For those of you that remember what an "E" ride was, it's telling of your age. I had a really good conversation with someone the other day about what questions I would ask when looking at security roles. I thought I would list them out for discussion points and thoughts. Mostly these are from lessons learned in past organizations where the hurdles were not discovered until I landed and uncovered them.
1) What is the current project spend in relation to IT spend (CapEx/OpEx)?
Note: generally, a company will spend about 5% of its IT spend on security. This can vary from industry to industry but can be used as a rule of thumb.
2) What are the current process maturity levels of IT (CM, PM, SDLC)?
Note: A company with little to no maturity in the core processes will never get out of the fire-drill mentality. This can be evidenced by audit reports, etc. The main discovery point is whether they can explain how it's mature, whether it's distributed or centralized, etc.
3) What is the current staffing of security relative to the overall company?
Note: this is a big variance and can drive a lot of questions. Most companies with an overall employee base of 10-20k will have a security group of 30-40. There can be more if operational functions are included or if it's in a unique industry. There could be less (25-30) if it's a true governance role and any compliance is separate. It could also be less if it's a distributed model. Too many people is a demonstration that their processes are not mature and they are just throwing bodies at it. Too few and it could be that security is not really supported.
4) What is the attrition rate?
Note: technology roughly ranges in the 10-15% annual attrition range. Above that, say 30%, can be an indicator of a problem in the company and/or the team.
5) What is the average "open req to butt in seat" time?
Note: This should be within 30-60 days. Remember, this is subjective to the location as well. It's really hard to find good security people to begin with, but it's even harder to find them in areas such as the Bay Area or Bangalore. Even with that, the inability to attract new talent is something that can cause problems. It can also be an indicator that the talent acquisition construct in the company is way too big of a hurdle and is limiting hiring.
6) Is there a documented company and technology strategy for the company?
Note: without this you're fighting an uphill battle. A company that can't articulate where the company is going or how technology supports it will have little ability to understand a security strategy and accept it. Also, since most of security is attaching to the business processes and functions, without that concept of a strategy to attach to there's no clear direction.
7) Not really a question, but you need to map out the company's fiscal and business health. Read the 10-K and 10-Qs. Understand their revenue growth, PEG, industry growth and overall macro environment.