What actually-useful questions should someone ask when hiring a cybersecurity professional?
Imagine you’re the manager hiring someone for a technical cybersecurity job. What non-obvious questions help you judge the candidate’s skill/suitability? What makes those questions useful?
That is, assume you’ve done the standard complement of job interview questions such as background and tool familiarity. I’m looking for stuff specific to some part of cybersecurity. It’s okay to get specific to your part of the field.
I don't trust any cybersecurity person who doesn't even have a cursory understanding of what nmap is. It's one of the most basic tools for looking for holes in network security, and if they don't even know what it's for (port scanning and fingerprinting), I'd be fairly concerned. I've seen too many 'security experts' that just paste reports from a COTS scanner into Word documents and they don't have the slightest clue what they mean. But here's a key one that should be a softball with some robust answers: What is the difference between Authentication and Authorization?
Authentication is the login. Authorization is whether you should be allowed to log in and what permissions you should have.
Some questions about best practices for each would be wise.
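A worked illustration of the distinction in the answer above, added here and not taken from any commenter: an unauthenticated request fails before permissions are ever consulted, while an authenticated user can still be refused an action. The user store, roles and actions are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample user store (hypothetical): passwords kept as PBKDF2 hashes.
_SALT = b"constructed-static-salt"  # a real system uses a per-user random salt


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {"pw": _hash("correct horse"), "roles": {"analyst"}},
    "bob": {"pw": _hash("hunter2"), "roles": {"analyst", "admin"}},
}

# Authorization policy: which roles may perform which action (constructed).
PERMISSIONS = {"view_report": {"analyst", "admin"}, "delete_report": {"admin"}}


def authenticate(username: str, password: str):
    """Authentication: prove who you are. Returns the identity or None."""
    user = USERS.get(username)
    candidate = _hash(password)
    # Hash is computed even for unknown users and compared in constant time,
    # so "no such user" and "wrong password" behave the same to a caller.
    if user is None or not hmac.compare_digest(candidate, user["pw"]):
        return None
    return username


def authorize(username: str, action: str) -> bool:
    """Authorization: is this (already verified) identity allowed to do this?"""
    allowed_roles = PERMISSIONS.get(action, set())
    return bool(USERS[username]["roles"] & allowed_roles)


def handle_request(username: str, password: str, action: str) -> str:
    identity = authenticate(username, password)
    if identity is None:
        return "401 unauthenticated"  # we do not know who you are
    if not authorize(identity, action):
        return "403 forbidden"  # we know who you are; you may not do this
    return f"200 {identity} performed {action}"
```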
The single greatest threat to any organization is a successful phishing attack. People are by far the weakest link in security architecture. No amount of system design will overcome somebody handing over the keys to someone who asks. I'd want to probe at them and see if they deliver a similar conclusion.
So would you ask, "What do you think is an organization's weakest link?"
And would it be a deal-killer if they had a different answer than you did, which they could back up?
Not OP but I always like asking that question. It allows me to gauge where they stand from an experience perspective. Some folks will always spew the textbook response and say "People". And most of the time that is a fine answer.
But I always enjoy hearing from people who are from mature programs who say something different. For example, someone could say: "Our biggest threat based on our current maturity level is XYZ, and I think it's XYZ based on %EVIDENCE%."
An example I could think of is a company's biggest weakness being data exfiltration, not because they have poorly trained users sending data to whomever, but because of a strong lack of logical controls or poorly implemented solutions. Then I would look to see what their current process improvement plan might be.
This will allow me to understand their experiences and shows me their ability to effectively communicate areas for improvement.
Other technical questions I enjoy asking in no particular order -
Just my 2¢ as an IS/CS manager.
If not, is it a taco?
Yes. Tired after a long day. I wouldn't call it a dealbreaker, especially if they had a good justification.
At the end of the day, strong dialog matters in many ways.
I am going to guess that you aren't hiring into a vacuum. Meaning that the company already has technical people on their payroll. Sysadmins, developers, etc. While they aren't security experts, their knowledge does overlap in quite a few areas. More so than yours as a manager. So even if you are provided with good questions to ask here, you very likely still lack the experience needed to validate the answers.
So my advice would be to involve a few people from technical roles. Either in an active role where they also ask questions or in a more passive role where they sit in to validate the answers.
This post actually serves as a concrete example. Specifically the way you introduced it, because "a technical cybersecurity job" is about as broad as it gets. So you are also going to get very broad and general suggestions here, or very specific advice based on the assumptions people made. If the job description people respond to is as non-specific as well, you likely are going to be dealing with a similar issue. In fact, it increases the chances of attracting people who are smooth talkers (I guess social engineering is security related...) but lack on the technical side.
So, to even take a step back, I'd also first work on making the job requirements more specific. Ideally, by involving various technical people already on the company payroll.
Both are cybersecurity experts, but require different kinds of people.
Oh this definitely generates general responses... but there are a lot of GOOD general responses. Including the suggestions here!
Of course it depends on seniority and the role. But in my experience as a pentester, I always appreciated when places asked about the under-considered creativity of candidates. For example, a question like "What's one of your favorite hacks or stories to share from an assessment you've done?" That allows someone to talk about something interesting, whether it's creative or just technically challenging. A candidate that doesn't have a good answer for that would be a tough sell for a senior level pentester in a good firm, IME.
But bare minimum should be some familiarity with common tools, enough to be able to speak to them like someone who uses them regularly. "What are some of your most used extensions in Burp Suite?" is somewhat common for someone who purports to know web, and if they don't have an answer, they should at least be able to talk intelligently about why not.
More generally you could ask questions about their favorite topics in infosec, how they learn about new happenings, that sort of thing.
I like to pose a general problem and have the candidate walk me through how they evaluate it. The question depends on what the role is for but it should target a core skill for their role.
SOC/Incident Response: Walk me through an investigation if we get an alert for endpoint malware.
Appsec: Threat model an architecture
Solutions Architect: Secure or build a reference design
A lot of security comes down to well known fundamentals. Good engineers have experience/expertise in the tradeoffs required to solve problems. The basic questions like AuthN/Z should be covered in prescreening; expensive interviews should be spent understanding how the candidate solves problems and their experience working in orgs like yours. I would also ask how they would handle communication with leadership, and negotiating with external teams.
This was going to be my answer. Usually I'm more interested in knowing whether someone is able to work through a problem rather than whether they have some specific knowledge (even though some baseline knowledge would still be required).
A couple of questions that may be worth asking in a pre-screen are "What is the difference between asymmetric and symmetric cryptography?" or "Tell me step by step what is involved in a browser displaying a website". Both sound simple but they tackle concepts with intricacies which are not always intuitive, so are a good indicator of their technical competencies.