You're interviewing candidates for a security analyst position. One is a history major with no formal technical experience. The other has an advanced degree in computer science, with a focus on cybersecurity, and 10 years' experience in pentesting and security operations center environments.

Which candidate do you hire?

If you're Keatron Evans, principal security researcher at security education provider InfoSec, the history major gets the job. By asking the right questions, Evans could see through the candidate's resume and credentials to the most highly valued security analyst traits: troubleshooting and problem-solving skills, curiosity, desire to learn, and an innate passion for cybersecurity.

Demand for this role is higher than ever, a trend that is likely to continue, with the US Bureau of Labor Statistics projecting that employment for security analysts will grow 31% from 2019-2029. The following interview questions will help you stay ahead of that curve, ensuring you make a successful security analyst hire.

What is TCP?

How someone talks about topics like the three-way handshake or the TCP communications standard can reveal a lot about their grasp of security fundamentals.

In Evans' case, the inexperienced candidate discussed TCP as if she'd studied it not just in a textbook but also in a computing environment. "Even though she had the least experience of all the candidates, she answered as if she'd authored the protocols in question, like TCP, herself," he says.

Other basics include distinguishing between symmetric and asymmetric encryption and describing where each would be best used, the anomalies that indicate a compromised system, or how to deal with a man-in-the-middle attack, says Travis Lindemoen, managing director in the cybersecurity practice at Nexus IT Group.
"You're listening for the processes they've been trained on to remediate that type of attack," he says.

Framework familiarity, whether with NIST, SANS or MITRE, is also a telling detail, says Chuck Brooks, president of Brooks Consulting International and adjunct faculty at Georgetown University. "There are a lot of elements in these frameworks that give you a map to follow for basic defenses and risk management," he says.

How would you handle this data breach?

What really impressed Evans, though, was how the inexperienced candidate he interviewed (and ultimately hired) problem-solved a technical scenario that required answering 10 questions about handling a data breach. The exercise involved two computers: one connected to the cloud-based lab environment to do the task, and a second one connected to the internet to research needed information, such as up-to-date details on a recent exploit.

"She used the research computer masterfully, while the more experienced people didn't even bother touching them," Evans said. "For that reason, most of them missed the final two questions that had to be answered from reviewing the packets and memory dumps."

Evans also intentionally required candidates to give the virtual machine a static IP address to operate on the network, which they'd only know by reading the instructions. "It took one candidate 15 minutes to stop complaining that nothing was reachable and realize he had to follow the instructions," he says. "A lot of SOC work is paying attention to detail as well as reading notes and processing information gathered by other analysts."

How would you triage these alerts?

Alternatively, a breach scenario can be explored conversationally. This more interactive approach can highlight how the candidate thinks, communicates, and collaborates. Interviewers can also tailor questions as they go (filling in information, digging deeper, etc.)
to jibe with the candidate's experience level.

First, though, it's important to establish a comfortable atmosphere, as a nervous person can be hard to read, says Dom Glavach, chief security officer and chief strategist at CyberSN, a career and staffing firm focused on cybersecurity.

That's why Glavach starts by asking about a well-publicized breach like the SolarWinds attack in terms of the indicators of compromise (IOCs), lessons learned or the attack methodology used. "Even if they're not familiar with it, they can take a few seconds to do a search on IOC and SolarWinds," he says. This reflects the on-the-job reality that security analysts shouldn't be judged on their immediate knowledge but on their ability to quickly assess risk and talk about remediations.

From there, Glavach moves to the scenario conversation, such as: Today's Monday. You're coming off a great weekend and see two odd login alerts from the night before, from New York and San Francisco, within five minutes of each other, one of which was successful. You also detect Cobalt Strike beacons in the southern office. What do you need to do to triage this?

The rest of the conversation simulates what would occur in the security operations center (SOC) among colleagues, Glavach says, in terms of collaborating on ideas, sharing knowledge, assessing how dire the situation is and what should be done to remediate it. "I've heard answers that reveal the candidate is not as experienced as their resume led me to believe," he says.
"Resumes tell the story, but the person tells the novel."

What's your first move after receiving new threat intelligence?

Another scenario-based approach focuses on the first move the candidate would make, or the first question they'd ask, when, for example, they receive a new piece of threat intelligence or an advisory about a newly discovered vulnerability in a system or device.

For Peter Gregory, senior director for cybersecurity at GCI Communication Corp. in Anchorage, Alaska, and former cybersecurity advisor, the answer should focus on knowing whether the threat is relevant to the organization, "which points right away to the need for effective asset management so security analysts can quickly get the answer to that," he says. Even if the candidate isn't familiar with asset management, which, based on Gregory's former consulting experiences, he says many companies do a poor job of, they should indicate a realization of how valuable asset management is for problem solving.

Evans' "first-move" question revolves around what to do when a data breach has compromised a specific machine. A less experienced candidate might suggest shutting down the machine and taking an image of the hard drive. Someone with more experience would focus on doing proper memory analysis first, because most advanced attackers don't write to the hard drive and powering the machine off discards whatever is in volatile memory, as well as network packet analysis to determine the breach's origins. "Shutting down the machine is a basic forensics technique, but it's not focused on incident response," Evans says.

Other good responses would focus on the importance of aligning with the incident response policies that are in place, or of having an accurate network diagram representing where key systems and devices are.
"A big part of incident response is containing the incident, and you can't contain if you don't know the boundaries of the environment," Evans says.

Is cybersecurity your job or your lifestyle?

For those who excel in cybersecurity, their interest in the topic is not a 9-to-5 thing; it's a passion that pervades their everyday lives. To find out if that's the case, Lindemoen likes to ask about the candidates' home network setup. "I look for whether they're using WPA2 vs. WPA and WEP and whether they set up a separate network for when guests use their home wireless network," he says. "They're simple things, but it provides some insight into how they think about security in their personal lives."

Lindemoen also asks about which cybersecurity conferences they'd most like to attend if they could, and why. Rather than naming a well-known conference, "they might mention one that's in a niche they're focused on or are truly passionate about."

Participation in capture-the-flag (CTF) and other cyber calisthenics events and activities is another good barometer, Glavach says. Because these programs are free, they can be even better at revealing passion than costly certifications are. "If there's a candidate with no certifications but they participated in CTFs similar to a DEFCON CTF or a SANS Holiday Hack, that shows me they're very committed," he says. "It shows a high level of curiosity and commitment to their craft."

Glavach also asks questions about the offensive side of cybersecurity and how an attack works, including the need for collaboration among the attackers. "I like to ask what their favorite attack is as a defender, or the most fascinating attack they've read about," he says.
"Everyone has something they're super curious about."

Can you complete a sentence without using a buzzword?

Successful security analysts are also people who Gregory calls "bilingual": able to talk from both a technology and a business perspective. "They need to be able to have a conversation with a business executive without using a single IT or security acronym or buzzword and easily express themselves in business terms," he says.

To explain the importance of asset management to a CFO, for instance, a bilingual security analyst might say, "If we just knew what we had, we could spend less time figuring that out when a new threat appears and more time protecting this business," Gregory says.

Glavach assesses communication skills by asking candidates to first describe a well-publicized attack as if talking to a peer during a daily SOC meeting, with the focus on understanding what's needed to defend against it. Then, he asks the candidate how they'd turn that same information into an awareness campaign for non-technical people in the business. The conversation quickly becomes about doing so without using words like "credential stuffing" or "reconnaissance."

Another tactic is asking what to do if a senior executive requests that their home device be set up on the corporate network even when it's against company policy, Lindemoen says.
"I'm looking for a diplomatic response that's trying to get to the root of what the executive needs and is looking for a win-win that doesn't violate the policy or expose the company to outside risk," he says.

What can you tell me about AI in security?

Faced with a dynamic threat landscape and continuously emerging technologies, on both the defensive and offensive sides, security analysts need to be naturally curious and always willing to learn more.

"People are under the impression that you need an expert coder or someone immersed in IT," Brooks says. "But that's not necessarily the focus of cybersecurity, which is really multifaceted. It involves getting people who can learn because the threats keep changing and morphing."

Brooks recommends asking candidates what they know about artificial intelligence and how it's used both on the dark web and for automating threat detection. "I'd look for at least an elementary understanding of what it means to a cyber posture, to fortify defenses and understand what the threats are," he says. "In today's age, AI plays such a big role and you have to have an understanding of it because you'll be using it yourself."

How would you have handled the Colonial Pipeline attack?

Cybersecurity is as much an art as a science, which is why the best hires are creative thinkers who aren't stuck on the status quo. A great way to assess their level of innovation is to ask what the candidate would have done differently when faced with the same situation as a well-publicized attack, even if it is with the benefit of 20/20 hindsight. "It gives me an idea of how disruptive their ideas are, in a good way," Glavach says.
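The Monday-morning scenario Glavach poses under "How would you triage these alerts?" (two login alerts from New York and San Francisco within five minutes of each other, one successful) is the pattern SOC tooling usually labels "impossible travel". As an added example that is not part of the original article or of any interviewee's material, the Python script below runs that detection over a few constructed authentication events: it sorts each user's logins by time, computes the great-circle distance between consecutive source locations, and flags any pair whose implied travel speed exceeds what an airliner could manage. The event format, the field names, the city coordinates, the sample IP addresses and the 1,000 km/h threshold are all assumptions made for this example.

```python
import json
import math
from datetime import datetime, timezone

# Constructed sample authentication events, one JSON object per line; not taken from
# any real system. Coordinates are approximate city centres; IPs are documentation ranges.
SAMPLE_LOG = """\
{"ts": "2024-06-10T02:41:07Z", "user": "jdoe", "src_ip": "203.0.113.10", "city": "New York", "lat": 40.7128, "lon": -74.0060, "result": "failure"}
{"ts": "2024-06-10T02:45:39Z", "user": "jdoe", "src_ip": "198.51.100.7", "city": "San Francisco", "lat": 37.7749, "lon": -122.4194, "result": "success"}
{"ts": "2024-06-10T08:15:00Z", "user": "asmith", "src_ip": "192.0.2.44", "city": "Chicago", "lat": 41.8781, "lon": -87.6298, "result": "success"}
{"ts": "2024-06-10T12:30:00Z", "user": "asmith", "src_ip": "192.0.2.44", "city": "Chicago", "lat": 41.8781, "lon": -87.6298, "result": "success"}
{"ts": "2024-06-10T13:00:00Z", "user": "asmith", "src_ip": "192.0.2.91", "city": "Milwaukee", "lat": 43.0389, "lon": -87.9065, "result": "success"}
"""

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse newline-delimited JSON events; timestamps are UTC strings ending in 'Z'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def find_impossible_travel(events, max_speed_kmh=1000.0, min_distance_km=50.0):
    """Flag consecutive logins per user whose implied speed exceeds max_speed_kmh.

    min_distance_km suppresses noise from neighbouring cities and geolocation jitter.
    """
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Identical timestamps from distant locations are treated as infinitely
            # fast rather than raising a division error.
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": (prev["city"], prev["src_ip"]),
                    "to": (cur["city"], cur["src_ip"]),
                    "distance_km": round(dist, 1),
                    "minutes": round(hours * 60, 1),
                    "speed_kmh": round(speed, 1) if math.isfinite(speed) else speed,
                    # A successful login in the pair is the session to contain first.
                    "any_success": "success" in (prev["result"], cur["result"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_impossible_travel(parse_events(SAMPLE_LOG)):
        print(f"{f['user']}: {f['from'][0]} -> {f['to'][0]} in {f['minutes']} min "
              f"({f['distance_km']} km, ~{f['speed_kmh']} km/h), "
              f"successful login involved: {f['any_success']}")
```

Run against the constructed sample, the script reports only the jdoe pair; the asmith logins from Chicago and then Milwaukee half an hour later are far too slow to trip the threshold, and the repeated Chicago logins are dropped by the minimum-distance filter. The finding records whether either login in the pair succeeded, because in the interview scenario the successful session is what needs containing first, while a pair of failures is lower priority. The same logic generalises to any source of geolocated login events, though real deployments also need to account for VPN egress points and mobile carriers, which make geolocation far noisier than these hand-written coordinates.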