1. What is salting, and why is it used?

You purposely want to give the question without context. If they know what salting is just by name, they've either studied well or have actually been exposed to this stuff for a while.

2. What is the difference between a threat, a vulnerability, and a risk?

As weak as the CISSP is as a security certification, it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you'd like, but keep in mind that there are a few differing schools of thought on this. Just look for solid answers that are self-consistent.

3. What is your experience with developing business metrics?

Keep your response brief, like you would for “Tell me about yourself,” but outline important experience you've had in this area.

By keeping your response brief, you can open up the conversation to be more like a dialogue about the employer's business metrics rather than a Q&A.

4. What is the goal of information security within an organization?

This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. “To control access to information as much as possible, sir!” While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I'm looking for. A much better answer in my view is something along the lines of, “To help the organization succeed.”

This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding--a realization that security is there for the company and not the other way around.

5. How does one defend against CSRF?

Nonces required by the server for each page or each request are an accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here, not a full, expert-level dissertation on the subject. Adjust expectations according to the position you're hiring for.
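As an added illustration of the per-request nonce defense described above (example code written for this page, not from any particular framework): the server issues a random nonce bound to the visitor's session, and a state-changing request is only accepted if it presents an outstanding nonce for that same session, after which the nonce is discarded. The in-memory store, the session identifiers and the form fields are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Set


class CsrfNonceStore:
    """Per-request anti-CSRF nonces, bound to the issuing session and valid once.

    A real deployment would keep this in the session backend; the dict here is a
    stand-in so the example runs offline.
    """

    def __init__(self) -> None:
        # session_id -> outstanding (unused) nonces for that session
        self._issued: Dict[str, Set[str]] = {}

    def issue(self, session_id: str) -> str:
        """Generate a fresh unpredictable nonce and remember it for this session."""
        nonce = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._issued.setdefault(session_id, set()).add(nonce)
        return nonce

    def consume(self, session_id: str, presented: Optional[str]) -> bool:
        """Accept the nonce only if it is outstanding for this session, then retire it."""
        if not presented:
            return False
        outstanding = self._issued.get(session_id, set())
        matched = None
        for nonce in outstanding:
            # Constant-time comparison; bytes so non-ASCII input cannot raise.
            if hmac.compare_digest(nonce.encode(), presented.encode()):
                matched = nonce
        if matched is None:
            return False
        outstanding.discard(matched)  # single use: a replayed nonce is rejected
        return True


def handle_transfer(store: CsrfNonceStore, session_id: str, form: Dict[str, str]) -> str:
    """Hypothetical state-changing endpoint: reject the request unless the nonce checks out."""
    if not store.consume(session_id, form.get("csrf_nonce")):
        return "403 Forbidden"
    # ...perform the transfer for this session here...
    return "200 OK"
```

A cross-site page cannot read the nonce out of the victim's form, so a forged request arrives without a valid, unused nonce for that session and is refused.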

6. If I started my career as an IT auditor, where might it lead?

As with most careers, it is difficult to predict where they will lead. Certainly it is common for CISAs in public accounting firms to move into line management. Other possibilities are to move to industry and become an internal auditor, an IT risk or IT security manager, or a CIO.

7. Where do you get your security news from?

Here I'm looking to see how in tune they are with the security community. Answers I'm looking for include things like Team Cymru, Reddit, Twitter, etc. The exact sources don't really matter. What does matter is that the candidate doesn't respond with “I go to the CNET website” or “I wait until someone tells me about events.” It's these types of answers that will tell you they're likely not on top of things.

8. What is the difference between stored and reflected XSS?

Stored XSS sits on the server side, either in a static page or pulled from a database, and is displayed directly to every user who views the affected page. Reflected XSS comes from the user in the form of a request (usually a link or form constructed by an attacker) and is echoed back in the site's response, so it runs in the victim's browser when the results are returned.

9. Tell me about a time when you made a mistake on the job.

Early in my career, I made a mistake on a report and denied a client their claim on the grounds that the car accident appeared to be a result of their negligence as opposed to the negligence of the other party. I found out later that I was too quick to make that decision. I had not spoken to the police first, who later informed me that the evidence I was looking at was taken after the vehicles had been moved from the scene. They showed me photographs of the vehicle immediately after it had happened, which clearly showed the other party was at fault. I was too quick on the draw, and I learned that every case requires due diligence.

10. What is your role within the month-end close process?

Being able to articulate your function, your responsibilities, and the specifics of how you go about the end-of-month close at your current or most recent firm is a very important piece. Be able to sum up every bullet point on your resume, mentioning highlights and focusing on accomplishments.

