00
Mission Intel — Know What You're Walking Into
CRITICAL MINDSET SHIFT — READ THIS FIRST
This is NOT a pure SOC analyst role. The bank wants a leader who runs the SOC day-to-day, manages and mentors a team, owns IAM and compliance, reports to the ISO, and drives automation strategy. In every single answer, use "I led" and "my team" — not just "I did." You are stepping into a leadership identity, not a practitioner identity. Your title was Senior SOC Analyst. Their title for you is Operations Lead. Act like it from the moment you say hello.
Target Company
Lone Star National Bank
Via Robert Half · Brian Burkholder
Salary Target (This Role)
$145K+
Counter at $145K minimum. Do not anchor at analyst pay.
Reports To
ISO (Paul Kankwende)
PhD candidate, CISM, C-CISO — 20+ yrs experience
JD Decoded — What They Really Want
The JD mentions "Operations Lead" but buries the leadership scope. They want someone who can own the whole function — not just triage alerts. That means: SIEM program ownership, team supervision (analysts + engineers), IAM governance (FFIEC/GLBA/SOX), IR command authority, KPI reporting to the ISO, and an automation roadmap. You have all of this. Your job is to make it obvious in every answer.
What This Role IS
✓ SOC Operations Lead — you own daily ops, not just participate
✓ Team supervisor — analysts + engineers report to you
✓ IAM owner — access reviews, MFA, SSO, PAM, least privilege
✓ Compliance anchor — FFIEC, GLBA, NIST CSF, SOX, PCI DSS
✓ ISO's right hand — translate strategy into measurable ops
✓ Automation driver — SOAR, orchestration roadmap
Adolf's Proof Points
→ Cut IR time 35% via playbook overhaul (100% ownership, not contribution)
→ Eliminated 300+ false positives/wk via MITRE ATT&CK detection tuning
→ Led multi-environment APT containment — 4hrs, zero exfiltration
→ 95% audit readiness score via ServiceNow at PNC Financial
→ Mentored Tier 1 analyst → became overnight lead, trained 2 hires
→ Executive brief after phishing → 2 controls approved same day
01
Know Your ISO — Paul Kankwende
Why This Matters
Your interviewer's LinkedIn profile was uploaded. Paul Kankwende is your future boss — the Information Security Officer you'd report to directly. He's a 20+ year veteran, currently pursuing a PhD in Information Systems at UCT, with a C-CISO, CISM, and deep ISO 27001 / NIST CSF expertise. Study his background. Mirror his language. Show him you can be his operator.
Paul Kankwende, PhD Candidate
Chief Information Security Officer · Lone Star National Bank
Paul has 20+ years across finance, telecom, healthcare, retail, and education. He's held CISO and Group Head of InfoSec roles internationally, built SOCs from the ground up, and directed cloud security for 50,000+ identities. He is deeply technical AND strategically minded. He will test whether you think like an operator AND a business partner. His focus areas: Zero Trust, GRC integration with SOC ops, executive communication, and building security cultures — not just running tools.
C-CISO
CISM
CISA
CRISC
CEH
ISO 27001
COBIT 5
NIST CSF
AWS Security
What He Cares About
📊 KPIs and measurable program outcomes
🔗 GRC integrated with SOC operations
👥 Leadership that builds culture, not just runs tools
🏛️ Regulatory alignment (FFIEC, GLBA) as a discipline
🤝 Executives who can brief the board without jargon
Language to Mirror
"Operationalize the strategy"
"Translate risk into business impact"
"Continuous monitoring maturity"
"Zero Trust controls"
"Detection use case library"
"Control effectiveness vs. compliance checkbox"
How to Impress Him
Show a 90-day plan unprompted
Mention FFIEC CAT mapping to NIST CSF
Reference your executive brief example (PNC phishing)
Ask about the SOC team structure immediately
Name your KPI framework before he asks
02
The 4 Pillars — What the Bank Is Hiring For
1
Security Operations
Run daily SOC — SIEM monitoring, alert triage, tool optimization, detection engineering, automation. This is your strongest pillar. Anchor every answer here with your Splunk ES metrics (200+ alerts/day, 80K+ log records, 300+ FP reduction).
YOUR STRONGEST PILLAR
2
Team Leadership
Supervise and mentor analysts and engineers. THIS IS NOT IMPLIED BY YOUR ANALYST TITLE — you must make it explicit. Lead with "I led," "my team," "I assigned," "I mentored." Use the Tier 1 analyst development story. Describe yourself as the primary escalation authority.
MUST EMPHASIZE EXPLICITLY
3
IAM & Compliance
FFIEC, GLBA, NIST CSF, access reviews, MFA/SSO/PAM, SOX, PCI DSS. Your PNC Financial background covers this directly. Speak to quarterly privileged access reviews, GLBA Safeguards Rule operationalization, and your ServiceNow evidence management that hit 95% readiness.
COVERED BY PNC EXPERIENCE
4
Executive Communication
Report to ISO, brief business leaders, translate technical risk into business language. Have your PNC phishing brief story ready — CISO + 2 BU heads, one-pager, 2 controls approved same day. Also mention your 90-day plan presentation framework and monthly KPI dashboard concept.
HAVE CONCRETE EXAMPLES READY
03
Opening Pitch — "Tell Me About Yourself"
I'm a cybersecurity professional with 8+ years spanning security operations, GRC, and financial environments — and what sets me apart is the combination of hands-on SOC leadership and compliance depth that most people have separately.
At PDI Technologies — which operates as an MSSP — I serve as the primary incident response authority for multi-client environments. I oversee detection engineering in Splunk ES, lead threat hunting, and command our escalation process. I built the playbook framework that reduced IR time by 35% and led an APT containment event across three client environments simultaneously — zero exfiltration, contained in four hours.
Before that, at PNC Financial, I worked directly in a regulated banking environment — SOX 404, PCI DSS, NIST CSF audits, access management aligned to FFIEC controls. I understand the regulatory obligations of a financial institution, not just theoretically — I've lived the audit prep cycle.
What draws me to this role specifically is the combination of operational ownership and leadership scope. I'm ready to move from executing security operations to leading the function — managing analysts and engineers, driving the KPI conversation with the ISO, and building a security program that stays ahead of the threat landscape. That is the exact progression this role represents.
Delivery Notes
Keep it to 90 seconds max. Hit these four beats: (1) experience span, (2) SOC leadership proof point with metric, (3) banking compliance credibility, (4) why this role, why now. Do NOT list tools or certifications — those are resume items. Lead with impact and narrative. End on forward momentum, not history.
04
Behavioral Interview — STAR Answers
STAR Rule for This Role
Every behavioral answer must end with a measurable result AND a systemic improvement you led. Don't just say what happened — say what changed permanently because of your leadership. The bank needs to see someone who builds durable systems, not someone who fights fires reactively.
STAR · LEADERSHIP
"Tell me about a time you led a team through a major security incident."
SITUATION
At PDI Technologies, we detected multi-client APT lateral movement across three client environments simultaneously — a rare high-pressure scenario that required parallel command decisions in real time.
TASK
I was the incident commander — responsible for assigning analysts, coordinating three separate client CIRTs, and managing executive communication simultaneously while maintaining our SLA obligations across all environments.
ACTION
I triaged in Splunk ES and CrowdStrike in parallel — assigned one analyst per environment with clear containment mandates, established a 30-minute check-in cadence so I maintained full situational awareness, and personally ran the stakeholder calls while my team executed containment. I made every escalation decision and managed the blast radius documentation in real time.
RESULT
All three incidents contained within 4 hours — no confirmed exfiltration across any environment. I led the post-incident review and updated playbooks across all three client environments. Those updates caught a similar attempt against a different client within 60 days.
STAR · PROCESS
"Tell me about a time you improved a security operations process."
SITUATION
My SOC was generating 300+ false positive alerts weekly — consuming analyst capacity, creating fatigue, and causing real threats to get buried in noise. The problem was systemic, not individual.
TASK
I was responsible for reducing the noise without creating blind spots — a technical and governance challenge that required both Splunk expertise and a structured process for rule lifecycle management.
ACTION
I led a full detection tuning initiative. I mapped every active use case against MITRE ATT&CK, retired rules with zero true-positive history in 90 days, and rebuilt our top 15 detection use cases with tighter correlation logic and tuned thresholds. I also built a quarterly rule review process so the library stays clean going forward.
RESULT
False positive volume dropped over 60% within 60 days. Analyst capacity freed up significantly for proactive threat hunting. IR time improved 35% as a downstream effect — and we now have a repeatable governance process for detection hygiene.
STAR · COMPLIANCE
"Tell me about a time you dealt with a compliance audit."
SITUATION
At PNC Financial, I supported an annual security audit covering SOX 404 and PCI DSS controls — a high-stakes engagement with external auditors who had zero tolerance for evidence gaps or control failures.
TASK
I was responsible for evidence collection, control validation, and serving as the primary liaison between the security team and external auditors — a role that required both technical precision and communication discipline.
ACTION
I pre-staged all evidence in ServiceNow, mapped every control to its specific audit requirement, and ran a mock walkthrough with the team before auditors arrived. I proactively flagged two minor control gaps and remediated them before the audit began — rather than hoping auditors wouldn't find them.
RESULT
Zero critical findings. I also built a running evidence repository in ServiceNow that reduced prep time for the following year's audit by approximately 30% — and it became the team's standard operating model.
STAR · EXEC COMM
"Tell me about a time you communicated a security issue to non-technical executives."
SITUATION
After a targeted phishing campaign hit internal banking users at PNC, I needed to brief the CISO and two business unit heads — executives who needed the facts, the risk exposure, and a clear path forward. No jargon, no buried lead.
TASK
Translate a technical incident into a business risk briefing that would drive a decision — not just inform. The goal was approval for two specific control improvements I had already scoped.
ACTION
I built a one-page executive brief: incident timeline, business impact in dollar-equivalent risk terms, containment steps already taken, and a cost-of-breach comparison versus the cost of implementing the proposed controls. No technical jargon anywhere on the page.
RESULT
Leadership approved both controls on the spot in the same meeting. Subsequent phishing attempts over the following quarter were caught before reaching any users. The brief format became our standard for executive incident reporting.
STAR · MENTORING
"Tell me about a time you mentored or developed a junior team member."
SITUATION
A Tier 1 analyst on my team was technically capable but had inconsistent escalation judgment — sometimes over-escalating noise and sometimes holding real alerts too long. Both patterns created operational risk.
TASK
Fix the decision-making gap without undermining his confidence — a coaching challenge that required observation before intervention.
ACTION
I shadowed him for a full week and identified the specific gap in his triage logic — he lacked a decision framework for ambiguous indicators. I built a decision tree tied to our alert types and SOC playbooks, then reviewed his escalation decisions with him daily for two weeks, turning each case into a coaching moment.
RESULT
His escalation accuracy improved measurably within 30 days. He became one of our most reliable overnight analysts and later used that same decision tree to train two newer hires. One coaching intervention created a repeatable capability transfer.
"Why are you leaving your current role?"
I've built significant depth at PDI Technologies — I grew from analyst to the team's primary incident response authority, built the playbook framework, and expanded into multi-client SOC command. That foundation is strong. But I'm at the point in my career where I want to lead a security function with dedicated team ownership — managing analysts and engineers, driving the KPI conversation with an ISO, and partnering on a security roadmap that goes beyond reactive response. This role at a regulated financial institution, reporting directly to the ISO, is exactly the progression I've been building toward. Your environment also adds FFIEC and banking regulatory depth that aligns with my PNC background — it's not a stretch, it's a natural continuation.
"What's your biggest weakness?"
My honest answer: In early leadership situations, I defaulted to doing rather than delegating — especially on high-stakes incidents, I'd want to touch the investigation myself. That's a strength in crisis but a bottleneck in team development. I recognized the pattern after noticing that certain analysts weren't growing as fast as they should. I built a deliberate practice of assigning full ownership of incidents to analysts with a check-in cadence rather than a takeover reflex. The result was faster analyst development and it freed me up for the decision-making and stakeholder work that actually requires a lead. That shift is what I want to bring to this role — leading through the team, not around it.
05
Technical Interview — Banking-Specific Scenarios
SIEM Detection Program
BANKING-SPECIFIC
"How would you build or improve a SIEM detection program for a bank?"
Start with an asset inventory and a banking-specific threat model — the primary vectors are credential theft, business email compromise, insider threat, ransomware, and third-party risk. Map those scenarios to MITRE ATT&CK techniques. Build detection use cases in Splunk ES starting with high-confidence, low-noise rules — I've done this at PDI with measurable noise reduction. Tune aggressively in the first 90 days using true/false positive ratio tracking. Layer in behavioral analytics and anomaly detection once baselines are established. Retire stale rules on a quarterly review cycle. All use cases should be documented and mapped to FFIEC's Detect domain for auditor traceability.
IAM in Banking
FFIEC / SOX CRITICAL
"How do you approach Identity and Access Management in a banking environment?"
Least privilege and segregation of duties are non-negotiable under FFIEC and SOX — I applied both at PNC. The access review cycle: quarterly for privileged accounts, semi-annual for standard users. MFA enforced across all systems, SSO where possible to reduce credential sprawl, PAM solution for admin accounts with session recording enabled. Provisioning and deprovisioning must be automated through HR system integration — leavers deprovisioned same day, zero exceptions. Every exception documented with a signed risk acceptance reviewed by the ISO. This isn't just compliance hygiene — it's the control surface that prevents insider threat and credential theft, the top two banking vectors.
Ransomware at a Bank
HIGH STAKES SCENARIO
"Walk me through how you would handle a ransomware incident at a bank."
Immediate containment first — isolate affected endpoints via EDR network containment, identify blast radius, kill lateral movement paths. Notify the ISO and legal within the first hour — banking carries FFIEC notification obligations and potentially OCC or state regulator requirements depending on scope. Preserve forensic evidence before any remediation starts. Run parallel workstreams: technical containment, executive communication, regulatory notification assessment, and customer impact analysis. Recovery from clean backups only — never negotiate or pay. Post-incident: full root cause analysis, control gaps documented in a POA&M, playbook updated, lessons-learned session within two weeks. The key difference in banking: the regulatory notification clock starts immediately, so the IR lead must be coordinating legal and compliance simultaneously with technical response.
Vulnerability Remediation
KPI-DRIVEN
"How do you manage vulnerability remediation across a large environment?"
Authenticated Nessus scanning on a defined cadence — weekly for internet-facing systems, bi-weekly internal. Output feeds a risk-ranked remediation tracker: Critical patched within 15 days, High within 30, Medium within 90. Exceptions require documented risk acceptance signed by the asset owner and reviewed by the ISO. Monthly KPI report: mean time to remediate by severity, open critical/high by age, patch coverage percentage. I track directional trends quarter over quarter — regulators want to see not just current status but continuous improvement. This is the framework I'd establish in the first 90 days and report to you on a monthly cadence.
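The remediation tracker and monthly KPI report described above, worked through as an added Python example (not part of the original playbook). The SLA windows are the ones stated in the answer; the finding IDs, asset names, dates, field names and the definition of patch coverage as "share of findings remediated" are assumptions made for illustration.

```python
from datetime import date

# SLA windows in days, as stated in the answer above.
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90}


def _f(fid, asset, sev, found, fixed=None, risk_accepted=False):
    return {"id": fid, "asset": asset, "severity": sev, "found": found,
            "fixed": fixed, "risk_accepted": risk_accepted}


# Constructed sample tracker rows (not real scan output).
FINDINGS = [
    _f("F-001", "web-01", "Critical", date(2024, 3, 1), date(2024, 3, 11)),
    _f("F-002", "web-02", "Critical", date(2024, 3, 5), date(2024, 3, 25)),
    _f("F-003", "vpn-01", "Critical", date(2024, 4, 5)),
    _f("F-004", "core-db", "Critical", date(2024, 3, 20)),
    _f("F-005", "app-07", "High", date(2024, 3, 1), date(2024, 3, 21)),
    _f("F-006", "legacy-03", "High", date(2024, 3, 1), risk_accepted=True),
    _f("F-007", "app-09", "High", date(2024, 4, 1)),
    _f("F-008", "file-02", "Medium", date(2024, 1, 2), date(2024, 3, 2)),
]


def kpi_report(findings, as_of):
    """Build the monthly KPI figures from tracker rows as of a given date."""
    mttr, open_crit_high, breaches, accepted = {}, [], [], []
    for sev, sla in SLA_DAYS.items():
        rows = [f for f in findings if f["severity"] == sev]
        # Mean time to remediate uses closed findings only.
        closed = [(f["fixed"] - f["found"]).days for f in rows if f["fixed"]]
        mttr[sev] = round(sum(closed) / len(closed), 1) if closed else None
        for f in rows:
            if f["fixed"]:
                continue
            item = {"id": f["id"], "asset": f["asset"], "severity": sev,
                    "age_days": (as_of - f["found"]).days, "sla_days": sla}
            if sev in ("Critical", "High"):
                open_crit_high.append(item)
            if item["age_days"] > sla:
                # Past SLA: either a documented exception or a breach to escalate.
                (accepted if f["risk_accepted"] else breaches).append(item)
    open_crit_high.sort(key=lambda i: i["age_days"], reverse=True)
    fixed = sum(1 for f in findings if f["fixed"])
    coverage = round(100 * fixed / len(findings), 1) if findings else None
    return {
        "mttr_days": mttr,
        "open_critical_high": open_crit_high,   # oldest first
        "sla_breaches": breaches,
        "risk_accepted": accepted,
        "patch_coverage_pct": coverage,          # assumption: remediated / total
    }


if __name__ == "__main__":
    report = kpi_report(FINDINGS, as_of=date(2024, 4, 15))
    for key, value in report.items():
        print(key, value)
```

Running the same function on each month-end snapshot gives the quarter-over-quarter trend the answer refers to.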
FFIEC & GLBA
REGULATORY MASTERY
"What FFIEC and GLBA controls are most operationally significant for a SOC?"
The FFIEC Cybersecurity Assessment Tool maps directly to NIST CSF — Identify, Protect, Detect, Respond, Recover. For a SOC, Detect and Respond are most operational: continuous monitoring, anomaly detection, IR procedures, escalation paths with defined SLAs. GLBA Safeguards Rule requires a written InfoSec program, risk assessments, access controls, vendor oversight, and IR capabilities — all SOC-owned. The critical operational requirement is documentation: auditors want to see not just that controls exist but that they're tested regularly and that findings drive documented remediation. This is why I run tabletop exercises and maintain a live evidence repository — not just for audits, but to prove operational maturity.
Splunk Lateral Movement
TECHNICAL DEEP DIVE
"How would you build a Splunk detection for lateral movement in a banking environment?"
Start with `sourcetype=wineventlog EventCode=4624 | stats dc(dest_ip) AS dest_count values(dest_ip) AS dest_ips by src_ip` — look for one source authenticating against multiple destinations in a short time window. Layer in EventCode=4648 for explicit credential use and EventCode=4768/4769 for Kerberoasting indicators. Cross-correlate with CrowdStrike process telemetry to validate endpoint behavior. Tune thresholds based on baseline business hours traffic — banking environments have predictable lateral patterns. Add a lookup for privileged accounts to surface any admin-to-admin movement immediately. The detection isn't just the SPL — it's the correlation logic across SIEM, EDR, and network that makes it actionable.
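The fan-out logic in this answer (one source authenticating against multiple destinations in a short window, with a tighter threshold for privileged accounts) shown as an added Python example over constructed events; it is not part of the original playbook and is not SPL. The window length, both thresholds, the `user` and `time` fields, the account names and all IP addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_CODES = {4624, 4648}     # successful logon, explicit-credential logon
PRIVILEGED = {"adm_rchen"}     # hypothetical privileged-account lookup


def _ev(ts, code, src, dest, user):
    return {"time": datetime.fromisoformat(ts), "EventCode": code,
            "src_ip": src, "dest_ip": dest, "user": user}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Normal workstation: two servers, 20 minutes apart, plus a logoff (ignored).
    _ev("2024-03-04T09:00:00", 4624, "10.1.5.20", "10.1.9.10", "jdoe"),
    _ev("2024-03-04T09:20:00", 4624, "10.1.5.20", "10.1.9.11", "jdoe"),
    _ev("2024-03-04T09:21:00", 4634, "10.1.5.20", "10.1.9.12", "jdoe"),
    # Fan-out: one source reaches five destinations in six minutes.
    _ev("2024-03-04T02:10:00", 4624, "10.1.5.77", "10.1.9.10", "mlopez"),
    _ev("2024-03-04T02:11:00", 4624, "10.1.5.77", "10.1.9.11", "mlopez"),
    _ev("2024-03-04T02:13:00", 4624, "10.1.5.77", "10.1.9.12", "mlopez"),
    _ev("2024-03-04T02:15:00", 4624, "10.1.5.77", "10.1.9.13", "mlopez"),
    _ev("2024-03-04T02:16:00", 4624, "10.1.5.77", "10.1.9.14", "mlopez"),
    # Same destination count spread over 90 minutes: outside any one window.
    _ev("2024-03-04T10:00:00", 4624, "10.1.5.88", "10.1.9.10", "tnguyen"),
    _ev("2024-03-04T10:30:00", 4624, "10.1.5.88", "10.1.9.11", "tnguyen"),
    _ev("2024-03-04T11:00:00", 4624, "10.1.5.88", "10.1.9.12", "tnguyen"),
    _ev("2024-03-04T11:30:00", 4624, "10.1.5.88", "10.1.9.13", "tnguyen"),
    # Privileged account moving between two hosts in three minutes.
    _ev("2024-03-04T14:00:00", 4648, "10.1.7.5", "10.1.9.30", "adm_rchen"),
    _ev("2024-03-04T14:03:00", 4624, "10.1.7.5", "10.1.9.31", "adm_rchen"),
]


def detect_fanout(events, window=timedelta(minutes=10), threshold=4,
                  privileged=frozenset(), priv_threshold=2):
    """Alert when a source hits many distinct destinations inside the window."""
    recent = defaultdict(deque)   # src_ip -> logon events inside the window
    alerts = {}                   # src_ip -> widest fan-out seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["EventCode"] not in LOGON_CODES:
            continue
        q = recent[ev["src_ip"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:
            q.popleft()           # slide the window forward
        dests = {e["dest_ip"] for e in q}
        priv_users = {e["user"] for e in q if e["user"] in privileged}
        # Privileged accounts get the lower threshold from the lookup.
        limit = priv_threshold if priv_users else threshold
        if len(dests) < limit:
            continue
        prev = alerts.get(ev["src_ip"])
        if prev is None or len(dests) > len(prev["dest_ips"]):
            alerts[ev["src_ip"]] = {
                "src_ip": ev["src_ip"],
                "dest_ips": sorted(dests),
                "privileged_users": sorted(priv_users),
                "first_seen": q[0]["time"],
                "last_seen": ev["time"],
                "severity": "high" if priv_users else "medium",
            }
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS, privileged=PRIVILEGED):
        print(alert)
```

The 90-minute source produces no alert, which is the effect of the time window: the same destination count is only suspicious when it is compressed.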
06
Leadership & Management Questions
"How do you manage SOC team morale and prevent burnout?"
SOC burnout has three root causes: alert fatigue, reactive-only work, and feeling invisible. I address all three. First, reduce noise — I've already done this; 60%+ false positive reduction means analysts investigate real threats, not ghosts. Second, give ownership — each analyst gets a specific threat domain or use case to develop expertise in, breaking the monotony of pure triage. Third, make wins visible — when the team catches something real, Paul hears about it by name, not just as a stat on a dashboard. I also advocate for sustainable rotation schedules and push back to leadership on chronic understaffing before it becomes a performance problem. Retention of trained analysts is a security outcome, not just an HR outcome.
"What KPIs would you track and report to the ISO?"
Operational: MTTD, MTTR, MTTC, alert-to-incident conversion rate, false positive rate trend.
Vulnerability: Patch coverage by severity tier, open critical/high by age in days, mean time to remediate vs. SLA.
IAM: Access review completion rate, orphaned account count, privileged account exceptions pending remediation.
Risk/Compliance: Open audit findings by severity, POA&M milestone compliance rate, control test pass rate trend.
I'd deliver a monthly operational dashboard to you and a condensed executive summary to business leadership quarterly. The goal is a dashboard you can take to regulators and the board — not just internal metrics. I'd build this framework in the first 60 days and refine it based on what you need most from the ISO reporting perspective.
"What would your first 90 days look like in this role?"
Days 1–30 — Listen and assess: Meet every analyst and engineer one-on-one. Review existing playbooks, detection use cases, and the current tool stack. Attend all standing meetings as a listener. Review the last two audit reports and any open findings. Map integration gaps across SIEM, EDR, and IAM. I learn the environment before I change anything.
Days 31–60 — Quick wins: Address the single highest-priority detection gap I identified. Close any open audit findings within my authority. Establish a weekly team standup and a monthly metrics review cadence. Build the first draft of the KPI dashboard framework for your review.
Days 61–90 — Strategy: Present you with a 12-month operations roadmap. Propose the top three automation initiatives with business case estimates. Establish a formal KPI reporting cadence and socialize it with the business unit stakeholders I'll need to partner with on IAM and compliance.
"How do you prioritize when everything feels urgent?"
Triage by actual business impact, not perceived urgency. In a bank, anything touching customer data, payment systems, or regulatory compliance escalates immediately — everything else gets risk-ranked. I use a likelihood × impact matrix and communicate trade-offs clearly to the ISO when resources are constrained. The critical discipline is documentation: what we prioritized, why, and what risk we accepted. That documentation protects the team and surfaces accountability at the leadership level, not just the analyst level. It also becomes your evidence trail if a regulator asks why something wasn't addressed immediately.
"How do you build relationships with IT and business teams who see security as a blocker?"
Security gets seen as a blocker when it shows up late — when we say no after teams have already built something. I embed security early: a seat at the table in project kickoffs, security requirements documented upfront, and a fast-track review process so teams aren't waiting weeks for a security opinion. I train my team to be approachable and solutions-oriented — the answer is "here's how we can do this securely," not just "no." That cultural shift takes time and starts with how the security team shows up in the first interaction with every new partner. The goal is to be the team they call before a decision, not after they've already made it.
07
Your Questions — Ask At Least 3
Why Your Questions Matter More Than You Think
Asking smart questions is how you signal leadership-level thinking to Paul. Interviewers remember candidates who ask questions that reveal operational sophistication. Don't ask anything answered in the JD. Ask about the gap they're trying to close, the maturity of what exists, and the regulatory timeline — these are what a leader would need to know.
Q1
What does the current SOC team structure look like — how many analysts and engineers would I be overseeing, and how is the shift coverage currently organized?
Q2
What SIEM platform are you currently running, and how mature is the existing detection use case library relative to the FFIEC Detect domain?
Q3
What is the biggest operational gap you're hoping this role closes in the first 90 days — is it detection coverage, IAM governance, team leadership, or something else?
Q4
What regulatory exams or audits are coming up in the next 12 months that this role would need to support directly?
Q5
What is the current state of automation in the SOC — is there an existing SOAR platform in place, or is that something this role would help evaluate and propose?
Q6
How does the ISO prefer to receive operational reporting — dashboards, written briefings, or standing meeting presentations?
Q7
How does the bank currently handle third-party vendor risk assessments — is that within the scope of this Operations Lead role, or does it sit separately?
Q8
What does success look like for this role at the 6-month and 12-month mark — how would you measure whether your Operations Lead is delivering impact?
08
Salary Strategy & Negotiation Scripts
PRICING RULE — DO NOT ANCHOR AT ANALYST PAY
This is a management + compliance + operations role at a regulated bank. Price it accordingly. Your 8+ years, MSSP leadership depth, GRC/banking compliance experience, and the scope of this role (team ownership, ISO reporting, FFIEC/GLBA compliance authority) justify a significant premium over a Senior SOC Analyst comp. Counter at $145K minimum. Your walk-away number is $130K. Anything below that undervalues the scope.
| Scenario | Market Range | Your Target | Notes |
|---|---|---|---|
| InfoSec Ops Lead, On-Site Banking | $120K – $150K | $145K anchor | Base range for this exact JD scope |
| With team management scope added | $140K – $160K | $150K target | Direct report authority commands premium |
| With FFIEC/GLBA compliance ownership | Up to $175K | $160K ceiling | Full compliance ownership in regulated banking |
| Walk-Away Floor | — | $130K hard floor | Below this: role scope doesn't match compensation |
SCRIPT 1 — FIRST OFFER: COUNTER CONFIDENTLY
"Thank you — I genuinely appreciate the offer and I'm excited about this opportunity. Based on my research on market rates for InfoSec Operations Lead roles with team management scope and FFIEC/GLBA compliance ownership in the financial sector, and given that I'm bringing 8+ years with a documented track record of leading incident response and delivering measurable operational improvements, I was targeting something closer to $[145-150K]. Is there flexibility to get there?"
SCRIPT 2 — THEY PUSH BACK: HOLD OR TRADE
"I understand. If the base isn't flexible right now, I'd love to explore other levers — a signing bonus, an additional week of PTO, or an earlier performance review at 6 months tied to the 90-day KPI framework I'd establish. I'm excited about this role and I want to find a structure that works for both sides."
SCRIPT 3 — VERBAL OFFER: NEVER ACCEPT ON THE SPOT
"This sounds really promising — I'm genuinely excited about what we discussed today. I'd love to take 24–48 hours to review everything carefully before I give you my answer. Could you send the offer in writing? I want to make sure I'm fully committed when I say yes."
Negotiation Psychology
Always counter. A $10K–$15K counter costs you zero goodwill and succeeds more often than candidates expect. Robert Half placed you — the recruiter Brian Burkholder has an incentive to close the deal. He is an ally in negotiation, not an adversary. Call him first after you receive any offer to understand the flexibility ceiling before negotiating directly with the bank.
09
Pre-Interview Checklist
NIGHT BEFORE
✓ Re-read Paul Kankwende's LinkedIn profile — internalize his language and priorities
✓ Review the full JD one more time — mark the 4 pillars with your proof points
✓ Practice your 90-second opening pitch out loud — time it
✓ Select your 3 strongest STAR stories and rehearse each result with the metric
✓ Confirm MS Teams meeting link works (Meeting ID: 268 656 893 457 592)
✓ Charge laptop and test audio/video — have phone dial-in number as backup
✓ Have your resume, this playbook, and notepad visible — not in another window
DAY OF — MORNING
✓ Read your pitch aloud one time before joining — warm up your voice
✓ Join Teams 5 minutes early — confirm your background is professional
✓ Have water nearby — negotiating and talking dry out your voice
✓ Remember: you are interviewing THEM as much as they're interviewing you
AFTER THE INTERVIEW
✓ Send thank-you email to Brian Burkholder within 1 hour of call ending
✓ Note any technical questions you were unprepared for — prep the answers
✓ Call Brian to debrief and ask about next steps and feedback
✓ If offer comes: review in writing, call Brian before negotiating directly
10
Post-Interview Thank You — Ready to Send
To Brian Burkholder — Send Within 1 Hour
Hi Brian,
Thank you for facilitating today's conversation — I appreciated the introduction and the context you provided going in.
I wanted to confirm that I'm very interested in moving forward. The scope of the Information Security Operations Lead role aligns well with where I am in my career, and my conversation with [interviewer name] reinforced that the environment and challenges are exactly what I've been working toward.
A few things I noted that make this a strong fit: the banking regulatory environment mirrors my PNC background, the team leadership scope is the progression I've been building toward, and the ISO reporting structure gives me the visibility to drive real operational improvement.
I'd welcome any feedback from the team and am happy to provide references or any additional materials you need.
Looking forward to next steps.
Best,
Adolf Muna
(210) 632-7151 | adolfmutanga@gmail.com