IT is notorious for its skills shortages, whether real or perceived. This is especially true in IT security, an area where hiring managers and recruiters have long lamented the lack of available talent.
(ISC) 2’s Cyber ââSecurity Workforce Study 2020 estimates that there will be 3.1 vacancies globally this year. That’s down from 4 million the year before, but it’s still a huge number.
The United States Bureau of Labor Statistics estimates that the number of employed information security analysts alone will increase by 31% between 2019 and 2029. If it isn’t already evident, it’s much faster than the average for all occupations, according to the BLS.
Numbers like these mean plenty of hires on the horizon – and plenty of interviews, even if most of those interviews are conducted remotely for the foreseeable future.
[ Get prepared. Read also:Â How to spot a great software developer: 7 interview questionsÂ andÂ 10 top DevOps engineer interview questions for 2021Â .]
8 security questions for job interviews
We asked a group of leaders and security practitioners to share with us some of their top interview questions right now.
What do interviewers look for when they ask security applicants these questions?
Of course, we also asked them for some tips on how to develop good answers, or what they’re looking for when asking candidates these questions. You can use them in your interview preparation if you are in the workforce. (Obviously, the specific questions will vary by role, interviewer, and organization – but they’ll give you a foundation.) And if you’re the hiring manager, you can look at them from that perspective.
Interview question 1: Talk about a security related project that you have automated. What were your research processes and what tools did you use?
Automation remains a hot topic in business and technology contexts, but security is a particular facet of IT where interest is skyrocketing. The threat landscape is simply too big and too fast-paced for most organizations to keep pace, unless their human talents are helped by a machine.
âWith cloud computing and digital transformation, automation is a mandate,â says Wayne Crissman, director of security at Fugue. âBut when it comes to security automation around incident response or automated remediation, there can be business risks and often organizational resistance to security automation. IT security professionals should be prepared to discuss the benefits and risks of security automation in various use cases, and how to manage those risks.
Check out our two recent articles for further reading on the topic: 5 Approaches to Security Automation and What is Security Orchestration, Automation and Response (SOAR)?
Being able to discuss security automation is also a chance to show that you can think beyond security threats and responses and understand how security connects with the rest of the organization. Crissman notes a related question: How do you âsellâ security to the C suite and other areas of the business and help break the legacy notion that security teams are bottlenecks that hinder competitiveness? Automation could be part of this story.
âThe company demands that we innovate faster than our competitors – without breaking the rules that can put our data at risk. “
âThe company demands that we innovate faster than our competitors, without breaking the rules that can put our data at risk,â says Crissman. âTherefore, security is more than security. It’s all about speed and agility. IT security professionals must demonstrate that they understand the full return on investment of security tools and initiatives that are as much about helping the business compete as they are about improving security.
[ Containers and Kubernetes can help here. Read also:Â How to automate compliance and security with Kubernetes: 3 ways. ]
Interview Question 2: Create a fictitious organization in a particular industry (such as financial services or retail). If you were the CISO of this organization, how would you prioritize the CIA triad and why?
Not to be confused with the Central Intelligence Agency, the CIA Triad is a security model that focuses on securing data at different stages of its lifecycle, from processing to transit to storage. It stands for Confidentiality, Integrity and Availability. As the Center for Internet Security notes, this is important because virtually all cyber attacks violate at least one of these fundamental concerns.
“It’s not always about aligning with my personal thoughts, but rather demonstrating that they are critically thinking about the ‘why’ behind their response.”
The question is one that Casey Martin, vice president of detection and automation at ReliaQuest, will ask security candidates in interviews. There is not necessarily a correct answer; rather, it is an opportunity to dig into a person’s strategic mindset.
âIt’s not always about aligning with my personal thoughts, but rather demonstrating that they are critically thinking about the ‘why’ behind their response,â says Martin.
At the heart of the matter is the assumption that, especially when faced with limited resources, a security team may choose to prioritize these three pillars in a particular order of importance based on their business or role. its sector, explains Martin.
âCritical infrastructure would likely prioritize uptime due to the need to keep lights on and water running, followed by integrity to ensure the infrastructure / OT is functioning optimally,â says Martin – for example, to avoid situations like the recent hack of the water system. in Florida.
Interview Question 3: Explain the MITER framework and its use for security teams – like I’m five years old and not exposed to it.
The MITER ATT & CK framework is a shared knowledge base of real-world cyberattack methods that some security officials say is gaining traction in the business world. Essentially, it’s about making what might have been the purview of governments and national intelligence agencies widely available for threat modeling and other security plans. It’s free and open to any person or team.
“The purpose of this [question] is to see if they can break the topic down into simple terms, because having to teach other people something advanced forces them to fully understand the topic in the first place, âsays Martin.
Interview Question 4: Describe how a cloud misconfiguration attack happens – and the steps you would take to prevent it.
Security professionals may need to help spread the word about the importance of cloud configurations to those outside the security realm.
Bad cloud configurations generally refer to all the parameters of a cloud platform or tool that are not optimally tuned according to best practice or are simply forgotten or ignored. They represent a significant security risk as hybrid cloud and multi-cloud environments develop. Security professionals should be able to discuss this, in part because they may need to help spread the word about the importance of cloud configurations to people outside the security realm.
[ Learn more about hybrid cloud strategy and security. Get the free eBooks, Hybrid Cloud Strategy for Dummies and Multicloud Portability for Dummies. ]
âMost organizations now have a large cloud footprint,â says Crissman. âWith cloud misconfiguration being the leading cause of data breaches in the cloud, it is critical that IT security professionals understand how cloud infrastructure works and how to secure it, from infrastructure as code to runtime cloud environments. Take the time to learn how cloud infrastructure [platforms and tools] work, how and why configuration errors occur, how they are exploited and how to avoid them.
You should be able to explore specific platforms and tools based on the job description. Do your homework on the platforms and tools that this particular organization uses.
Let’s take a look at four more questions to use or expect: