ensconced in an impressive office near Oxford. I became more interested and went for an interview with the chief operating officer (in what seemed to be a small closet in the city). Fat Bloke: The headhunter said you'd like to see me present a business plan. (Thrusting a copy of a lovingly bound plan into his hand) The C O 0 : (Short man with Short Man Syndwme) I couldn't care less about your plan. I am sick of hearing about security. I don't think Via-Windy can make money in security; Web hosting is where it's at. Fat Bloke" Well, these days, customers expect commitment from their managed security partners. Too many firms have left their clients in the lurch. Likewise, investors are cagey; with 135 employees, three offices, and a small revenue of less than s million after five years of operation, they have some grounds. But last and most important, you have to question the motivations of someone who tells interview
www.syngress.com
Interviews, Bosses, and Staff
9Chapter 6
candidates that it's a dead-end job.Yes I a g r e e ~ I don't think Y O U can make money in security.
Short C O 0 : You may have been a director and uncrowned partner at a la-de-da Big Six firm, and you claim to have brought in s million, but we all know audit clients just hand you the money t. Fat Bloke: That is a c o m m o n misconception, but it was never really the case. Anyway, Sarbanes-Oxley has put an end to that for many international clients. Short C O O : Sarbanes-Oxley? What's that? Fat Bloke: You did say you were considering being quoted on the NASDAQ?? S e c o n d Interviewer: (A very strange northern woman) I know not about security; sell me some security. Fat Bloke: Would like to buy some security? No? (Aimless chit-chat followed, during which time I got some insight into just how un-P.C, and intolerant some people can be. A n d you can guess it takes a lot to shock me. But I was, so I left.)
Preinterview Questionnaires Interviews are a poor way of selecting employees, but what real choice do we have? One company, the leader in the field for alternative site recovery centers, choose to use a basic questionnaire to help them choose new hires. Unfortunately, they got the day-release student from the H1K department to write it, and English obviously was not a strength. The company was recruiting for an IT director who specialized in networks, security, and disaster recovery. It sounded like a great job, but I had a nice challenge where I was, and the questionnaire (see Figure 6.1) was too banal to resist. Even after I submitted this questionnaire, they were very eager to retain me for the position, but arrogant fool that I am, I just could not bring myself to go along.
www.syngress.com
117
118
Chapter 6
9Interviews, Bosses, and Staff
Figure 6.1 Fat Bloke's Preinterview Questionnaire Candidate Name: Date completed: Position applied for Key questions
Mark Osborne
29/09/05
Director IT--- Europe
1. Bilingual- What languages and please rate fluency on a one (1) to five (5) scale (1 poor/weak and 5 beinq very stronq) French comprehension - 2 French spoken - 1 2. What type of IT environments have you worked in? (i.e. structured -lots of standards and policies or unstructured with little or no policies/standards established) Banking-- Regulated and structured using large mainframe Banking m Regulated and structured using distributed PC and Unix Banking M & A - - I want it yesterday Service provider-- Varied Manufacturing-- No regulation, emerging standards Start-upm No idea ........... several more HR questions . . . . . . . . . . 10. - Have you ever reported to a manager/supervisor who was remote? If so, how fair a way is it? How did you feel about that? My current boss is very remote and distant-- Sometimes he talks to me while staring out at the river Thames below Canary Wharf. How Fair? Well, I think its reasonable~ He has a lot on his mind, running a large company an all- And I am not a trainee. How do I feel?~ I quess I feel hunqry. 12. How do you select team members for an interview process? I have a magic formula for this - When I select members of my team to participate in an interview process to recruit a new member of staff, I would routinely select: the potential employees manager a potential workmate of the candidate In this way from the manager, I get feedback on whether the candidate "fits" the culture and is manageable. The workmate gives an assessment of the candidate's ability to do the job. Revolutionary. 13. How do you handle challenqes that are escalated to the executive level? I consider myself to be "executive level". For example, in my current role, I have regular interaction with the CEO. And although it isn't GE, this is a $250million p.a. revenue company. This role, I am told, is one level below the board and has 50 or more staff. So presumably it is also an executive level position. So "How do I handle challenges that are escalated to the executive level?"-- Well exactly like I was dealinq with a peer!! 15. How do you feel about international travel? I feel International travel is brilliant for travelling to other countries or continents. International travel can be a pleasant experience-- or not, usually dependent on the travel policy of the firm in question. So you tell m e - - How do you make it easy for me.
Interviews, Bosses, and Staff
9Chapter 6
Interviews as the Interviewer But I am not the worst interviewee in the world. Here are some contenders for that title.
Interview 1 W h e n I was a principal security consultant, I was looking for a number of junior consultants. A bloke from Zergo, the leading consultancy of the day, had a great CV. Fat bloke: So you know Sidewinder.Tell me about it. Interviewee:
Silence
Fat bloke: I also see you have used FireWall-1 and Gauntlet. Tell me what generic type or class of firewall each is. Perhaps highlight the pros and cons? Interviewee:
Silence
Fat bloke: Take your time; nod if you can hear me.
