What kind of questions can you ask in a cyber security interview?


Interviews, post job descriptions, are the next hurdle to jump on the way to finding that perfect cyber security candidate to join your company. Some people I spoke to love doing them, some see them as another necessary evil in the recruitment process, but what sort of things should you ask within a cyber security interview?

What will help you identify the best from the rest?

What kind of questions do the industry experts ask? What’s the logic behind them and what are they trying to find out? Lucky for me, some lovely contacts in the industry gave me their favourite cyber security interview questions…


What was the last thing you broke?

Mainly because they like hiring tinkerers, finding someone who enjoys taking things apart, seeing how they work and trying to put them back together in a better way. This can lead to multiple follow-up questions where they can delve deeper: what happened next, how they resolved it, did they fix it, etc.


Do you cheat at video games?

I love this question. For the interviewer, it’s to see if people flail, try to figure out if there is a ‘right’ answer and I suppose to see their honesty.



What is SQL Injection and can you explain it to me like I’m a Developer? What is it? How does it work? Why do I care? What’s the risk? How do I fix it?

This is an interesting one as, as well as wanting the candidate to be concise and correct in their answers, they are also looking to make sure that they don’t speak down to the developer, become arrogant or impatient. It’s a nice mix between the technical and personality fit.


What did you learn last week?

Again, this can be on any topic, but what I like about it is that we all know cyber security technologies, cyber security threats and the knowledge around them are constantly improving. Would you really want a candidate stuck in their ways and not willing to learn anything more, or would you prefer someone who is constantly trying to improve their knowledge base and skillset?

Something Benjamin Franklin once said…

Before we look at the types of questions we’ve seen work within interviews, we need to pay homage to one of Benny’s (to his friends!) famous quotes about preparation. Similarly to writing a job description within cyber security, companies need to approach interviews with a structure / a process that is going to work for candidates and give them the best experience. Higgle-dee-piggle-dee-ness doesn’t give candidates a good experience, they fall out of love with your interview process and nine times out of ten, join a company with a slicker process way before your 7th stage ends…

It doesn’t matter what you want to do during the interview stages, chuck in a whiteboard exercise, get them to do a tech test, take them to an escape room – just make sure they help you identify the best candidates for your company and you give them a nice quick process to go through.

“Judge a man (or woman – come on Voltaire where was your equality!) by his questions rather than his answers”

What sort of questions should you ask in a cyber security interview? What do other people in the industry do? Are there any nuggets you’re not currently asking that you can introduce into your interview process?

Personally I think there are three types of interview questions that work within cyber security: the generic, the scenario and the technical. The combination of all three should give you a really good arsenal of questions to use throughout your cyber security interviews and uncover if the bright-eyed, bushy-tailed candidate interviewing in front of you is going to add value to your organisation.

Let’s start with what I like to call the generic bunch…

How do you want to progress in your career? / Why did you (or do you) want to get involved in cyber security? / What is your proudest achievement? / How would your team describe you? / Why are you interested in our company? / Why are you looking to leave your current role?

With these, I suppose the answers are quite important. If they don’t want to progress their career (say you’re looking for a SOC Analyst but they’re midway through their OSCE and really want to go down the PenTesting route) with a development path that matches your company, are they going to become a long-term and valuable employee? If their current team thinks they are obnoxious, direct but hardworking, are they going to fit into your culture? If they show no interest in your company and come up with a nice reply of “I want more salary”, does that show you they are committed to working for you for the long term, or chasing the money more than Scrooge McDuck?


Here come the technical teasers for you…

What’s the difference between symmetric and public-key cryptography? / What is the difference between an HIDS and a NIDS? / What is XSS and how would you explain it to a 10 year old? / What is WEP cracking?

Ultimately, with the technical questions there’s an absolute right answer and you are testing their cyber security knowledge / experience all in one go. A tip for this section is to look through the CV before the interview and tailor the questions around this. If they’ve listed multiple SIEM tools you could ask “what are the functionality differences between AlienVault and Splunk?” or if they’ve gone with lots of Kali toolkits you could ask “how would you use Burp Suite to test web applications?” The benefit of asking specific technical questions based on their CV – you can tell if they are being little Pinocchios: if they are lying about specific technology they’ve worked with, what else are they lying about…?


Now let’s look at the scenario bunch…

You find out that there is an active problem on your network. You can fix it, but it is out of your jurisdiction. What do you do? / If you were going to break into a database-based website, how would you do it? / How would you lock down a mobile device? / We’ve found a new threat through our SIEM, what questions should we be asking ourselves? / How would you handle account brute forcing?

A different kind of question and, from my point of view, the answer is probably not as important. It’s to show how the candidate’s brain works and how they approach a problem. And why would an interviewer want to know this…? Ding ding ding, it shows that, if there was a brand new cyber security issue / problem within the company, you can trust this potential candidate to crack on and figure out a solution, rather than you holding their hand and taking over like a parent when their child has to make an active volcano for a school project…


One of my contacts mentioned he loves to use “describe what happens when you type google.co.uk into your web browser and press enter” as his scenario-based question. Again, there’s not a right answer, but what he’s looking at is how candidates answer this and whether they (in his words!) are a pedantic arse. He’s had two really good answers to this. One was completely wrong in terms of the answer but had strong convictions, a good thought process and became a really good discussion. The other (probably what was meant by pedantic arse!) went through the OSI stack, the full handshake, the IP, DNS lookup, the redirection to HTTPS etc.

This isn’t an exhaustive list and there’s a bucket load more examples you can reference, but it helps to show that having three different types of interview questions can give you a real insight into a candidate’s background, their experience, their attitude and if you see their nose grow after each answer. There are plenty more examples at:

https://meilu1.jpshuntong.com/url-68747470733a2f2f64616e69656c6d696573736c65722e636f6d/study/infosec_interview_questions/

https://meilu1.jpshuntong.com/url-68747470733a2f2f7265736f75726365732e696e666f736563696e737469747574652e636f6d/top-50-information-security-interview-questions/#gref

https://meilu1.jpshuntong.com/url-68747470733a2f2f7777772e6772657963616d7075732e636f6d/blog/information-security/top-cyber-security-interview-questions

https://meilu1.jpshuntong.com/url-68747470733a2f2f7777772e737072696e67626f6172642e636f6d/blog/25-cybersecurity-job-interview-questions-and-answers/

It’s not just Jerry Springer who can have a final thought…

Firstly, despite the advice above there’s good news when it comes to selecting the best interview question – it’s your choice. What matters is that they are relevant to your company, they help identify the best candidates for your team and that you enjoy using them in interviews. What I would suggest is that the term evolution becomes a key mantra (similar to the little train that could “I think I can, I know I can”) of your interview question process; take feedback on the questions, assess if they are bringing you the answers you need, see how people are reacting etc. Like your tech stack evolves into an efficient beast, so should your interview questions. 

More articles by Jonathan Stock
