Cybersecurity hiring remains a significant and ongoing concern for many organizations. Public and private entities are constantly searching for new ways to recruit and retain talent in the face of threats, such as ransomware, that continue to increase.
The Biden administration, which has made cybersecurity a significant cornerstone of White House policy, rolled out a new cybersecurity workforce and education strategy in late July to encourage more workers to seek out cybersecurity as a career. Even with these initiatives and other incentives, the U.S. only has enough cybersecurity workers to fill about 70 percent of the open positions throughout the country.
The interview process for these open positions can seem daunting for those interested in starting a cybersecurity career. Those executives hiring cybersecurity talent need to ensure candidates can act fast, think critically and respond to the pressures of the job.
At the same time, anyone overseeing the cybersecurity hiring process doesn’t want to discourage potential candidates who have a genuine interest in joining an organization’s cybersecurity team, especially when talent is at a premium.
“As an interviewer, my goal isn’t to stump someone—it’s to understand how effective this person can be on my team and how they approach challenges, how they’d communicate with me and other groups, how they balance being an all-around utility player versus being a specialist in certain areas, and how they’d approach complicated and difficult scenarios and learn something they don’t know,” said Rob Hughes, CISO at security firm RSA.
For those preparing to interview, especially those new to the field or embarking on their first career steps, cybersecurity experts and insiders have a list of five tips about the types of questions potential employers may ask and a look at how best to respond.
Demonstrate Critical Thinking Skills
For a security firm like RSA, the types of questions potential candidates are asked will likely differ from those used at other organizations. When Hughes is interviewing, he specifically looks for tech pros who demonstrate critical thinking, leadership, and the ability to guide the business to follow a security-first methodology.
“I’ll frequently ask for an experience a candidate has had or for them to answer an open-ended hypothetical question or scenario. For those who are starting their career, I’d recommend going into your interview with a few experiences that relate to a security challenge, where you’ve had an impact or where you’ve learned something,” Hughes told Dice. “Show your curiosity about security and have an answer to how you keep track of industry news. Be able to articulate why you’re interested in security and the security program at the organization.”
Candidates should also understand what regulations and compliance rules an organization is following to help get a better idea of what they will need to help improve security, Hughes added.
For candidates, Hughes noted, it’s good to ask clarifying questions to ensure that they understand what is being asked of them. “You need to understand if the interviewer is asking you for something specific or to do some critical thinking, in which case you should explain your thought process and how you would figure something out.”
He added: “I like to give an open-ended scenario and see how a candidate would work through a technical or communications issue.”
Look Beyond Technical Questions
When interviewing candidates, George Jones, CISO at Critical Start, asks potential candidates a combination of technical and other questions to test their knowledge and ability to use logic to solve problems. His interview process breaks down into three parts:
- Technical: Candidates should expect questions about operating systems, network protocols, encryption algorithms, incident response processes and security tools. This is the first opportunity for potential hires to prove they have the foundational skills to perform.
- Behavioral: Candidates will be asked about working in a team environment, handling challenging and stressful situations, and their approach to problem-solving and decision-making. This gives the interviewer an idea of how the candidate thinks.
- Scenario-based: Good interviewers focus on this area to assess a potential hire’s analytical thinking and problem-solving skills.
“There are generally no wrong answers here,” Jones told Dice. “I look for the approach that candidates take to solving complex problems and how they approach solution implementation. These scenarios are time-focused to introduce the element of additional stress so that the interviewer can see how you respond to pressure. Stand out here and you can make a solid impression.”
Show Interest in the Cybersecurity Field
It might seem obvious, but it’s critical to remember: you must show interest in the cybersecurity field and that the job means more to you than a steady paycheck.
For Tom Molden, CIO for global executive engagement at Tanium, candidates need to understand specific topics, including concepts such as confidentiality, integrity and availability (CIA), encryption, defense-in-depth, the National Institute of Standards and Technology (NIST) cybersecurity framework and vulnerability management.
Candidates must conduct their own research before the interview, but also come armed with questions to ask executives, Molden added.
“Asking someone in the business what it is they really care about is a good sign of initiative. Don’t be afraid to say, ‘I don’t know,’” Molden told Dice. “Interviewers will sometimes throw in tricky questions to test whether you’ll try to fake an answer. You don’t need to know the answer to every question; it is ultimately your attitude that will get you hired.”
Understand the Business Side
While technical know-how is critical, the ability to work within a team, communication skills, and a sense of the business requirements of cybersecurity are increasingly crucial to employers.
Understanding how C-suite executives and board members view cybersecurity is now crucial for candidates, said Mika Aalto, co-founder and CEO at Hoxhunt, a Helsinki-based security firm.
“Cybersecurity has expanded to a board-level concern, and that is being reflected in the importance that security places on understanding business operations and performing security in a way that drives the business,” Aalto told Dice. “If you’re just getting your foot in the door, prepare some evidence and stories on how you were able to solve problems creatively and collaboratively on the fly. A big part of success in this field is someone’s ability to think fast, think smart and communicate effectively.”
For a hiring manager like Grant Goodes, an innovation architect at Zimperium, cybersecurity candidates need to demonstrate knowledge of low-level and internal aspects of software and operating systems. They also need to go beyond the user and programmer levels and demonstrate knowledge of how compilers and linkers function and how operating systems interact with applications.
Goodes also wants candidates who know two or three programming languages, with C as a must-have. Most important, however, is whether candidates have ever hacked their own devices.
“I always ask ‘Have you rooted—or jailbroken—your cell phone?’ Never having even attempted to hack your own phone is almost self-selecting out of a cybersecurity position,” Goodes told Dice.