Three Common Mistakes to Avoid When Interviewing

So you have read my blog about finding your next opportunity, and now you have started to interview. I would like to share three common mistakes I see interviewees make that can cost them the job they are hoping to land:

1. Not doing your homework. Every interview situation is different, but most people would admit that interviewing is stressful. The best way to beat that stress is by being prepared. Being over-prepared is even better! The vast majority of candidates I help prepare to interview focus on only one thing: What questions will they ask me and how do I answer them? That’s a start, but let me give you a few more things to prepare for:

  • Research the people you are meeting with on LinkedIn or Google to identify common professional connections, business interests or hobbies outside of work.
  • This may sound obvious, but research fully what the company does. Do not know them only on the surface. Make sure you know every product, service offering and who their customers are.
  • Show them you have done your homework by reviewing the company’s recent news headlines and reading their last Form 10-K (if publicly traded).
  • Prepare concrete reasons you want to work for them and not their competitors. What sets them apart?

2. Not asking the right questions – or not asking questions at all. In my opinion, the worst thing that can happen is if an interviewer asks, “Do you have any questions for me?” and you say, “No, I think you answered them all!” You are planning to work at this company for years and you cannot think of so many questions there will not be enough time to cover them all? Uh oh …

Be over-prepared, with enough open-ended questions (think: how, what, why) to talk for double the amount of time allocated for the interview. You may have only two hours to prove to them you will be a contributor at their organization for years to come. Show them how interested you are by drilling down into the details of what they are doing and how they do it, and steer the conversation toward how you would make an impact if you were hired.

I often get questions about how to learn more about the benefits package during an interview. My advice is to leave out questions on any non-negotiable items until after you have interviewed. Make them want to hire you first, and then focus on getting the benefits details from HR at a later time.

3. Writing a bad follow-up letter. A poorly written and/or bland follow-up letter is one of the easiest ways to ruin an excellent interview. Auditors need to have strong writing skills, and you cannot afford to send a letter with a single typo, punctuation or grammatical error. Have someone proof your letter before you hit ‘send.’ Also, avoid a generic follow-up letter like, “Hi Mark, Thanks so much for taking the time to meet with me today. I enjoyed learning about your position. I look forward to hearing from you soon.” There is no meat to that, and you are missing an opportunity to make yourself stand out.

Be specific in your follow-up letters. Why did you enjoy meeting them? What specifically about the job interested you? Why do you want to work for their company? What part of your background do you think would benefit them the most after learning more about their position?

Bonus tip: Use the follow-up letter as a chance to clarify an answer you may not have communicated well.

Author’s note: I hope these three tips help you to successfully navigate your next career transition. There is a lot more that we can cover at a later time. Until then, I’d like to hear from you. What is your biggest interview mistake and what did you learn from it? What is the best question you have ever asked as an interviewee or best question you have ever been asked by a candidate?

Brad Owens, Recruiting Director, Duval Search

[ISACA Now Blog]

2017 Cybersecurity Predictions: Japan Confronts SMB Cyber Resiliency, Anticipating Tokyo 2020

This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.

In Japan there is much hype around the 2020 Summer Olympics and the expectation that the event will create new business opportunities. There is also concern about cyberattacks disrupting the Tokyo 2020 Olympic Games operations and the theft of national security and/or trade secrets. This type of attack would harm the competitiveness of companies in Japan and damage reputations. With this in mind – and because the Internet of Things (IoT) is rapidly expanding and introducing new attack vectors – here are some sure things and long shots for 2017, based on these dynamics.

SURE THINGS

Cyber insurance will become more popular.
Cyber insurance services have been available in Japan since at least 2012, but the growth of the market in this country had been slower than in the U.S. While Japanese companies were not motivated to invest in stopping potential risks whose damage scale was unknown before actually suffering from cyberattacks, U.S. organizations across various company sizes are willing to consider such risks and invest in them. Another key difference is that Japanese businesses tend to be more reluctant to reveal cyber incidents (per an article from ScanNetSecurity) to other parties, including their own cyber insurance companies, than American businesses are, probably because of the pressure of the shame culture which we profiled in a recent blog.

The tide changed when the Ministry of Economy, Trade and Industry (METI) and Information-Technology Promotion Agency (IPA) published the Cybersecurity Guidelines for Business Leadership Ver 1.0 in December 2015 and the document encouraged companies to use cyber insurance. NISC’s Cybersecurity Approach for Business Management in August 2016 addresses how major companies and SMBs can seek cybersecurity effectively. The document acknowledges that SMBs’ limited resources make it difficult to adopt sophisticated security products or solutions, and suggests SMBs use cloud-based security solutions and cyber insurance. As major companies have enhanced their security, attackers have ramped up targeting of SMBs (per an article from MYNAVI News) that often are short of the resources needed to detect breaches. This is the case, even though Japan’s economic strength and major companies are reliant on Japanese SMBs, some of which have high technical competence and provide parts for precision machines and metal-processing.

