IT is famous for its skill shortages, whether real or perceived. That’s particularly true in IT security, a field where hiring managers and recruiters have long bemoaned a lack of available talent.
(ISC)2’s 2020 Cybersecurity Workforce Study estimates that there will be 3.1 million unfilled positions worldwide this year. That’s down from 4 million the previous year, but it’s still a huge number.
The U.S. Bureau of Labor Statistics estimates the number of employed information security analysts alone will grow 31 percent between 2019 and 2029. If it’s not already apparent, that’s much faster than the average for all occupations, according to BLS.
Numbers like these mean lots of hiring on the horizon – and many interviews, even if most of those interviews are conducted remotely for the foreseeable future.
8 top security job interview questions
We asked a group of security leaders and practitioners to share with us some of their top interview questions at the moment.
Of course, we also asked for some tips on how to develop good answers, or what they’re looking for when they pose these questions to candidates. You can use these in your interview prep if you’re on the job market. (Obviously, specific questions will vary by role, interviewer, and organization – but these will give you a foundation.) And if you’re the hiring manager, you can consider these from that point of view.
Interview question 1: Talk about a security-related project that you automated. What were your research processes and what tools did you use?
Automation remains a white-hot topic across business and technology contexts, but security is a particular facet of IT where interest is skyrocketing. The threat landscape is simply too big and too fast for most organizations to keep pace with unless their human talent has machine help.
“With cloud computing and digital transformation, automation is a mandate,” says Wayne Crissman, director of security at Fugue. “But when it comes to security automation around incident response or automated remediation, there can be business risks, and oftentimes organizational resistance to security automation. IT security professionals should be prepared to discuss the benefits and risks of security automation in a variety of use cases, and how to address those risks.”
Check out two recent articles from us for some extra reading on the topic: 5 approaches to security automation and What is SOAR (Security Orchestration, Automation, and Response)?
Being able to discuss security automation is also a chance to show that you can think beyond security threats and responses and that you understand how security connects with the rest of the organization. Crissman notes a related question: How do you “sell” security to the C-suite and other areas of the business and help break down the legacy notion that security teams are bottlenecks standing in the way of competitiveness? Automation could be part of that story.
“The business demands that we innovate faster than our competitors – without breaking the rules that can put our data at risk,” Crissman says. “Therefore, security is about much more than security. It’s about speed and agility. IT security professionals need to demonstrate that they understand the full ROI of security tools and initiatives that are as much about helping the business be competitive as it is about improving security.”
Interview question 2: Create a fictional organization in a particular industry (such as financial services or retail). If you were the CISO for that organization, how would you prioritize the CIA triad and why?
Not to be confused with the Central Intelligence Agency, the CIA triad is a security model that focuses on data security at various phases of its lifecycle, from processing to transit to storage. It stands for Confidentiality, Integrity, and Availability. As the Center for Internet Security notes, it matters because pretty much every cyberattack violates at least one of those fundamental concerns.
The question is one that Casey Martin, VP of detection and automation at ReliaQuest, will ask security candidates in interviews. There’s not necessarily a correct answer; rather, it’s an opportunity to dig into a person’s strategic mindset.
“It’s not always about aligning with my personal thoughts, but rather demonstrating they are critically thinking through the 'why' behind their answer,” Martin says.
At the core of the question is an assumption that, especially when faced with limited resources, a security team may choose to prioritize those three pillars in a particular order of importance based on their business or industry, Martin says.
“Critical infrastructure would likely prioritize availability due to the need to keep the lights on and the water running, followed by integrity to ensure the infrastructure/OT is running optimally,” Martin says – for example, to prevent situations like the recent water system hack in Florida.
Interview question 3: Explain the MITRE framework and its use for security teams – like I'm five years old and don’t have any exposure to it.
The MITRE ATT&CK framework is a shared knowledge base of real-world cyberattack methods that some security leaders say is gaining steam in the business world. It’s essentially making what once might have been the purview of governments and national intelligence agencies widely accessible for the purposes of threat modeling and other security planning. It’s free and open to any individual or team.
“The goal for this [question] is to see if they can break down the topic into layman’s terms since having to teach back something advanced to other individuals requires them to fully understand the topic in the first place,” Martin explains.
Interview question 4: Describe how a cloud misconfiguration attack happens – and steps you would take to prevent this.
Cloud misconfigurations generally refer to any settings in a cloud platform or tool that aren’t optimally tuned according to best practices or that are simply forgotten about or ignored. They’re a significant security risk as hybrid cloud and multi-cloud environments grow. Security pros should be able to discuss them, in part because they may need to help evangelize the importance of cloud configurations to people outside of the security realm.
“Most organizations now have a significant cloud footprint,” Crissman says. “Because cloud misconfiguration is the number-one cause of cloud-based data breaches, it’s critical that IT security professionals understand how cloud infrastructure works and how to keep it secure – from infrastructure-as-code to runtime cloud environments. Take some time to learn how cloud infrastructure [platforms and tools] work, how and why misconfigurations occur, how they’re exploited, and how to prevent them.”
You should be able to drill down into specific platforms and tools based on the job description. Do your homework on the platforms and tools this particular organization uses.
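A concrete way to show an interviewer that you understand how misconfigurations occur and how to catch them before they reach a runtime environment is to talk through a policy check that runs against infrastructure-as-code. The following is an added example written for this article, not code from the article, from Fugue, or from any other vendor named here. It scans a constructed, simplified representation of a cloud stack (the attribute names "acl", "ingress", "encrypted" and "public" are assumptions chosen for illustration, not a real provider's schema) and reports a "weak" configuration beside its corrected counterpart.

```python
"""Minimal infrastructure-as-code (IaC) misconfiguration scanner.

Added example, not the article's or any vendor's code. The resource
dictionaries below are constructed to resemble the attributes an IaC plan
exposes; the attribute names ("acl", "ingress", "encrypted", "public")
are assumptions for illustration, not a real provider's schema.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Resource = Dict[str, object]
Finding = Tuple[str, str, str]  # (resource name, rule id, message)

# Constructed sample: a stack with several common misconfigurations.
WEAK_STACK: List[Resource] = [
    {"type": "bucket", "name": "reports", "acl": "public-read", "encrypted": False},
    {"type": "security_group", "name": "bastion-sg",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "database", "name": "orders-db", "encrypted": False, "public": True},
]

# The same constructed stack with every finding corrected.
HARDENED_STACK: List[Resource] = [
    {"type": "bucket", "name": "reports", "acl": "private", "encrypted": True},
    {"type": "security_group", "name": "bastion-sg",
     "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
    {"type": "database", "name": "orders-db", "encrypted": True, "public": False},
]

# Administrative ports that should never be reachable from the whole Internet.
ADMIN_PORTS = {22, 3389}


def check_bucket(r: Resource) -> List[Finding]:
    """Object storage: no public ACL, encryption at rest enabled."""
    name = str(r["name"])
    findings: List[Finding] = []
    if r.get("acl") != "private":
        findings.append((name, "BUCKET_PUBLIC_ACL",
                         f"acl is {r.get('acl')!r}; expected 'private'"))
    if not r.get("encrypted", False):
        findings.append((name, "BUCKET_UNENCRYPTED",
                         "server-side encryption is not enabled"))
    return findings


def check_security_group(r: Resource) -> List[Finding]:
    """Network ingress: admin ports must not be open to 0.0.0.0/0 or ::/0."""
    name = str(r["name"])
    findings: List[Finding] = []
    for rule in r.get("ingress", []):  # type: ignore[union-attr]
        cidr = str(rule.get("cidr", ""))
        port = rule.get("port")
        try:
            # A prefix length of 0 means the rule matches every address.
            world_open = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
        except ValueError:
            findings.append((name, "SG_BAD_CIDR", f"unparseable CIDR {cidr!r}"))
            continue
        if world_open and port in ADMIN_PORTS:
            findings.append((name, "SG_ADMIN_PORT_WORLD_OPEN",
                             f"port {port} is reachable from {cidr}"))
    return findings


def check_database(r: Resource) -> List[Finding]:
    """Managed database: encrypted at rest and not publicly addressable."""
    name = str(r["name"])
    findings: List[Finding] = []
    if not r.get("encrypted", False):
        findings.append((name, "DB_UNENCRYPTED", "storage encryption is disabled"))
    if r.get("public", False):
        findings.append((name, "DB_PUBLIC", "instance is publicly accessible"))
    return findings


CHECKS: Dict[str, Callable[[Resource], List[Finding]]] = {
    "bucket": check_bucket,
    "security_group": check_security_group,
    "database": check_database,
}


def scan(stack: List[Resource]) -> List[Finding]:
    """Run every applicable policy over a stack; an unknown type is itself a finding."""
    findings: List[Finding] = []
    for r in stack:
        check = CHECKS.get(str(r.get("type")))
        if check is None:
            findings.append((str(r.get("name")), "UNKNOWN_TYPE",
                             "no policy defined for this resource type"))
            continue
        findings.extend(check(r))
    return findings


if __name__ == "__main__":
    for label, stack in (("weak", WEAK_STACK), ("hardened", HARDENED_STACK)):
        found = scan(stack)
        print(f"{label}: {len(found)} finding(s)")
        for res, rule, msg in found:
            print(f"  {res}: {rule}: {msg}")
```

Running the script lists five findings for the weak stack (a public bucket ACL, an unencrypted bucket, SSH open to the Internet, and an unencrypted, publicly reachable database) and none for the hardened one. The design point worth making in an interview is that the same checks can run in a pull request against the plan, before anything is deployed, and again against the live environment to catch drift.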
Let’s look at four more questions to use or expect: