Here’s How to Hack Your Next Cybersecurity Interview

What exactly are hiring managers and recruiters looking for in potential cybersecurity hires?

Let’s find out.

Whether you’re looking for your first job in cybersecurity, a promotion, or an entirely new role, chances are at some point you’ll have to chat with an interviewer about your background, experience, education, interest in the role, and perhaps most importantly: why you’re a good fit for the position. To make this daunting process a bit easier, we sat down with a several hiring managers and recruiters to determine how they approach the cybersecurity interview, the questions they ask, and the types of answers they’re looking for.

Oliver Legg, Lizzie Verbeek, Shobha Iyer, Rob Cuttito, Ross Gisondi, Michelle Rhodes, and Kris Rides explain how you can ace your next cybersecurity interview.

The Problem Solver

“The reality is that despite the huge skills gap, landing that first cybersecurity role is not easy,” says Oliver Legg, Co-Founder & Cybersecurity Recruiter at Aspiron Search. “Of the entry level roles that exist, many of them require basic IT or development fundamentals that are rarely gained from a cybersecurity degree. My best advice to aspiring cybersecurity professionals is to widen your focus of what your first role could be and lengthen your time frame of getting into security. Working in help desk or networking is an excellent way into a SOC type role, which in turn can lead into loads of areas of defensive security or security engineering. If you have a computer science background and are interested in the coding side, you might be a good fit for application security, a role that would benefit from a slid development background. There are also a number of areas of security that are not strictly technical: Take GRC, or data privacy, or security awareness. All of these offer exciting career paths that are slightly less known. Having a solid grasp of technology is still hugely beneficial in these roles, but they remain accessible to applicants without a technical background. My top interview tip for any level would be to demonstrate you’re a problem solver. Security is all about understanding and solving different problems covering technology and the business, and your mindset towards approaching these is a critical.”

Why Cybersecurity?

Verizon’s Senior Cybersecurity Talent Advisor, Shobha Iyer, shares her thought process on interviewing candidates. “My questions can vary, depending on what stage the candidates are at in their career and the seniority of the position. In every case, I make it my goal to always extract the best from the candidate during these interviews. During my initial screening calls, I’ll ask: Why did you choose cybersecurity? I’m looking for answers that reveal their passion and strengths in intangible areas, sense of duty, morality, purpose, and such. Credentials may demonstrate the hard, technical skills one has developed, but may not necessarily reveal your ‘why’.

Shobha also likes to gauge how a candidate stays up to date with the ever-changing industry. “What are some current industry trends you’ve been following? I look for candidates to offer up some specific news websites, security forums, podcasts, or blogs, or provide an example of a recent incident they’ve read about.”

Lastly, she emphasizes the importance of being able to communicate and explain technical concepts: “I’ll ask a candidate to describe a specific technology or product related to the role they’re applying for: this helps me understand their ability to communicate complex topics to non-technical folks. Soft skills are a highly desirable trait in cybersecurity.” She adds,: “If you really understand a topic, you’ll be able to explain quantum theory to a kindergartner.”

Security is Part of a Bigger Picture

Cybersecurity consultant and former recruiting manager at Petroplan, Lizzie Verbeek tells us: ”I like to figure out the [candidate’s] level of passion for the career, so any home lab work, public speaking, volunteering, blogging, research around specific topics, examples of real world experience, even if it’s part of their education or training). Any previous technology work especially networking and understanding how security fits into the overall landscape of an organization, is always a plus.” Lizzie recruits for a variety of information security roles, including: Security Engineer, Cloud Security Architect, IT Security Manager, Forensics and eDiscovery, Linux Security, Application Security, Threat Hunter, Penetration Tester, and more.

Let’s Get Specific

Rob Cuttito, who calls himself the “Cybersecurity Whisperer”, and serves as Verizon’s Senior Manager of Cybersecurity Talent Acquisition, likes to ask candidates a seemingly simple question that reveals more than it appears to:  “What areas of cybersecurity are you most interested in? ” He explains: “Entry level candidates often don’t have a clear understanding of the different areas, so this tells me they haven’t really explored the various career areas.” 

In an effort to better understand the candidate’s motivations, Rob asks: “What have you done on your own to gain experience and knowledge beyond education and certifications? In asking this, I’m trying to find out who is really interested and passionate about security, and who is applying just because they’ve heard the industry pays well.”

For senior level candidates, he prefers to hone in on the specifics of what the candidate’s previous responsibilities included. “Describe the makeup of your team; who does what compared to what you do? What other teams do you partner with? Many candidates tend to use the word ‘we’ when answering questions about what they do; I want to know what the individual does in comparison to their team. I also want to see who you work in conjunction with to see if that would translate to our processes and structure.”

Communication is Critical

Ross Gisondi — the US head of Cybersecurity at Hamlyn Williams — shares his thoughts on the importance of communication. “One of the most important skills that I assess during the interview process is communication, especially when determining what level role you’re qualified for. The more senior the role you’re applying for, the more relevant this skill will be. In senior roles, you’ll be partnering with stakeholders or clients who might not have technical backgrounds, so your ability to translate technical concepts will go a long way. If you’re looking to land a CISO or management type position, you’ll likely be negotiating your budget to build the world class security program you were brought on to to build. Being able to effectively communicate these issues to your leadership will help you make a strong case for a budget. As a penetration tester, you’ll need to clearly document and explain the risks and potential impact associated with any vulnerabilities you discover. If you’re looking for long term career growth and to set yourself apart from other highly technical candidates in the market, it’s a great idea to work on your written and spoken communication skills.“

Solving Interesting Puzzles

Praetorian’s Principal Talent Partner, Michelle Rhodes shares her philosophy on interviewing candidates: “I’m honest and transparent during all communication with anyone interested in our company. During my initial call, the first puzzle I try to solve is: Do you want to work here? Or are you just looking for a bump in compensation or a job to fill your resume up? I listen and narrow down on passion — If a candidate demonstrates an evident passion for security, they are likely to have the drive to work hard to learn and succeed. Task-relevant experience is much less important than passion. 30 years ago, AOL came out with dial-up internet. Now everything sits in this ‘cloud’ thing. In 10 years, will there be something faster, cheaper, and more manageable? How will it be secured? I ask myself, ‘can this candidate help solve Praetorian’s next puzzle?’ I aim to understand how they align themselves with their core values, view security, and their role in solving the security problem. We are also trying to ensure a mutually good fit. Your time is essential and should be valued. Communicate upfront: On day one of a new job, there should be no surprises.”

The Job Search is a Project

Kris Rides, CEO at Tiro Security advises applicants: “A job search is a project that involves multiple steps through a process to get to the end goal of getting a job. So I’ll always ask: ‘How have you gone about your job search so far?’ This gives you an idea of how methodically the candidate works, how much planning has gone into the project, and how well they’ve stuck to the plan. I’ll also ask: ‘What has been most enjoyable or challenging about the job search process so far?’ I’m looking for honesty, trying to learn what motivates or frustrates them. Plus, if you can see patterns in different candidates’ answers you can learn how to improve your hiring process. I like this next question and its follow up: What area of cybersecurity are you most passionate about and why? I’m looking for this to lead into a discussion about what they know about that area, how they’ve learned about it and what they’ve done to try and gain hands on experience. The most successful people are successful because of their passion for what they do. If you love what you do, your work becomes less stressful, and in an industry like cybersecurity where you’re often working In stressful situations this is an invaluable quality. That’s not an excuse for a business to not do their best to alleviate that stress. However when your competition is constantly evolving and improving their knowledge and skills it helps when your employees are driven to do the same.”

Several common cybersecurity recruiting and hiring themes emerged from these conversations with recruiting experts, hiring managers, and founders, including: passion for you work, ability to learn quickly, explaining technical concepts, problem solving skills, process-oriented thinking, building home labs, technical writing, and the importance of clear communication. These tips from Lizzie Verbeek, Shobha Iyer, Rob Cuttito, Ross Gisondi, Michelle Rhodes, and Kris Rides offer a glimpse into the mind of how interviewers think, and will go a long way in helping you ace your next cybersecurity interview.