Cyber insurance for SMBs was born in Japan, and the pressure being placed on SMBs could lead to a variety of cyber insurance types, which would be beneficial for financially challenged and resource-constrained companies that use cybersecurity services associated with such insurance. It is important to help those companies proactively invest in cyber defense technologies.

There will be more pressure on SMBs and non-critical infrastructure sectors to take cybersecurity measures.
SMBs and non-critical infrastructure sectors will see mounting pressure to take on more cybersecurity measures due to the Japanese government’s recent publications about the necessity of cybersecurity. Several events led to this:

First, the Japanese government revised the 2003 Personal Information Protection Act in 2015 to remove an exception for SMBs holding fewer than 5,000 pieces of personal information to protect and prevent breaches of personal information. The Act’s revision was specifically timed to coincide with the January 2016 introduction of “My Number,” a new personal identification system for Social Security and taxation information, which has resulted in SMBs (and all companies) holding more personal information on residents in Japan.

Second, the Japan Tourism Agency’s Advisory Committee to Address Breaches in the Tourism Sector published an interim report in July 2016, and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released the Cybersecurity Approach for Business Management in August 2016. The report encourages stronger cybersecurity in the tourism sector and also critical infrastructure sectors governed by the Ministry of Land, Infrastructure, Transport and Tourism (MLIT), which are aviation, logistics, and railways. Since Japan wants to see an increasing number of tourists to Japan during the 2020 Summer Olympics and the smooth operation of the event is key, tourism backed up by convenient and secure transportation services is definitely crucial. That is why both of the documents addressed the dire need for more cybersecurity measures taken by SMBs. 2017 will likely see follow-up guidelines.

Third, the NISC IoT Security Framework in August 2016 indicates the need of IoT security-by-design for manufacturers, even though they are not currently categorized as part of critical infrastructure in Japan. It means stewardship ministries and agencies would need to start drafting such guidelines.

Companies will be more active in cyberthreat intelligence and analysis sharing.
The 2020 Summer Olympics hype has certainly led to a huge expectation of innovation to showcase novel designs and technologies that drive economic growth. This all must be done in a secure manner for the convenience and safety of users. Voluntary cyberthreat intelligence-sharing is important to understanding the latest threat landscape and applying appropriate cyberdefenses. Active cyberthreat intelligence-sharing is encouraged by Cybersecurity Guidelines for Business Leadership Ver 1.0 in December 2015.

In fact, the auto and electric power industries plan to launch such frameworks. In October 2015, Prime Minister Shinzo Abe stated at the Annual Meeting of the Science and Technology in Society (STS) Forum that driverless cars will be available in Japan when the 2020 Summer Olympics and Paralympic Games are held. Thus, manufacturers, including those in the auto sector, will be under growing pressure to innovate new and secure cars. That is why car manufacturers and auto parts providers will launch a forum for sharing cyberthreat intelligence in January 2017. In addition, Japanese electric power companies, including Tokyo Electric Power Company, plan to establish an Electric Power Information Sharing and Analysis Center (ISAC) to share cyberthreat intelligence and best practices and cooperate with overseas entities, especially the U.S. Electricity ISAC and European Energy-ISAC.

Given this trend toward Tokyo 2020 and the importance of manufacturers, tourism, and transportation-related services, more cyberthreat intelligence sharing frameworks will be born in those sectors. Tourism agencies have begun to have regular information-sharing meetings to prevent massive personal information leaks, and a guest lecturer recommended creating a tourism ISAC at the third meeting in September 2016. Thus, the Japanese government would appreciate best practices of the U.S. or other countries’ cyberthreat intelligence sharing, such as ISAC, and is interested in acquiring cyberthreat intelligence to add geopolitical context to technical analysis and serve governments’ and industry’s decision-making processes for risk management. The Cybersecurity Strategy in September 2015 recognized that it is important to fuse cybersecurity analysis with technical, legal, international relations, security, and social-scientific perspectives. NISC started to list potential cyber risks to Tokyo 2020 in Japan Fiscal Year 2016 and will continue to review the list and take cybersecurity measures to address the risks. This effort would also require the support of good cyberthreat intelligence and analysis from different types of expertise.

The Japanese traditional procurement system only allows one to buy visible and countable items, and this makes it challenging to procure cyberthreat intelligence, which is not necessarily “countable” unless it is put in reports. Yet, the pressure of Tokyo 2020 is gradually changing the Japanese mindset, and the country is definitely seeing more interest in cyberthreat intelligence and analysis, in a variety of formats.

