3 Outside-the-box Questions to Ask During a Cybersecurity Interview, by @chrisray

Chris Ray is a senior member of a local 35+ B-league hockey team and also occasionally blogs about cybersecurity topics.

Interviewing, and being interviewed for that matter, can be a stressful event. If you are like me, then it doesn't matter which side of the table you're on. You approach this situation with the same focus and zeal you do a new technology or project.

For me, when interviewing, I initially used the popular lists you find via Google from sites like Indeed, Glassdoor, et al.

This led to asking questions that candidates had likely prepared for. They had good responses; some would even go deep and cite past experiences to satisfy the inquiry. This is exactly what you should do; it’s what I would do!

However, it left me with a list of candidates that made selection even more difficult. I needed a new approach; I needed a way to force the answers to provide insight into the humans and not data about their experiences and skillsets.

The following (short) list of questions is a conversation starter. I assume if you’re interviewing someone, you have already asked via email/application if they have X, Y, or Z skills and for how long they have been building those skills. The interview is not the time to work through a checklist; the candidate has probably taken time off from work to meet. Do them a favor and ask engaging questions.

3 Questions to Ask During a Cybersecurity Interview

  1. What do you do, and why do you do it?

    This question asks them about themselves, as well as their role and how they view their duties. This is a great starter question because it’s asking them about a topic they should know pretty well (taking the edge off the interview...hopefully) and will give insight into how they view their current employer, working conditions, mission and so forth. Do they understand why they do what they do? Do they find they are being "wasted" on menial tasks? Are they overworked? Nearly every word in their response will provide tremendous detail about who they are.

    I like to see a nuanced reply to this question. Usually, this turns into a back and forth, some laughs and the candidate will find shared experiences in our background. This gives me (and you) the ability to understand their responses better in the following questions.

  2. What do you know about our company, and why do you want to work here?

    While question one is a tee-up for the candidate to talk about themselves, question two asks them to articulate why they applied to this job with this company. While it’s possible they could BS a response to this question, a BS answer is pretty easy to spot. The answer will lack passion or depth of knowledge about the company, its product, culture, etc.

    In their reply, I just want to learn more about them and the company I work for. How is it viewed by an outsider? What is attractive about this role or company? I also want to know if they spent a few minutes to learn about this role or did they "easy apply" on LinkedIn and Indeed (playing the numbers game)?

  3. Ask a practical question; present them with a common challenge that is faced by someone in this role.

    The ideal question to ask here is one that doesn't require knowledge of internal or bespoke tooling and processes. I’ll give an example below; it’s one that was asked of me once.

    While this kind of question is very specific and deeply technical, it was appropriate for the role I interviewed for. It’s also a great question because I didn't need to know anything about the company ahead of time.

    A good answer to this type of question will demonstrate knowledge of the tech while ALSO demonstrating the candidate’s ability to create a method or process on the fly (self-manage).

    For instance, a good reply to this kind of question would indicate the usage of some type of attacker emulation product (maybe Atomic Red Team by Red Canary - https://github.com/redcanaryco/atomic-red-team) AND a crude process to track progress, document successes or failures and maybe some basic reporting on the progress of efficacy.

That’s it. Those three questions will serve you well. As with most things you find on the internet, you can try and copy/paste this into your "code" but you will have to update things like variables (match your org’s processes). This is a great start though.

If you leverage these during an interview, I would love to get some feedback from you. Maybe there is a #4 or #5? Let me know!
