Congratulations, your brilliant cover letter and compelling CV have worked. You are down to the last few applicants. All that stands between you and the dream job is the interview and the questions they are likely to ask. You know that for the interview you will dress smartly, arrive in plenty of time and make a good impression in every way you can. You know a lot about cyber security, which is why they asked you for an interview, but what questions will they ask, and how will you go about answering them?
Before we get into some example interview questions, it is important to first understand how you should answer any interview question.
How to answer an interview question
There are four parts to answering any interview question effectively:
1. Listen to the question (and show you have listened)
You can do this by writing down a few key words, especially if the question was a long one. You can also ask for clarification, which not only shows you are listening, but also helps you deliver a more relevant and concise answer.
2. Consider the context of the question
What is the scope of the role you have applied for? What type of specific risks might the employer or their industry have? What is behind the question?
3. Answer the question in a concise and relevant manner
You of course need to show that you ‘know your stuff’ but it is also important to show that you can communicate clearly and concisely. Don’t waffle. If you have specific experience related to the question, you should absolutely reference it.
4. Ask if they want more information
“Does that answer your question?” is a great way to check you have given them what they want to hear, and if not, gives you a second go at giving a better answer.
Example questions and advice
Below are some questions that you may get asked in your interview. The words may vary, but you are likely to come across variations at some point in the interview. We have added a few notes as to what you might want to build into your answer.
Question: How do you relay an Information Security risk differently to someone in Finance, someone on reception and the CEO? How do you sell the benefits to each?
Advice: Think about the roles of those people, and how an information security risk would impact their day-to-day role. What benefits (good things!) do they get from you helping to mitigate the security risk? How would you communicate effectively to these people?
Question: Talk me through how you would establish a Security strategy in our business. And how do you calculate a required budget?
Advice: A great tip for any questions about strategy is to think “what are we trying to achieve?” Think about “stakeholders” – which is another way of saying who are we trying to protect from the risk? Staff? Customers? Suppliers? Budgets can be worked out once you know what you are trying to achieve and who is involved.
Question: What are the key attributes to a quality Information Security Leader?
Advice: Questions like this often have an answer in the original job advert. “We are looking for a hardworking and diligent ISL with a keen eye for detail and excellent communication skills.” Re-read the job advert before any interview!
Question: What are the most important things to you when selecting the correct Security products and tech?
Advice: Budget? Compatibility? Upgradability? Support? Scalability? Think about the context of the employer and their business. Don’t fall into the trap of saying “I have always used XXXXXX, it’s great”. Why is it good? Why does it meet the needs of the business?
Question: How would you make sure we are unbreachable? (trick question)
Advice: Make it clear you know this is a trick question. Talk about balancing security risks vs the need to be able to access data legitimately. Think about how you would address that balance.
Question: What is your understanding of the use of Security frameworks and how should they be applied to us?
Advice: This is a great question, or rather two questions! Give a brief text-book answer on frameworks, followed by evidence that you know how they work in real life. The key part of this question is “how should they be applied to us”, so reference their business a lot.
Question: How much of a risk is cloud computing?
Advice: Short questions are often more complicated to answer, as you need to fill in some of the details yourself. Another two-part question – the security risk of Cloud and how you might go about addressing those risks.
Question: What challenges do you foresee as the CISO here? What challenges do you see to our wider business?
Advice: The word “here” means they want the question answered in the context of their company. Be honest: if you think there is a challenge, mention it in a constructive manner and touch upon how you might address it. “Wider business” questions can be tricky, but if there has been a recent news article about the company (an acquisition, for example) think about the security issues that might arise from that.
Question: What has been your biggest mistake whilst leading a Security function? How have you learnt from this?
Advice: You will very often get a question like this. Be honest, in a constructive manner. Everyone makes mistakes; give specific answers about what you learned and how you would stop the mistake happening in the future.
Question: How important is it for someone from Security to sit on the board?
Advice: The answer is of course “very”, but why? Show that you understand the types of roles on a board (finance, operations, sales etc.) and why security matters to each of them.
Question: What is your management style? How does this adapt to differing characters?
Advice: A tricky question! Think about leadership vs bossing, coaching vs telling. There is no correct answer. Focus on how to get the best out of people. “I naturally have a more coaching style of leadership, but absolutely there are times when I pull the reins in and need to provide a more direct style of management.”
Question: What is your approach to Security Awareness training? And how often should it be conducted?
Advice: Talk about the training you have given in previous roles and why it worked (or didn’t). Show you understand the need for effective and efficient training and that ‘more’ is not always ‘better’.
Question: What metrics do you or would you use to measure the effectiveness of a good infosec programme? How would you know if it is failing?
Advice: What metrics? How would you collect them? Could you set targets or red-amber-green bands? How would you review effectiveness? Are the metrics by themselves enough to show when something is failing? Try to balance technical insight with business awareness.
Question: What will be the effect of compliance on your decision making?
Advice: This is an open question, depending on the context in which it was asked. Make sure you are clear what the term ‘compliance’ relates to. You might want to give an example of where the need to adhere to compliance rules makes for a difficult decision, or one with knock-on consequences. How would you handle that? Do you have an example from a previous role?
Question: How important is being cost-effective in your vision for our organisation’s Infosec posture?
Advice: Another question that hides two! Show you understand the need for value-for-money as well as discussing your vision for infosec in the organisation.
Question: How much do you consider emerging risks to your strategy?
Advice: A great opportunity to talk about emerging risks, both from a generic cyber perspective as well as from any industry specific issues that might be emerging. Needless to say, emerging risks are important!
Question: Are you willing to be fully accountable for Security here?
Advice: If full accountability for security is part of the job description, then the one-word answer, “yes”, is all you need. If the scope of your role is slightly less, then make it clear you know the boundaries, but the answer is again a simple “yes, within the scope of my role.”
Question: How can you help our business grow?
Advice: A tricky and slightly odd question, but they do come up. Think about being a team player, looking for growth opportunities, working across departments etc. Your security role is helping others to do their job more effectively and that will help the business grow.
Interview questions vary in style from company to company. Take your time to understand what the question really means and give an answer which shows you have listened. If you get a technical question and don’t know the answer, say so and say how you would go about finding out if the question arose in real life. If you don’t understand the question, say so and ask for clarification. You are being asked these questions so the interviewers can find out about you, so don’t hold back! Make sure you have a couple of questions to ask them at the end too!
You need to show you understand the question and have the skills, knowledge and experience to answer, in a way that can add value to their business and make them want to select you for the job.