LONG SHOTS

Increased focus on securing remote medical services used for disaster relief in the aging society.
Japan is known for its high frequency of natural disasters, such as earthquakes and typhoons. It is also dealing with the reality of an aging society. These challenges have led to demands for remote medical services for disaster relief and elderly people by taking advantage of IT and IoT, such as drones. This also requires cybersecurity services to protect the convenience of these services and to protect human lives.

Japan had a few major natural disasters in 2016, including the Kumamoto Earthquake and the East Japan typhoon. The aging population already passed 25 percent in 2013, and the Japanese government expects the number will reach 39.9 percent in 2060, or two out of five people at 65 years old or older. At the same time, the population has been shifting from rural areas to major cities. The Japanese government expected in 2012 that those rural areas would see a drastic 61.0 percent decrease in population, from 2.89 million people in 2005 to 1.14 million people in 2050. This affects the availability of doctors in rural areas. According to a report by the Japan Hospital Association in May 2016, 80.0 percent of hospitals all over Japan said that they do not have a sufficient number of doctors. While 72.7 percent of hospitals in big cities said they have a shortfall of doctors, the figure is 92.5 percent in rural areas. The gap between cities and rural areas is widening.

This is even more problematic for disaster relief activities, especially because the Japanese government used to ban remote medical services, except for special cases in isolated islands or rural backwater areas, where face-to-face medical treatment is physically difficult. Finally, in August 2015, the Ministry of Health, Labour and Welfare issued a document to acknowledge the needs and benefits of remote medical services and approve remote medical services if they are combined with face-to-face medical treatment although it does not require face-to-face service before remote service. New medical services have become available since then and the first case for disaster relief was in April 2016 when two companies in Japan provided free remote health consultation by using smartphones and volunteer doctors to help Kumamoto Earthquake victims. This type of new disaster relief effort will be in high demand in the future.

Drones also expand the scope of remote medical services by delivering medicine. Since the revised aviation law was enacted in December 2015 to add rules for drones, proof-of-concept tests have started in rural areas, such as Yabu City (per an article from Nikkei Digital Health), Hyogo Prefecture, and the western part of the Japanese mainland.

Associated cybersecurity services will be in demand to ensure the convenience of such services and to protect patients from disruption to the services by cyberattacks. Proactive, prevention-based cybersecurity is needed.

Massive My Number personal information leak will happen.

Japan faced massive breaches in May 2015 and in summer 2016. The May 2015 incident saw the leak of 1.25 million pieces of personal information from a government-associated organization, and the June 2016 incident saw the leak of personal information belonging to 7.93 million people from a tourism agency. In July 2017, the Japanese government will start to share My Number-related information with local governments for welfare services. Since all of the organizations now have more personal information from their employees, thanks to My Number, they are more worried about potential breach risks.

According to an ABeam Consulting Ltd. survey of 1,917 publicly listed Japanese companies (105 companies responded) conducted between May and June 2016, almost all had finished gathering My Number information from their employees. Nonetheless, in most cases, security measures taken for My Number remain expedient. For example, only 49 percent of companies have audit policies in place to check the data regularly. While 72 percent say they have strengthened access control for the systems to store My Number information, only 16 percent had improved prevention and detection of potential hacking. Although half of the companies plan to provide training for people who are newly assigned to deal with My Number, only 39 percent plan to review the training program regularly, and 32 percent plan to provide such training in a repetitive manner.

If those problems remain unresolved, Japan will most likely see a bigger scale of personal information breaches in the near future. Of course, cybersecurity efforts cannot be made overnight. It takes time because they entail the reform of corporate governance, as we pointed out in our September blog. But if Japan can combine My Number security efforts with cybersecurity governance for the success of Tokyo 2020, it will prevent damage by potential cyberattacks to steal or leak personal information.

What are your cybersecurity predictions for Japan? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for ICS.

[Palo Alto Networks Research Center]

UK’s “National Cyber Security Strategy”: Contributing to Increasing Cybersecurity and Prosperity in the UK and Worldwide

The UK government recently released its new National Cyber Security Strategy 2016-2021. Recognizing that cyberattacks on the UK are a top threat to the UK’s economic and national security, the strategy outlines a vision and goals to create a UK that is secure and resilient to cyberthreats, as well as prosperous and confident in the digital world. The UK has always been at the forefront of cybersecurity activities, and its new strategy is an important contribution to and model for global efforts.

The strategy lays out a substantive set of goals, actions and metrics mapped to three important pillars:

  • Defend: The government will strengthen its own IT defenses and work with industry to ensure UK networks, data and systems are protected against evolving cyberthreats.
  • Deter: The UK will strengthen law enforcement’s capabilities to increase the cost of cybercrime.
  • Develop: The government will help to develop the UK’s critical capabilities, including cyber skills, as well as the country’s growing cybersecurity industry, to keep pace with cyberthreats.

