The 3 questions to ask during a cybersecurity interview

Interviewing, and being interviewed for that matter, can be a stressful event.  If you're like me, then it doesn't matter which side of the table you're on.  You approach this situation with the same focus and zeal you do a new technology or project.  

For me, when interviewing I initially used the popular lists you find via Google from sites like Indeed, Glassdoor, et al...

This led to asking questions that candidates had likely prepared for.  They had good responses, some would even go deep and draw on past experiences to satisfy the inquest.  This is exactly what you should do, it's what I would do!

However, it left me with a list of candidates that made selection even more difficult.  I needed a new approach: a way to force the answers to provide insight into the human, not data about their experiences and skill sets.  

The following (short) list of questions is a conversation starter.  I assume if you're interviewing someone, you have already asked via email/application whether they have X, Y or Z skills and for how long they have been building those skills.  The interview is not the time to work through a checklist; the candidate has probably taken time off from work to meet, so do them a favor and ask engaging questions.  


1. What do you do and why do you do it?

This question asks them about themselves, as well as their role and how they view their duties.  This is a great starter question because it's asking them about a topic they should know pretty well (taking the edge off the interview...hopefully) and will give insight into how they view their current employer, working conditions, mission and so forth.  Do they understand why they do what they do?  Do they find they are being "wasted" on menial tasks?  Are they overworked?  Nearly every word in their response will provide tremendous detail about who they are.  

I like to see a nuanced reply to this question.  Usually this turns into a back and forth, some laughs and the candidate will find shared experiences in our background.  This gives me (and you) the ability to understand their responses better in the following questions.


2. What do you know about our company, and why do you want to work here?

While question one is a tee-up for the candidate to talk about themselves, question two asks them to articulate why they applied to this job, with this company.  While it's possible they could BS a response to this question, such answers are pretty easy to spot.  The answer will lack passion or depth of knowledge about the company, its product, culture, etc...

In their reply I just want to learn more about them and the company I work for.  How is it viewed by an outsider?  What is attractive about this role or company?  I also want to know if they spent a few minutes learning about this role or whether they "easy applied" on LinkedIn and Indeed (playing the numbers game).


3. Ask a practical question, present them with a common challenge that is faced by someone in this role.

The ideal question to ask here is one that doesn't require knowledge of internal or bespoke tooling and processes.  I'll give an example below; it's one that was asked of me once.

If you were asked to evaluate an XDR solution, how would you test its efficacy?

While this question is very specific and deeply technical, it was appropriate for the role I interviewed for.  It's also a great question because I didn't need to know anything about the company ahead of time.  

A good answer to this type of question will demonstrate knowledge of the tech while ALSO demonstrating the candidate's ability to create a method or process on the fly (self-manage).  

For instance, a good reply to this question would indicate usage of some type of attacker emulation product (maybe Atomic Red Team by Red Canary - https://github.com/redcanaryco/atomic-red-team) AND a crude process to track progress, document successes or failures and maybe some basic reporting on efficacy.  
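To make the "crude process" concrete, here is an added example of the kind of tracker a candidate might sketch: one record per emulation run, a per-tactic roll-up, the list of tests that ran without producing an alert, and the list that never executed and need a rerun. This is illustration code written for this post, not something from the original article or from the Atomic Red Team project; the run ids, outcomes and notes are constructed, and only the ATT&CK technique ids are real.

```python
"""Tracker for an XDR efficacy evaluation: record each emulation test, roll up coverage.

Sample data below is constructed for illustration; the outcomes are invented.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class EmulationResult:
    test_id: str      # your own label for the run (constructed here)
    technique: str    # MITRE ATT&CK technique the test exercises
    tactic: str       # ATT&CK tactic, used to group the report
    executed: bool    # False when the test could not run (missing prerequisite, wrong OS)
    detected: bool    # the XDR raised an alert for the activity
    blocked: bool     # the XDR prevented the activity outright
    notes: str = ""


# Constructed sample run: real technique ids, invented outcomes.
SAMPLE_RESULTS = [
    EmulationResult("run-01", "T1059.001", "Execution", True, True, False, "alert fired, not blocked"),
    EmulationResult("run-02", "T1003.001", "Credential Access", True, True, True, "blocked by prevention policy"),
    EmulationResult("run-03", "T1053.005", "Persistence", True, False, False, "no alert after 30 min"),
    EmulationResult("run-04", "T1070.004", "Defense Evasion", True, False, False, "telemetry present, no rule"),
    EmulationResult("run-05", "T1021.001", "Lateral Movement", False, False, False, "second host unavailable"),
]


def summarize(results):
    """Per-tactic counts plus an overall detection rate over tests that actually executed."""
    by_tactic = defaultdict(lambda: {"planned": 0, "executed": 0, "detected": 0, "blocked": 0})
    for r in results:
        row = by_tactic[r.tactic]
        row["planned"] += 1
        if r.executed:  # a test that never ran is neither a pass nor a fail
            row["executed"] += 1
            row["detected"] += int(r.detected)
            row["blocked"] += int(r.blocked)
    executed = sum(t["executed"] for t in by_tactic.values())
    detected = sum(t["detected"] for t in by_tactic.values())
    blocked = sum(t["blocked"] for t in by_tactic.values())
    return {
        "by_tactic": dict(by_tactic),
        "executed": executed,
        "detected": detected,
        "blocked": blocked,
        "detection_rate": detected / executed if executed else 0.0,
    }


def detection_gaps(results):
    """Tests that ran but produced no alert: the list to hand to the vendor or your detection team."""
    return [r.technique for r in results if r.executed and not r.detected]


def pending(results):
    """Tests that never executed; rerun these before drawing a verdict on the product."""
    return [r.technique for r in results if not r.executed]


def report(results):
    """Plain-text summary suitable for pasting into an evaluation write-up."""
    s = summarize(results)
    lines = [f"{'tactic':<20}{'exec':>5}{'det':>5}{'blk':>5}"]
    for tactic, row in sorted(s["by_tactic"].items()):
        lines.append(f"{tactic:<20}{row['executed']:>5}{row['detected']:>5}{row['blocked']:>5}")
    lines.append(f"overall detection rate: {s['detection_rate']:.0%} "
                 f"({s['detected']}/{s['executed']} executed tests)")
    lines.append("gaps: " + (", ".join(detection_gaps(results)) or "none"))
    lines.append("pending rerun: " + (", ".join(pending(results)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RESULTS))
```

The design point worth calling out in an interview is the distinction between "not detected" and "not executed": a test that failed to run says nothing about the product, so it is kept out of the denominator and flagged for a rerun rather than counted as a miss.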


That's it.  Those three questions will serve you well.  As with most things you find on the internet, you can try and copy/paste this into your "code" but you will have to update things like variables (match your org's processes).  This is a great start though.

If you leverage these during an interview I would love to get some feedback from you, maybe there is a #4 or #5?  Let me know!