
Understanding your Organization

March 23, 2013

One of the interview skills that is most often preached yet least often followed is this: research the company before you walk in the door. Without understanding the organization, its products, and its values, it’s very difficult to explain why you would be the best person for a job within it. It is important to understand not only how you would fill the role, but very specifically, how you would fill the role at that company.

When I am interviewing candidates for security roles, I will often ask questions about what they think the biggest risks are to the organization. One candidate, coming from a role with an online gaming company, believed DDoS attacks would be the biggest concern, without realizing that as a brick-and-mortar retail business with no e-commerce, this type of attack would have very little impact on the organization beyond a minor PR hiccup. Another candidate, focusing on compliance risks, said that PCI compliance would be a concern, with SOX being a possible implication if we were publicly traded. Wait, what?! If you are interviewing with a well-known Fortune 500 company, you should at least know whether or not they’re publicly traded!

Small details like this can have a large impact on how you would apply your role within the organization. After the interview, this information becomes even more vital to how you’re applying your resources. One thing I’ve learned very rapidly in this industry is that you can’t try to “boil the ocean”. In any medium to large organization, you could have small armies working at full utilization just trying to keep up with the day-to-day demands of keeping every system secure.

By understanding your organization’s core competencies and values, you can identify the risks which would have the biggest impact. If Internet-facing systems are offline, can your company still do business? Would it be noticed as a small hiccup in daily business, or would it negatively impact customer opinion? What critical data is being stored? Which of these would have the largest impact on the organization if it were breached? While it’s easy to see that retailers would likely be most affected by a breach of payment systems and that health care organizations place the most importance on the patient record, some companies are a little harder to pinpoint. Be sure to consider financial impact, legal repercussions, and PR implications.

Whether you’re trying to get your foot in the door or you’re looking to improve your current organization’s security strategies, it’s critical to understand the business drivers for your solutions. Our mission needs to be to improve the security posture while furthering the needs of the business. Sometimes, concessions will need to be made to ensure business can operate, even if it comes at a security risk. What is important is being able to identify that risk, fully understand its potential impact, and present a risk-based evaluation of whether that impact may outweigh the business impact. Once you can do that, your value to the organization will speak for itself!

 
