7 screening questions for evaluating candidate fit for cybersecurity roles
"What is your name? What is your quest? What is the airspeed velocity of an unladen swallow?" Granted, asking a potential employee about Monty Python may tell you a lot about their personality, but not necessarily a lot about their skills as a cybersecurity professional. Likewise asking people hyper-technical questions may give you someone that has studied super hard very recently, but may not always showcase people that have dealt with strategies and various environments.
Today we're going to go over seven questions that can help narrow down the field to professionals that have concepts down pat and can adapt to different situations quickly.
What should you learn next?
1. Tell me what you saw when you came through the building
With the possible exception of interviews in high-security areas, many interviews include a quick walkthrough of a general area and in some cases the server rooms as well. When the walk is complete, and everybody is getting settled into the interview location, it can be very effective to just ask the person “What did you see? What stood out to you?” You might get the usual “sorry, I wasn't paying attention,” or, “you've got a lot of nice stuff here,” but once in a while you'll get someone that responds with “I saw some people with sticky-note passwords and unlocked user systems with nobody there.” The reason why I like this particular question is that it works as a tremendous icebreaker if they say “I noticed that you're using X product too. Did you ever run into this problem where it…” and off you go. Immediately the person is more comfortable, and the entire attitude in the room may change from a high-stress, high-stakes question and answer event to a chat between colleagues about tips and tricks.
2. Have you ever worked with some of the systems we use? What can you tell me about them? Have you ever seen them fail before?
Building off of the last question somewhat, this may require a bit more expansion on the hardware and software solutions that your company is using if they weren't clear on the job listing. This can include something like “We use X for our backups, and it's worked very well for us over the years. Have you ever seen them fail?” Again, this is veering off of the usual course and more into the person's experiences, potentially bad ones at that, but it allows them to tell their story with the good and bad thrown in because that's what you're asking for. This is another way to de-escalate the situation, where the person can get more relaxed and more comfortable telling the interviewer what they need to hear.
3. Do you have any security horror stories you've experienced? What did you learn from them?
Everyone has horror stories about really bad things that have happened in the past. Believe it or not, though, this question is as much about what is not said as it is what is. Some events can be shrugged off, while others can keep you awake at night, cause you to completely break down and leave you at 2 a.m. with a bottle of whiskey and a foreboding sense of what is waiting for you in the morning. The average person can deal with a typical daily situation pretty well. Go to work, take care of basic tasks, work on long-term projects, maybe one or two elevated problems to work out, see what's coming down the pipe later in the year and go home. When things get messy, however, that's when you find out just how people perform under pressure at various levels, how your systems function when in non-standard situations, and if everyone is wise enough to use the experience to learn very expensive lessons. While this is a bit more in the traditional interview question, coming at it from a different angle can help to give more honest and heartfelt answers to this question.
4. What are some resources on your daily checks?
Everyone has daily checks: websites, channels, RSS feeds, podcasts etc. Whatever helps them to figure out what's going on in the world, and what has the chance to impact you, your people and your organization. Comparing notes on where you go can lead to surprising benefits for both parties, where the interviewer finds out about some new resources that they can also use but also you find out what kind of person they are.
Interviewing a person is just as much about finding out what kind of personality they have as it is a raw technical skill. If they would be a good fit for other people already in the department. If they would be butting heads all the time, it might not be the best idea to bring them in if that's not what you want (sometimes it is, but that's another article). At worst, this question will help better understand who is in front of you. At best, however, it can again help the interviewee become more comfortable with giving more complete answers, especially if the interviewer shows interest in some of the topics.
5. How many times have you had to speak directly with vendor support recently regarding potential security matters? Can you say what they were about?
The larger the organization, the less likely they are to run everything without support. At a consumer level, a lot of people get away with not getting extended support on their equipment because it just costs more and it can sometimes just be a rip-off depending on the vendor. For a piece of tech that costs around $59.99, you can easily get away with this but when it comes closer to $599,999, that's an entirely different story. Organizations need production systems and resources to be active as much of the time as possible, and this is before you bring in requirements such as service-level agreements (SLA's) where the organization can be legally required to be up-and-running at a specific level at nearly all times. Some interviewees may be surprised that a larger organization requires support contracts with their vendors, while for others it's just business as usual. In either case, it will give more information on the background of the person and in some cases provide an opening for another experience.
6. What did you learn from your colleagues in your previous position?
No one person can know everything. However, it can seem like they get awfully close sometimes. One of the key advantages of working in an organization where there are lots of very bright people in close proximity is the enormous amount of knowledge crammed into one location. Many times about topics that you'd never otherwise have access to. These can be topics like how to repair a vehicle or how to slipstream a custom Windows installer, but it can rapidly escalate to how to fix a rocket and how to track a person half a world away. Being able to gain not only knowledge and insight but also benefit from the person's passion and attitude can help a person figure out if they want to go into that field in the future in just such a situation as an interview. Understanding how the interviewee got to this place and time can be extremely important in figuring out if they're going to be around for a long time. The last thing you want to do is hire somebody, only to find out that they're gone in three weeks because they couldn't stand the work.
7. How would you try to break into our network?
This is the big one. Even if you don't gain any information from the other questions, this will show you how the person thinks and how they would use the information they gained in a matter of minutes to try to overcome untold dollars and hours spent to protect assets. Answers on this will run the gamut of “I will hack into the main webpage and work my way down, I'll drop thumbsticks in the parking lot and gain access when somebody plugs one in,” to “I will brute force my way through a remote access firewall” or the classic “I'll find the nearest Starbucks and just wait a while until somebody shows up with an unlocked laptop and goes to the bathroom.” These answers will showcase the user's faith in their technical skills, capacity for thinking around corners and ability to use social engineering to accomplish their goals. All qualities you look for in a cybersecurity professional.
What should you learn next?
Evaluating a cybersecurity candidate
Some of these questions are typical interview questions, but some are also very relative to the person. Some questions can relax the situation and make it less of a formal interview and more of exchanging stories from two professionals. The faster you're able to relax the interviewee, the easier and more accurate your job as the interviewer will be. Landing the right person however is only half the job. The other half involves training, experience and access to resources to help fill in blank spaces.