Interview Questions for Cyber Security Jobs and Roles

All that stands between you and the dream job is the interview and the questions they are likely to ask. 

You’ll know a lot about cybersecurity, but what questions will they ask? And how will you go about answering them? 

Example Cyber Security Interview Questions

Below are some questions that you may get asked in your interview. The exact wording will vary, but you are likely to meet some version of them at some point in the interview.

We have added a few notes as to what you might want to build into your answer. 

How do you relay security risks to someone in finance, someone at reception and the CEO? How do you sell the benefits to each? 

Answer Advice: Think about the roles of those people, and how information security risks would impact their day-to-day roles. What benefits do they get from you helping to mitigate the security risk? How would you communicate effectively with these people?

Talk me through how you would establish a Security strategy in our business. And how do you calculate the required budget?

Answer Advice: A great tip for any questions about strategy is to think, “What are we trying to achieve?” Think about “stakeholders” – which is another way of saying, who are we trying to protect from the risk? Staff? Customers? Suppliers? Budgets can be worked out once you know what you are trying to achieve and who is involved.

What are the key attributes of a quality Information Security Leader?

Answer Advice: Questions like this often have an answer in the original job advert. “We are looking for a hardworking and diligent ISL with a keen eye for detail and excellent communication skills.” Re-read the job advert before any interview!

What are the most important things to you when selecting the correct Security products and tech?

Answer Advice: Budget? Compatibility? Upgradability? Support? Scalability? Think about the context of the employer and their business. Don’t fall into the trap of saying, “I have always used ‘x’, it’s great”. Why is it good? Why does it meet the needs of the business?

How would you make sure we are unbreachable? (trick question)

Answer Advice: Make it clear you know this is a trick question: no organisation is unbreachable, and anyone who promises otherwise should not be trusted with the job. Talk about reducing risk to an acceptable level rather than eliminating it, about balancing security controls against the need for people to access data legitimately, and about being able to detect and recover from an incident when prevention fails. Think about how you would strike that balance in their business.

What is your understanding of the use of security frameworks, and how should they be applied to us?

Answer Advice: This is a great question, or rather two questions! A brief text-book answer on frameworks followed by you showing you know about them in real life. The key part of this question is “how can they be applied to us”, so reference their business a lot.

How much of a risk is cloud computing?

Answer Advice: Short questions are often more complicated to answer, as you need to fill in some of the details yourself. Another two-part question – the security risk of Cloud and how you might go about addressing those risks.

What challenges do you foresee as the CISO here? What challenges do you see to our wider business?

Answer Advice: The word “here” means they want the question answered in the context of their company. Be honest; if you think there is a challenge, mention it in a constructive manner and touch upon how you might address it. “Wider business” questions can be tricky, but if there has been a recent news article about the company (an acquisition, for example) think about the security issues that might arise from that.

What has been your biggest mistake whilst leading a Security function? How have you learnt from this?

Answer Advice: You will very often get a question like this. Be honest, in a constructive manner. Everyone makes mistakes; give a specific example, say what you learned and explain how you would stop the same mistake happening in the future.

How important is it for someone from Security to sit on the board?

Answer Advice: The answer is, of course, “very”, but why? Show that you understand the types of roles on a board, finance, operations, sales, etc, and why security matters to them.

What is your management style? How does this adapt to differing characters?

Answer Advice: A tricky question! Think about leadership vs bossing, coaching vs telling. There is no correct answer. Focus on how to get the best out of people. “I naturally have a more coaching style of leadership, but absolutely, there are times when I pull the reins in and need to provide a more direct style of management.”

What is your approach to Security Awareness training? And how often should it be conducted?

Answer Advice: Talk about the training you have given in previous roles and why it worked (or didn’t). Show you understand the need for effective and efficient training and that ‘more’ is not always ‘better’.

What metrics do you or would you use to measure the effectiveness of a good infosec programme? How would you know if it is failing?

Answer Advice: Which metrics, and how would you collect them? Could you set targets or red-amber-green bands for each? How often would you review them, and with whom? Be ready to distinguish metrics that measure activity (number of alerts handled, training sessions run) from those that measure outcomes (time to patch critical vulnerabilities, time to detect and contain incidents, phishing click rates over time), and to explain why the former alone will not tell you the programme is failing. Try to balance technical insight with business awareness.

What will be the effect of compliance on your decision-making?

Answer Advice: This is an open question, depending on the context in which it was asked. Make sure you are clear about what the term ‘compliance’ relates to. You might want to give an example of where the need to adhere to compliance rules makes for a difficult decision, or one with knock-on consequences. How would you handle that? Do you have an example from a previous role?

How important is being cost-effective in your vision for our organisation’s Infosec posture?

Answer Advice: Another question that hides two! Show you understand the need for value-for-money, as well as discussing your vision for infosec in the organisation.

How much do you consider emerging risks to your strategy?

Answer Advice: A great opportunity to talk about emerging risks, both from a generic cyber perspective as well as from any industry-specific issues that might be emerging. Needless to say, emerging risks are important!

Are you willing to be fully accountable for Security here?

Answer Advice: If full accountability for security is part of the job description, then the one-word answer, “yes”, is all you need. If the scope of your role is slightly less, then make it clear you know the boundaries, but the answer is again a simple “yes, within the scope of my role.”

How can you help our business grow?

Answer Advice: A tricky and slightly odd question, but they do come up. Think about being a team player, looking for growth opportunities, working across departments etc. Your security role is helping others to do their job more effectively and that will help the business grow.

Final thoughts

Interview questions vary in style from company to company. Take your time to understand what the question really means and give an answer which shows you have listened. 

If you get a technical question and don’t know the answer, say so and say how you would go about finding out if the question arose in real life. If you don’t understand the question, say so and ask for clarification. 

You are being asked these questions so the interviewers can find out about you, so don’t hold back! Make sure you have a couple of questions to ask them at the end, too!

You need to show you understand the question and have the skills, knowledge and experience to answer, in a way that can add value to their business and make them want to select you for the job.

Looking for your next role?

Check out our current roles at Intaso today and see where a career in cybersecurity can take you, or register with us so we can help you find a job!
