An information security program is only as good as the people who make it up. This is why it is critical that you identify the best job candidates and weed out the rest during the information security interview process. Over my career I have battle-tested these interview questions, adding and dropping them until I arrived at the refined list below, which fits into a 30-minute final interview. These questions assume the candidate has already passed a basic technical screening. Here are the questions I typically use, and the reasoning behind each.
#1) What attracted you to the field of Information Security?
I want to see whether this candidate started because they saw a paycheck, or whether they are truly passionate about the field. A great information security candidate will have a passion for the profession, and that passion carries over into the quality of their work and the effectiveness of the InfoSec program.
#2) What brings you to us?
This question is designed to elicit why they are looking for work. A response from the candidate that they are here because they burned down their old company and now need a new place to work would of course raise a red flag.
#3) Do you pursue any information security research outside of your current employer?
I like to see candidates who enthusiastically brag about their test lab at home, or what they have recently done at an Information Security conference or convention. I want people on my team who take pride in their work, not a ticket pusher who is just in it to close as many tickets as possible and go home.
#4) Why would you like to work in this position?
This question often identifies candidates that have the wrong impression of the day-to-day duties for the information security job. If I am hiring for an information security policy analyst then I don’t want their entire answer to be how much they enjoy systems security auditing.
#5) How did you find out about this job?
This is one of those unintuitive questions that consistently reveals information about the candidate's motivations for interviewing. I like to hear that they heard about the job through industry publications or associations, since such candidates are more likely to be passionate about the field and the work they will do. I also like to hear that they were referred by another company employee, or that they are an internal candidate, which means the interviewee already knows the company culture.
#6) How have you used <insert resume keyword here> in your career?
This is a question that has many times ended the interview once it became apparent that the candidate does not know anything about the acronyms listed on their resume beyond what they studied for their CISSP or CEH exam. I have found that candidates can almost always give you the definition of any term or acronym on their resume, but a surprising number of those who pad their resumes can't tell you how it is used in the real world.
#7) How do you keep up to date with new information security risks and threats?
A junior information security analyst with up-to-date information on the latest threats and risks is just as valuable, if not more so, than a senior information security analyst who is basing his or her decisions on information that is ten years old. This question also keys in on the candidate's interests. If they list off a number of news sites that all deal with forensic investigations, and they are being hired as a data loss prevention specialist, then this may be a sign that they are desperate for work and will take a job that does not match their skills and, more importantly, their interests.
#8) How would you respond to a user asking if they can FTP our employees' SSNs to our health insurance company to perform reconciliation?
A bad answer is "tell them they can't do it because FTP is not secure". An information security specialist needs to be part of the solution. A good response is when the interviewee points out not only that FTP is not secure and why (the username, password and file contents all cross the network in cleartext, readable by anyone on the path), but that there are more secure options such as SFTP (file transfer over SSH) or FTPS, which encrypt both the credentials and the file in transit. Better still is an interviewee who digs deeper into the user's need to send full SSNs in the first place: a reconciliation can often be done on the last four digits or on a pseudonymous employee identifier.
#9) How would you explain what a SSL certificate is to your aunt or uncle?
This question demonstrates the candidate's ability to convey technical information to a non-technical audience, which is important for most positions I have hired for. If the candidate throws alphabet soup into his or her explanation (PKI, OU, MD5), he or she may have communication issues once hired. I used to ask for an explanation to your mom, but "aunt or uncle" has much less chance of striking an emotional chord if their mom is deceased.
#10) What is your experience with…?
If I see a gap in the candidate's resume for a critical job function, I make sure to determine whether it is something they have no experience with, or something they just didn't have room for on their resume. Common items include:
- DLP (Data Loss Prevention)
- Vulnerability Management
- Penetration Testing
- Web Application Security
- Network Scanning
- Information Security Frameworks (e.g. NIST, ISO 27001, HITRUST CSF)
- Industry Regulations and Standards (HIPAA, HITECH, PCI DSS)
- Experience with Ticketing Systems
- Antivirus Products and Infrastructure Design
- Log Management / SIEM
- Information Security Training
- Policy Creation and Management
#11) How will your past experience help the team to be successful in this position?
If the candidate is only strong on paper, this question will show it. The answer typically reveals whether the person's knowledge is academic or comes from real-world practice.
#12) What metrics do you see valuable in this field?
This question is designed to make the candidate think under pressure, and it requires the right follow-up questions to be effective. For example, if the candidate answers "number of infection attempts", ask what it means when the number goes down. Does down mean good, because fewer workstations are being infected, or does up mean good, because the attempts were detected and therefore blocked before they could succeed? Perhaps down means good because users are browsing more safely, or perhaps up means good because antivirus is being installed more consistently and is now seeing attempts it previously missed. The point is that a raw count is ambiguous until the candidate can say what it actually measures and which direction is desirable.
#13) What are your strengths in this position?
This is a standard question designed to highlight where the candidate sees himself or herself as strongest.
#14) What are your weaknesses in this position? Alternately, in what areas do you see the most growth needed for this position?
The way the candidate handles this question is typically more enlightening than what they actually say. The typical candidate struggles to walk the fine line between a BS answer and an answer that will scare the interviewer off. I make sure to write my notes on the candidate's answer while the candidate is answering the next question, to avoid putting him or her on the spot and getting overly defensive about the answer on seeing you taking notes.
#15) What has been your most important work-related idea?
I like to end the interview on a high note, and this gives the candidate a chance to brag about his or her past accomplishments. A big red flag, and one I see too often, is when the candidate can't come up with any accomplishment worth telling us about. If I am hiring for a position that needs to transform the practices or procedures of my organization, having no track record of success will go a long way towards eliminating him or her from the running.