Interview 2 In my current role, I was demonstrating what a good chap I was by helping recruit IP engineers. The following was possibly the worst start to an interview: Fat bloke: I am standing in for the VP in charge of that section; he is on the board and he would be your boss's boss. I am Mark Osborne, chief information security officer. Interviewee: Ha, ha, ha, security officer~what! Have you come to check me badge? Look, here it is! (Holding up his visitor's pass) Oh, but I'm not wearing it, look. Ha, ha, ha! You'll have me escorted out the building, ha, ha, ha!
After 20 minutes
119
120
Chapter 6
9Interviews, Bosses, and Staff
Fat bloke: Look, I have let this run on much longer than normal because of your poor start, and I wanted to be more than fair. But we've asked you 15 questions and you haven't even come near to getting one right.You've applied for a job as an IP engineer and you've consistently demonstrated you don't know anything about routers and switches. It has been torture. W h e n you write IOS 12.1 on a CV, people think you know IOS 12.1, not that you sat in the same office as someone that knew it! Interviewee: I see myself as a manager. Fat bloke: Then in future I suggest you apply for jobs with "manager" in the title.
Bosses N o w let's discuss bosses.
Runner-up for the Worst Boss in the World This coveted award goes to a good-hearted and well-meaning fellow. Apart from his one defect, he had nothing really wrong with him. The main problem was this guy was visibly dirty and stank. He looked the spitting image of Neil from "The Young O n e s " ~ t h e original hippie. This guy was so dirty that the catering manager banned him from the canteen, declaring that he was "a health hazard."
Worst Boss in the World The winner of the title worst boss in the world definitely goes to a partner I used to work with; let's call him Melvin Sheriff. The man was definitely a loony. He would get overly excited for no apparent reason and rub his hands together so rigorously that there was real risk of" human combustion while he reeled off a whole series of self-rebukes. Later in life, when we moved to more modern buildings with glassfronted offices and meeting rooms, he took to telling himself off, or more correctly, telling off his reflection that appeared in the glass wall. This involved a furiously wagging finger, like some crazed orchestra conductor, pointing and
Interviews, Bosses, and Staff
9Chapter 6
stabbing as the rant reached a crescendo. This was bad enough, but if you happened to be passing by or if you were a visiting client inside the meeting room, it could be more than distressing. Classic incidents included: 9 He turned up to work in one brown Oxford shoe and one black brogue and then went into a client meeting without changing. 9 A finance director of an asset management firm said he never wanted to speak to Mel after he messed something up and caused the director serious job jeopardy. However, Mel insisted that he retain the role of client partner despite this. Apparently weeks of meetings ensued where Mel insisted on turning up. The finance director would completely ignore him and insist that everyone else do as well. If Mel spoke, the finance director started repeating "We can't hear you, we can't hear you" or began "La-la-la-ing" very loudly. m We were partnering with RSA Security (very famous for encryption and token authentication) and holding a series of lavish marketing events that they had paid for. Mel walked up to Graham, head of sales for Western Europe, and said, "What do RSA do, then? I've never heard of them." []
We were attempting to partner with Cisco (also very famous). Mel refused because "he didn't want to be associated with a mail-order catalogue firm" (he was thinking of Misco).
Commonly, Mel would lose anything~briefcases, laptops, and phones all seemed to feel a desperate desire to escape his influence. At one stage, the IT department refused to issue him with any mobile phone except those had been marked for end of life. Why? Well, because he would leave them places. This trend was not limited to phones. It also included confidential reports. He would constantly write out yellow Post-Its to himself and attach them to reports. "Review this for me by tomorrow, Melvin," the notes would demand. Having an attention span of a newt, Mel would go and talk to someone, only to be spirited away to lunch. Lunch, oh lunch~ever calling, ever important for Mel. In an open plan office at least 20 feet from his desk, he would relieve himself of the burden of the weighty report he'd been carrying by www.syngress.com
121
122
Chapter 6
9Interviews, Bosses, and Staff
depositing it on some random and unsuspecting junior's desk~instead of securing it in his office. Predictably, the junior would return, be unable to find Mr. Sheriff because he was down in the pub (with phone AWOL, of course). The ubiquitous junior, always keen to please, would work all night producing an analysis of investment bank regulations in Brazil, following the directives of the Post-It. I k n o w - - i t happened to me, but once was enough. Please don't feel sorry for h i m ~ h e wasn't a nice man.
Worst Employees I never really had any truly bad employees. But I've had a few nutty or funny ones. Here are a few examples: 9 The employee who called in sick one day because he thought he had rabies. Apparently, while in Thailand, he was stroking a stray cat that urinated on him. Apparently in Thailand, rats have rabies, and cats eat rats, ipso facto. 9 The employee who called in sick because he had "exploding tooth syndrome"~apparently a real affliction, according to the Internet. However, this turned out to be a bit of fingernail stuck between his teeth. 9 Then there was the employee who tried to run a mini-cab company from his mobile phone. 9 Dave, who took six different doses of compassionate leave for his grandmother's funerals. I want to know who kept on digging her up. 9 Then there was Danny, the stunningly beautiful and violent security analyst who seemed to assault everyone, but nobody complained. But they were all fantastic and sparkly.
Summary You should laugh as much as possible.You have to if you are going to survive in security. But enough levity. N o w let's dive into the more technical side of security.