The Do’s And Don’ts Of Cybersecurity Interview Question Design

We are thrilled to announce the publication of our latest tool for security and risk leaders: The Forrester Cybersecurity Interview Questions Checklist.

As a security leader, I spent an inordinate amount of time designing my interview questions for those joining my team. My key concern was never around finding the person with the perfect technical or subject matter skill set — I could easily discern that from a CV, and perfection is overrated anyway. Instead, I worried about how they will manage the numerous stakeholders, supporters, and detractors and represent our team’s values and brand to the organization. I worried about how to test whether or not they will elevate my team and positively impact their teammates or direct reports, and I worried about my own subconscious biases and how to hire based on merit, not “personality.”

On this side of the house, as analysts speaking to hundreds of security leaders and professionals each year, Jess, I, and our colleagues hear horror stories from our clients, candidates, and the industry as a whole about interview processes and questions. The list of challenges is broad and deep, with some examples noted here:

  • Asking well-meaning, but ultimately inappropriate, questions (such as asking candidates about their willingness to meet deadlines at all costs)
  • Security leaders trying to discern a brilliant mind from a brilliant jerk
  • Singular focus on technical skills
  • Misguided talent filtering practices (such as reluctance to hire talent who worked at a firm that had a security breach)
  • Well-meaning questions accidentally excluding half the population (such as one directed at an entrant into the field who was asked: “You’re very good at math for a girl. How does that feel?”)
  • Security leaders failing to spot early red flags (one interviewee once told me, “Obviously, you’re not technical,” when I asked him if he had any questions for me — luckily, this was an obvious red flag, but others are less so)

Hiring successful candidates requires that you learn a lot more about the candidate than just their tech skills while not running afoul of regulations or falling prey to conscious or unconscious bias.

Keep this order of operations at the forefront of your plans: the ability to foster and build stakeholder relationships, team culture fit, and technology prowess. Create better alignment with the business and business outcomes by shifting the focus of your interview questions to:

  • Prioritize stakeholder relationships and engagement. Relationships, incentives, empathy, and influence matter as security engages stakeholders across the organization. Ask questions to spot and weed out candidates who will be hostile to, indifferent to, or uncooperative with the stakeholders that you and they serve. For example, ask them to tell you about a time when they had to acknowledge that their position and certainty on a topic was not workable in an organizational constraint. Watch out for the candidate who tells you that they’ve never had to do that because their positions are always right!
  • Elevate your team’s culture. Unhappy security teams are characterized by infighting and aggression. Your interview questions need to find candidates who will elevate your team culture and identify and remove candidates whose behavior is likely to have a negative impact on your team. Ask them what part of their current workplace culture and values they would bring with them if they could and what they would like to leave behind. This is where the person starts to get real!
  • Address technical skills last. Technical acumen remains important and foundational, so create scenario-based questions to identify candidates with pragmatic and practical technology knowledge rather than those who are masters in a discipline, come with an alphabet soup of certifications, or meet 100% of your technical criteria.

A Note Of Caution: Remove Bias From Interviews

Watch that you are not excluding potential talent at the interview stage via conscious or unconscious bias. Bias in the interview process can occur unconsciously, such as when you hire based on an undefined notion of culture fit or ask questions that focus on aspects unrelated to someone’s merits for the role. To overcome this, codify the purpose, behavioral norms, rituals, and artifacts that make up your culture, and base your questions on those. Add behavior-based interview questions and techniques to your repertoire.

We would like to thank our “future of work” colleagues, especially Katy Tynan, who reviewed our research to ensure that we didn’t encounter some of these unconscious bias errors that are so easy to make.
