10 tough security interview questions, and how to answer them

Anyone who’s experienced a job interview knows that one of the keys to landing a position is answering the interview questions effectively and intelligently—without sounding like a robot. It’s no different for high-level security executives. In fact, given the importance of these positions and the need for security executives to think fast on their feet, being prepared to respond to tough questions with cogent answers is vitally important to getting hired.

We asked several security executives and hiring experts to provide examples of challenging questions job candidates might expect to be asked—and their advice on crafting the right kinds of answers.

Why is now the right time for you to make a career move?

Changing jobs is all about motivations and proper timing, says Domini Clark, principal at Blackmere Consulting, which specializes in recruiting information security professionals. “I need to know early on how motivated a person is to make a career move and what sort of opportunity is going to get them off the ledge of uncertainty,” Clark says. “Do you hate your boss because he’s a micromanager? Are you tired of traveling because you’ve missed the first three years of your child’s life? Sometimes people will allude to those factors when asked about why they’re leaving their current position.”

The timing piece adds an entirely different element to the question. “I want to know what the straw looks like that broke the camel’s back,” Clark says. “That straw is the true motivator—the rest is just window dressing.”

How will you obtain and retain top security talent for our organization in this increasingly tight market?

Everyone in the industry knows how difficult it is to find skilled security professionals. Hiring officers will want to know how you plan to address the challenge.

Suggest establishing an internal mentoring and training program, says Paul Boulanger, vice president and chief security consultant at consulting firm SoCal Privacy Consultants. That way the company can offer the staff personal growth through education and certifications, and a career path within the company itself so there’s an expectation from both sides to lay down roots and make a career, he says.

“We want to avoid burnout with particular positions, so part of the training [would involve] job rotation,” Boulanger says. “Individuals will both be able to learn new technologies and stay fresh. We see this in the DevOps/agile movement now where developers are expected to be ‘full stack.’ We should encourage this on the security side too. It makes for better employees.”

Have you been involved in a security project that failed? If so, why did it fail and what would you have done differently?

With this question, the interviewer wants to hear evidence that you can learn from past failures, says Deborah Blyth, CISO at the Colorado state governor’s office. “Often, security projects fail because there wasn’t enough buy-in to begin with, or there wasn’t enough planning and preparation to handle user impact,” Blyth says. “There are likely things you could have done ahead of time to ensure better success.”

These might include using a broader pilot group, training multiple subject matter experts at each location to help users, or providing a white-glove service for the implementation of executives and their administrative assistants. “Perhaps spending time one-on-one with some of the leaders in other areas of the business, listening to their concerns, and talking through how any issues will be supported, might help to increase buy-in for future projects,” Blyth says.

Have you ever experienced a breach?

It is understandable why an interviewer would ask this, says Jason Taule, CSO and chief privacy officer at FEI Systems, a provider of health-related technology products. “But I consider this a tough one both because of how it is worded and because there is no right answer,” Taule says. “A ‘yes’ response that you have had a breach may or may not be a reflection of the CSO’s capabilities. No one wants to admit to having had a breach on their watch, but many times they happen despite one’s best efforts through no fault of the CSO.”

On the other hand, a “no” response might suggest the candidate lacks the necessary experience to successfully navigate an organization through a major breach. Taule’s suggestion: Acknowledge the seeming inevitability of breaches, “speaking to accomplishments building successful early anomaly detecting capabilities and equally effective incident response programs, [and] describing experiences gained handling less severe but otherwise reportable events instead.”

Have you ever stolen anything?

Trust is important in any employee. But it’s of paramount importance that someone charged with overseeing an organization’s privacy, risk and information security management functions have the utmost integrity, Taule says.

“This question is tough because candidates all too often provide the answer they believe indicates honesty, when in fact it proves the opposite,” Taule says. “Believing that everyone else steals, even if only a little bit—I mean who hasn’t accidentally walked home with a few pens from the office—many candidates respond yes to this question.”

Taule isn’t suggesting that anyone lie if they have indeed misappropriated something in the past. “If you have, own it, indicating that you’ve firmly put this in the past,” he says. “However, believe it or not, we don’t all steal things. So in the end there is only one proper answer to this question. ‘No, I have not stolen anything.’”

What’s one of your big accomplishments and why are you proud of it?

“Focus on the relationships that were built and the benefit to the business,” Blyth says. For example, talk about a project that enabled you to establish relationships with leaders within the marketing organization, providing a better view of the business that turned out to be instrumental in future projects.

Or provide an example of how you helped a company be more efficient, such as a consolidation of tools or services that increased security while saving the company money each month in maintenance costs.

What product would you recommend we use for X?

This question comes in many forms and is problematic because of the disconnect between what the interviewer is trying to assess and what the question appears to elicit, Taule says. “The senior security executive must wear many hats, including sales person, consultant, solutions architect, and project manager to name but a few,” Taule says. “But as anyone who has ever occupied any one of these positions knows full well, this question is a trap to be avoided at all costs. The chances of choosing the right answer are not in your favor.”

There are too many organizational, operational, financial, political and cultural factors that go into selecting the best solution to any business problem. In a response, focus on the underlying objective, sharing experiences you’ve had in the past with different solutions, Taule says.

What will your priorities be during your first 90 days?

Your response should be more about building relationships and inspiring confidence in your peers and your team, rather than seeking to implement huge security wins, Blyth says. “Talk about how you’ll meet with executive leadership and your peers one-on-one to discover their priorities and how you can support them,” Blyth says. “Talk about the specific steps you will take to ensure you have a complete picture of the business, so that you can understand your role and how it supports and enables the business.”

What is your ideal next step?

“Everyone has an image dancing around in their head about how great the next step is going to be and how different it will be from their current situation,” Clark says. “Sometimes in that vision the grass isn’t just greener, it has rainbow stripes and smells like strawberries.”

Often, people stumble when explaining their “ideal” because they don’t really want anyone to shine a light on the fantasy, Clark says. “No one really wants to be told that real grass will never be rainbow colored or smell like strawberries. However, this fantasy will drive every conversation you have with a candidate about their future in your organization, particularly once you begin compensation negotiations.”

This question helps a hiring executive understand whether the candidate has truly considered what it will take to get from current state to the “ideal”.

How will you be able to provide value to the company so that when you move on, that value is retained?

“The answer lies in two paths,” Boulanger says. “Let’s first understand stakeholders and their needs and ensure that we are meeting them. Establishing good governance will help ensure that these needs continue to be met from the standpoint of the business. Any new initiatives by an incoming CISO will need to address these needs.”

Second, there should be continual education of executives, and expectations should be managed so they understand that security tools do change over time. “It is not just the ‘new guy’ coming in, but that the threat environment will change,” Boulanger says. “The company cannot expect that a solution once put in place will last forever. Tools need to be evaluated, upgraded, or even replaced to meet the first and primary point, which is that stakeholders’ needs must be met. Good governance will be able to bridge any changes in personnel. [You] can help establish that.”