Top IT security manager interview questions – TechTarget

IT security managers are responsible for monitoring security across an organization’s network. Beyond the technical side, this role often includes leadership and managerial responsibilities.
IT security managers can expect a salary of around $140,000 based on the U.S. national average on Salary.com. Candidates for the job typically have a bachelor’s degree in cybersecurity, computer science, engineering or a similar field. Those looking to pursue this career path can set themselves apart from other candidates by also completing a certification, such as Certified Information Security Manager, CISSP or Certified CISO.
The first step in applying for an IT security manager role involves creating a resume. Next up, it’s time to start preparing for the interview.
“An interview is a two-way street; it’s an opportunity for the organization to talk to the candidate but also for the candidate to see if the organization is the right fit,” said Christophe Foulon, co-author of Hack the Cybersecurity Interview. An organization might offer the right pay, but if there’s a culture clash, the candidate is going to end up frustrated or burned out, he added.
Here, Foulon and co-authors Ken Underhill and Tia Hopkins offer advice on how to answer the most common IT security manager interview questions, as well as questions the interviewee should ask the interviewing organization.
Editor’s note: This text has been edited for length and clarity.
What is your top tip for candidates preparing for a security manager interview?
Christophe Foulon: My top tip is to understand the expectations of the role. A security manager may oversee people, a product or a process — or the role could span all three. Read the job description, and ensure you understand which of those three, or combination of those three, would be your responsibility. For example, an application security manager is responsible for the process and technology surrounding application security, so they might not be responsible for people, whereas security engineers sometimes work with the development team from the business. In this scenario, the engineer is meant to act as an embedded security champion in that team.
Ken Underhill: Researching the company and how the job you are applying for fits into the overall security strategy is important. Most candidates I have interviewed never do any research on the company and how the open position will help us. Those that do research have received job offers 99% of the time. As a manager, you need to be prepared to give examples of projects where you have led a team, as well as challenges, bad decisions and positive measurable results you have received.
What are the most common behavioral questions asked in a security manager interview?
Underhill: We have a chapter in the book dedicated to the most common behavioral interview questions we have been asked over the years. I also recommend the software Interview Ready because it helps you identify areas of weakness in your interview skills.
Most behavioral interview questions start with one of these statements:
My advice is to be honest and provide measurable results — for example, ‘I did X, which led to Y, and the results were Z savings for the company.’
Foulon: One of the most common questions is, ‘Tell me about a time where you tackled a difficult situation.’ As a hiring manager, I’m looking for a story or situation where you took action and had results. Another question could be, ‘Tell me about a time you had to deliver difficult news to a stakeholder or a time where you had to deliver challenging results.’

What are the most common technical questions asked in a security manager interview?
Underhill: The technical questions depend on the type of security manager role, such as cloud security manager, network security manager or application security manager.
You can usually expect technical questions to be in depth and ask about the tech stack. For example, as a cloud security manager, you would likely be given a client scenario and asked to architect a more secure network for the client versus an entry-level job interview, where the interviewer would probably just ask about the OSI [Open Systems Interconnection] model.
There are several different job titles for cybersecurity managers. What are the most common?
Underhill: It depends on the organization, but here are some: network security manager, security operations center manager, application security manager, information security manager and cybersecurity manager.
Foulon: The common titles make themselves obvious. For example, vulnerability managers handle vulnerabilities, and application security managers deal with applications. It gets more complicated when you work for a smaller organization where you must wear multiple hats versus an enterprise where you’re a gear in a larger machine.
What questions should interviewees ask at the end of a security manager interview?
Tia Hopkins: Always ask the soft close question, ‘Is there anything about my background or skill set that concerns you with respect to my ability to perform in this role?’ Another one is asking questions about resources — for example, budget, team size, etc. — and leadership so you have a sense of what you might be signing up for.
Foulon: Ask about a particular interest or preferences toward a certain cause. For example, if you know that you won’t work well with someone that is your polar opposite, you want to find that out in the beginning. The company or hiring manager could have an opposing stance on a particular topic that could be telling about the company culture and how it addresses this particular issue. Based on the response, you’ll know if that’s the type of environment you want to work in.
Underhill: I recommend candidates ask what three challenges the organization is trying to solve with this position. If the interviewer doesn’t know and is the hiring manager, then ask what the top three things are that they need help with in the first 30 days after you’re hired. Based on your research of the company, also ask something such as, ‘What have been the benefits and challenges of project X you rolled out?’ For example, if a company rolls out a new software, find out the lessons learned from the rollout.
About the authors
Ken Underhill is CEO, executive producer and host of the syndicated Cyber Life television show. Underhill educates around 2.6 million people each year through his online cybersecurity courses and sits on the advisory board of Breaking Barriers Women in CyberSecurity and the Whole Cyber Human Initiative, along with sitting on the board for a number of cybersecurity startup companies.
Christophe Foulon, senior manager and cybersecurity consultant at F10 FinTech, brings over 15 years of experience as a CISO, information security manager, adjunct professor, author and cybersecurity strategist. He also has spent more than 10 years leading, coaching and mentoring people.
Tia Hopkins is field CTO and chief cyber risk strategist at eSentire and adjunct professor of cybersecurity at Yeshiva University. Hopkins was recognized by SC Media as an outstanding educator in 2019, as well as one of the Top 25 Women Leaders in Cybersecurity and Top 100 Women in Cybersecurity, both in 2020. In 2021, she was recognized as a Top Influencer in the Security Executives category by IFSEC Global. Hopkins is also founder of Empow(H)er Cybersecurity, a nonprofit organization aimed at inspiring and empowering women of color to pursue cybersecurity careers.
All Rights Reserved, Copyright 2000 – 2022, TechTarget
