Cyber security interview questions from hiring managers
Author: Nicola Lumb | Date published: 30/07/20
After writing an effective cyber security job description, interviews are the next hurdle to jump on the way to finding that perfect cyber security candidate to join your company. Some people love doing them, some see them as another necessary evil in the recruitment process, but what sort of things should you ask in a cyber security interview?
– What will help you identify the best from the rest?
– What kind of questions do the industry experts ask?
– What’s the logic behind them and what are they trying to find out?
Lucky for us, some lovely contacts in the industry shared their favourite cyber security interview questions…
What was the last thing you broke?
This one is asked mainly because they like hiring tinkerers: someone who enjoys taking things apart, seeing how they work and trying to put them back together in a better way. It also opens up multiple follow-up questions where they can delve deeper: what happened next, how did they resolve it, did they actually fix it?
Do you cheat at video games?
This is a great question! For the interviewer, it shows whether people flail, whether they try to work out if there is a ‘right’ answer, and how honest they are.
What is SQL injection, and can you explain it to me like I’m a developer? What is it? How does it work? Why do I care? What’s the risk? How do I fix it?
This is an interesting one. As well as wanting the candidate to be concise and correct in their answers, they are also checking that the candidate doesn’t talk down to the developer or become arrogant or impatient. It’s a nice mix of technical ability and personality fit.
What did you learn last week?
Again, this can be on any topic, but what we like about it is that we all know cyber security technologies, cyber security threats and the knowledge around them are constantly evolving. Would you really want a candidate stuck in their ways and unwilling to learn anything more, or would you prefer someone who is constantly trying to improve their knowledge base and skill set?
Preparation is key…
Similarly to writing a cyber security job description, companies need to approach interviews with a structure and process that works for candidates and gives them the best experience. Being unprepared and ‘winging it’ doesn’t give candidates a good experience; they fall out of love with your interview process and, nine times out of ten, join a company with a slicker process long before your seventh stage ends…
It doesn’t matter what you want to do during the interview stages, chuck in a whiteboard exercise, get them to do a tech test, take them to an escape room – just make sure the stages you choose help you identify the best candidates for your company and that you give them a nice quick process to go through.
Questions to ask in a cyber security interview…
What sort of questions should you ask in a cyber security interview? What do other hiring managers in the industry do? Are there any nuggets you’re not currently asking that you can introduce into your interview process?
We have found there are three types of interview question that work within cyber security: the generic, the scenario and the technical. The combination of all three should give you a good arsenal of questions to use throughout your cyber security interviews, and should help you uncover whether the bright-eyed, bushy-tailed candidate in front of you is going to add value to your organisation.
Let’s start with some generic interview questions…
– How do you want to progress in your career?
– Why did you (or do you) want to get involved in cyber security?
– What is your proudest achievement?
– How would your team describe you?
– Why are you interested in our company?
– Why are you looking to leave your current role?
With these, the answers are quite important. If the way they want to progress their career doesn’t match a development path your company can offer (say you’re looking for a SOC Analyst but they’re midway through their OSCE and really want to go down the pen testing route), are they going to become a long-term and valuable employee? If their current team thinks they’re obnoxious, direct but hardworking, are they going to fit into your culture? If they show no interest in your company and come up with a reply of “I want more salary”, does that show you they are committed to working for you for the long term, or that they are chasing the money?
Here come the technical teasers for you…
– What’s the difference between symmetric and public-key cryptography?
– What is the difference between an HIDS and a NIDS?
– What is XSS and how would you explain it to a 10-year-old?
– What is WEP cracking?
Ultimately, with the technical questions there is an absolute right answer, and you’re testing their cyber security knowledge and experience all in one go. A tip for this section is to look through the CV before the interview and tailor the questions around it. If they’ve listed multiple SIEM tools you could ask “what are the functionality differences between AlienVault and Splunk?”, or if they’ve listed lots of Kali toolkits you could ask “how would you use Burp Suite to test web applications?” The benefit of asking specific technical questions based on their CV is that you can tell if they’re being little Pinocchios. If they’re lying about specific technology they’ve worked with, what else are they lying about…?
Now let’s look at the scenario bunch…
– You find out that there is an active problem on your network. You can fix it, but it is out of your jurisdiction. What do you do?
– If you were going to break into a database-based website, how would you do it?
– How would you lock down a mobile device?
– We’ve found a new threat through our SIEM, what questions should we be asking ourselves?
– How would you handle account brute forcing?
These are a different kind of question: the exact answer is probably less important than seeing how the candidate’s brain works and how they approach a problem. It shows whether, if a brand new cyber security issue appeared within the company, you could trust this candidate to crack on and figure out a solution, rather than having to hold their hand and take over.
One of our contacts mentioned he loves to use “describe what happens when you type google.co.uk into your web browser and press enter” as his scenario-based question. Again, there’s no single right answer; what he’s looking at is how candidates answer it and whether they (in his words!) are pedantic. He’s had two really good answers to this: one completely wrong in terms of the answer but delivered with strong convictions and a good thought process, which turned into a really good discussion; and the other (probably what was meant by pedantic!) went through the OSI stack, the full handshake, the IP, the DNS lookup, the redirection to HTTPS and so on.
This isn’t an exhaustive list, and there’s a bucket load more examples you can reference, but it helps to show that having three different types of interview question can give you real insight into a candidate’s background, their experience, their attitude, and whether you see their nose grow after each answer. There are plenty more examples here:
Despite the advice above, there’s good news when it comes to selecting the best cyber security interview questions – it’s entirely your choice. What matters is that the questions you ask are relevant to your company, that they help identify the best candidates for your team, and that you enjoy using them in interviews. We suggest that ‘evolution’ becomes a key mantra of your interview question process: take feedback on the questions, assess whether they are bringing you the answers you need, see how people are reacting, and so on. Just as your tech stack evolves into an efficient beast, so should your cyber security interview questions.
If you’re a hiring manager getting ready to interview cyber security candidates and you want some interviewing advice or tips on streamlining your recruitment process and reducing your time to hire, please get in touch.