10 tough security interview questions, and how to answer them

Recently hired security leaders share what hiring execs want to know in interviews.


Many organizations are looking for cybersecurity skills and struggling to fill positions because demand has been outpacing supply. That doesn’t mean anyone with experience in security can sail through a job interview and be hired on the spot, however.

Job candidates need to be prepared to answer tough questions. In many cases, there’s no exact right answer, but how candidates react and formulate responses can go a long way toward making a positive or negative impression.

We asked security executives and hiring experts to share suggestions of questions candidates can expect to hear, and how they should respond in ways that will make good impressions.

What is the project or initiative you've led that you are most proud of in your career thus far?

The answer to this question will reveal what candidates enjoy most about what they've done, says Domini Clark, founder and CEO of Blackmere Consulting, a cybersecurity recruitment and leadership consulting firm. “This question hits the specific passion of an individual, revealing not only what they love but what they felt was a satisfying achievement for them personally,” Clark says.

For example, if a CISO is most proud of the policies he created for an organization, he will fit better in an organization where that’s valued over the CISO who was most proud of the products or security architecture he put in place.

Why do you want to leave your current position?

Industry research shows that security executives have average tenures of between 24 and 48 months, says Jason Taule, vice president of standards and CISO at HITRUST Alliance, which develops and maintains risk and compliance management frameworks.

“If you find yourself among the group of CISOs with a shorter tenure, how do you respond when asked why you left your previous position?” Taule says. “If you left for better salary or benefits, I think you come out and say it—provided your resume doesn’t show a long-term pattern of job hopping. If you left because your previous employer didn’t respect the role or position and you’re looking for a company who ‘gets it,’ here, too, I think you’d do well to be direct about it.”

An increasing number of CISOs are leaving for integrity reasons rather than be party to unethical or illegal activity, or because the previous employer was accepting an undue level of risk, Taule says. In this case, when responding to the question, “you will find yourself in a situation that calls for a delicate touch and diplomacy,” he says. “I think a good place to start would be to emphasize the positive aspects of whatever happened without revealing specifics.”

What has been your most epic failure and what did you learn from this experience?

The strongest leaders have failed many times and have learned to embrace failure as their greatest tool for learning, Clark says. “The best and brightest wear their failures as a badge of courage,” Clark says. “This question touches the emotional core and reveals how comfortable they are with themselves and with their failure, how risk tolerant they are, how confident they are in their ability to learn from and recover after failure, as well as their overall thinking process under pressure.”

It’s a big plus when candidates can approach this question with a sense of humor, vulnerability, and authenticity, Clark says.

What is the most complex security initiative you have led or made a significant contribution to in the last two years?

Security executives will be called upon to handle complex, pressure-filled initiatives. Interviewers want to know what candidates can take on and how they cope with complexity.

“This is a detailed question that helps me understand this person's view of ‘complexity,’ their bandwidth for size and scope,” Clark says. “This will be different for a five-person security team versus a Fortune 10 organization.”

How would you identify and develop a diverse talent pool to meet the organization’s needs?

Diversity means more than participation from members of protected worker classes, says Bill Bonney, president and founder of consulting firm eCyber Advisory Group. “It also means diversity of thought, job skills and job domains,” he says. “We cannot rely on growing or hiring enough cyber analysts or cyber engineers to meet our needs without changing the way we deliver products and services.”

Developing this talent pool will include short-term activities such as making the organization an attractive place to work.

What would you do to ensure that you and your team consistently provide high-quality service to the organization?

On a basic level, security teams are delivering a service to their organizations: keeping data, networks, systems, applications, devices, and other IT components safe from intrusion. “Quality and service are not accidents; they are the result of passion to do the right thing and a principle of continuous improvement,” says Steve Hunt, consultant and CISO principal consultant at Hunt Business Intelligence.

Hunt suggests a response in which a candidate describes how he will engage the team in a quality and service culture built around performance excellence frameworks. Candidates need to be prepared to demonstrate how they will maintain a high level of security services to business users, he says.

How do you see your role and the senior leadership team’s role in a breach?

This type of question or some variation of it is likely to come up in an interview. It’s important to have a strong response ready.

One approach is to describe concrete actions to take upon being hired, such as an immediate review of the escalation paths for incident response and ensuring that every member of the senior leadership team understands their role pre-breach, during a breach, and post-breach, Bonney says.

“I see three fundamental elements of breach management: dealing with the incident itself, communication with all our stakeholders, and operational resilience for the company,” Bonney says.

How would you measure the value of your effect on the organization's brand?

Just as high-quality service is important, so is the ability to measure and demonstrate value to the business. “Two common ways to assess the value are to look at the ‘top line’ and the ‘bottom line,’” Hunt says. Security executives need to show how their work has the potential to impact the top line in the form of new revenue opportunities, higher customer satisfaction, and new areas of growth.

They need to demonstrate their potential impact on the bottom line through cost cutting via reduced risk and more efficient security processes.

Why is now the right time for you to make this career shift?

The wording of this question is important, Clark says, because it does not "lead" the answer. “There are as many reasons to make a change as there are thoughts in our brains, and an honest and authentic answer to this question helps me understand the true motivations driving change,” she says.

The fact is, “most people don't like major change very much and they are experiencing some duress if they are willing to upend their work life,” Clark says. “The next step in their career will be influenced by these motivations.”

For instance, Clark wouldn't want to put someone into a leadership position if the motivation for change is that the individual does not like to manage people. “Similarly, I wouldn't put someone in a national consulting role if their motivation is driven by a need to stop traveling so much,” she says.

What’s your ideal next step?

“We all have our dreams and desires, and often we try to fit what we want into someone else's ‘container’ because we don't see the right container in front of us,” Clark says. “When we can get a well thought-out answer to this question, it can open up possibilities and opportunities that may not have been obvious before.”

People change jobs to get closer to feeling as if they are living out their purpose, Clark says, and companies should want to know as much about that purpose as possible in order to ensure there is a right match, particularly when making critical hires.

Copyright © 2020 IDG Communications, Inc.