The strategy includes an impressive set of plans, based extensively on working with the private sector.  While all parts of the strategy are laudable, highlighted below are a number of its forward-looking approaches that will surely contribute to greater cybersecurity in the UK.

First, the strategy immediately puts into action its stated goal of partnering with industry. For example, as part of this strategy, the UK has created a new National Cyber Security Center (NCSC), which is a single, central government body bringing together many of the government’s cybersecurity functions, including CERT-UK. The NCSC will be the UK’s authoritative voice on cybersecurity and aims to build effective cybersecurity partnerships between government, industry and the public. The NCSC’s commitment to direct industry engagement will help to deliver many elements of the strategy. The NCSC will manage national cyber incidents, provide expertise and deliver tailored support and advice to government and industry.

Second, the strategy aims to prevent and reduce the impact of cyberattacks on the UK, reflected in a new “Active Cyber Defence” program. Described in a blog by Ian Levy, technical director of the NCSC, this effort aims to make a significant proportion of UK networks more robust through automated prevention, ensuring UK citizens are protected by default from the majority of large-scale commodity cyberattacks. For example, the government plans to provide automated protections to citizens accessing online government services and states that, where possible, “similar technologies should be offered to the private sector and the citizen.” Using automation to prevent successful cyberattacks is wise, given that attackers themselves deploy sophisticated, automated attacks. Responding with manual defenses just won’t scale: we won’t keep up and, in fact, will continue to fall behind. The UK’s prevention-focused calculus will change the dynamic that currently favors attackers, tilting the balance to help the UK government, businesses and individuals better protect their networks. The strategy envisions the development and deployment of automated cyber defense in partnership with industry.

Third, the strategy strongly endorses cyberthreat information sharing. In fact, one of the NCSC’s initial emphases will be on facilitating such sharing, including ensuring UK government organizations have easy access to cyberthreat information and improving government-industry sharing. The goal is to “ensure that citizens, businesses, public and private sector organizations and institutions have access to the right information to defend themselves.” Sharing threat intelligence on advanced cyberattacks, cybercriminal motivations, and the tactics of malicious actors is essential to defend networks and prevent successful attacks. The UK also plans to move toward automated cyberthreat information sharing to allow organizations to act swiftly on relevant information, an important measure that will support the aforementioned automated prevention goal.

Fourth, the strategy focuses heavily on helping industry to raise its cyber resilience. The government plans to work with critical national infrastructure (CNI) but also will expand outreach to many more firms: the “UK’s most successful” companies, companies that hold a large amount of data, high threat targets, digital service providers, insurers, and others. While the exact risks to these companies may differ, they all require cybersecurity for competitiveness and efficiency. Although the government plans to continue its practice of helping via investing in innovation and encouraging industry’s voluntary action, the strategy acknowledges a role for regulation, noting that the UK plans to use the forthcoming General Data Protection Regulation (GDPR) to drive standards of cybersecurity across the economy.

Fifth, augmenting the cyber resilience goals above, the strategy stresses that whether in industry or government, cybersecurity now needs to be viewed as a C-level or board-level concern, not simply an IT issue. The strategy notes responsibility for cybersecurity in the private sector lies with boards, owners and operators, while security of UK public sector organizations lies with Ministers, Permanent Secretaries and Management Boards. Palo Alto Networks agrees on the need for senior leadership involvement, and we are helping educate corporate directors and board members worldwide on these responsibilities through our recent book, Navigating the Digital Age. The UK version, including chapters by almost a dozen UK thought leaders, is slated for launch in early 2017. It is critical for modern corporations to have the capacity not just to understand the opportunities but also to understand and mitigate the risks inherent in our digital age, and we are pleased to contribute to that discussion in the UK.

Finally, the strategy stresses that the UK will work internationally. We wholeheartedly support this approach by all governments. Neither the global digital infrastructure nor the threats attacking it know national boundaries. We are only as strong as the weakest link. We appreciate that the UK will continue to play a strong role in global cybersecurity capacity building and use its influence in multilateral organizations, such as the European Union (EU), NATO and the G20.

These are only some of the many important activities in the UK’s new strategy, which also details plans to tackle cybercrime, develop cybersecurity skills across the population, and support a thriving UK cybersecurity sector. The UK’s National Cyber Security Strategy 2016-2021 sets out how the UK will become one of the most secure places in the world to do business in cyberspace. This framing is important. Cybersecurity must be viewed as an enabler, and the UK’s strategy, while acknowledging the growing threats, focuses on the benefits to the UK of better cyber resilience. As the sixth largest economy in the world, strong cybersecurity in the UK has multiplier effects around the globe. Palo Alto Networks looks forward to working with the UK government and private sector to realize the goals of its 2016-2021 Cyber Security Strategy and improve the UK’s – and hence the world’s – cybersecurity.

[Palo Alto Networks Research Center]
