The information security industry faces a severe skill shortage. IT departments cannot find enough experienced applicants to employ, despite advances in IT security technologies like Secure Web Gateways, Next Generation Firewalls, and Cloud Access Security Brokers (CASB). The shortage has grown so urgent that IT professionals report a lack of trained professionals as the number one challenge to effective information security today. That makes effective recruiting one of the highest priorities for IT departments, but interviewing effectively, it turns out, can be really hard.
Interviewers must consider a few factors during the process. The first priority, obviously, is to find candidates with the talent and knowledge necessary for a position. Beyond these prerequisites, however, companies need to consider a candidate’s ability to grow and learn new skills. With threats and emerging security technology moving faster than ever before, security professionals must be able to adapt to change and learn new skills.
The experts say they use the interview process to gauge not only an applicant’s technical skills, but their ability (and willingness) to solve problems. Finally, IT and security do not exist in a bubble. An interview should assess a candidate’s ability to work with other departments, understand their needs, and make security an organization-wide initiative. Here are the interview questions to ask to evaluate an applicant’s technical and soft skills.
Ability to Think Like a Hacker
Hackers have evolved beyond the basement. When faced with nation-state groups and organized crime rings, security needs to be proactive. That means thinking of threats before hackers do.
- You have a vending machine in your break room. What are the different ways you could hack this machine?
Ability to Communicate Risk
Risk is naturally one of IT’s top priorities, yet IT teams need to translate this concern for other departments, such as non-technical business leaders or end users in business units.
- You have discovered a security flaw in your company’s product.
- How do you convince a product manager and engineering board of the risk?
- How do you evaluate the risk of a security flaw you find?
There’s no substitute for the basics. Candidates need to understand the fundamentals of networks and computing.
- Explain the full process occurring when you go to a browser and visit a URL. Explain how SSL works.
- How would you store passwords in your database? Why do you choose this method? What are the advantages/tradeoffs compared to other options?
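As an added illustration of the password-storage question (not part of the original article), the following contrasts the unsalted fast hash a weak answer would describe with salted PBKDF2 using a per-user random salt, a stored work factor, and a constant-time comparison. The record format and function names are this example's own assumptions, not a standard.

```python
import hashlib
import hmac
import os

# Record layout is an assumption for this demo: algorithm$iterations$salt_hex$hash_hex
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # work factor: one check should cost a noticeable fraction of a second


def naive_hash(password: str) -> str:
    """Unsalted SHA-256: fast and deterministic, so equal passwords collide across
    users and precomputed tables apply. Shown only as the weak baseline."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored record uses a lower work factor than current policy, so it
    can be upgraded transparently at the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample passwords; never reuse real credentials in demos.
    rec_a = store_password("correct horse battery staple")
    rec_b = store_password("correct horse battery staple")
    print("naive hashes equal:", naive_hash("hunter2") == naive_hash("hunter2"))  # True
    print("salted records equal:", rec_a == rec_b)  # False: different salts
    print("verify ok:", verify_password("correct horse battery staple", rec_a))  # True
    print("verify wrong:", verify_password("Correct horse battery staple", rec_a))  # False
```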
IT and security require a lot of technical knowledge and even more patience. You are guaranteed to deal with colleagues who have no knowledge of security best practices and may not even believe it is important. IT professionals are also guaranteed to find themselves in high-pressure situations, and the interview process should capture an idea of how they will behave. By the way, it’s okay to dislike compliance certifications as long as you accept them as a necessary evil.
- How would you handle the response to a breach where you had to work through the night, when the security vulnerability was a simple error on an end user’s part?
- How would you work with engineers who are not versed in security?
- What do you think about compliance certifications?
- How do you prefer to be managed?
Hear Straight from the Experts
We asked several IT practitioners for their opinions on the most important interview questions. The theme of hiring customer-focused, resourceful professionals was consistent across their recommendations. Read their tips for hiring all-star IT and security professionals below.
Mark Thiele, Chief Strategy Officer, Apcera
“The question would depend on the role, but this one would apply to anyone with a support requirement (software, infrastructure, etc.) leadership position: What would you tell someone on Monday morning after they spent most of Sunday fixing a problem? Hopefully they will say something like, ‘How many times have we had a problem with this system? What do you think the root cause is and how can we remove the problem?’ A bad response would be, ‘I’d buy them lunch and give them an atta’ boy in front of the team.’ For a senior support individual contributor: What process do you go through personally both before and after you have to make an emergency fix to a live, in-production system?”
Christina Morillo, VP, Technology and Information Risk, Morgan Stanley
“If I asked you to create and implement a new process/technology, what would be your first step/approach? I want to learn about their problem-solving approach. I would even get into specific details.”
Vi Bergquist, CIO, St. Cloud Technical & Community College
“These are four of my recent favorites: Think of a time when you felt successful in your current or past job; a time when you had a particularly satisfying experience and you believe you really made a difference in the lives of customers. Were there other people who were important? Were there particular resources available that helped your success? If you get hired and you can pick any laptop, what do you get? I want to see if people get fired up about new technology here – what they select is not important, it’s about keeping up with new tech trends and being excited. Tell us about a time you worked in a team environment. What were some of the challenges you faced and what role did you play? What does Customer Service mean to you?”
Paul Dumbleton, Manager of Infrastructure Security Engineering, Perrigo
“What feeds do you read daily? What does your home network look like? What is the difference between a white hat and a black hat hacker?”
Lincoln Quinton, CIO, Florida Department of Corrections
“What is your strongest professional skill and who made the greatest contribution to help you develop that skill? What skill do you most need to develop? Who would give you credit for influencing their career and why? What culture traits do you look for in your employer?”