It goes without saying that cyber security is as broad as it is wide so understanding the line of questioning a candidate should be preparing for at interview will of course be subject to the specific job title, industry, and level of seniority. However, guided by a recruitment expert in the cyber security field, we have picked out some key questions to ask, from entry level cyber security jobs to senior directors.
If you’re applying for entry level cyber security jobs…
Bucking the trend of how most candidates like to frame their interview prep, Matt Garvey, Director of Eagna Consulting suggests shying away from those now clichéd questions around company culture. “No one’s going to turn round and tell you their culture’s bad and you shouldn’t come and work there,” asserts Garvey, “but people still ask those questions and the truth is you’re going to get the same answer from every person you ask.”
Rather, cyber security hopefuls should be focusing more on the role they’re applying for. Ask provocative questions, for example ‘What does a day in the life of a cyber security analyst entail at this company?’. You need to be able to understand what the day to day looks like before you sign up to take it on. Ask them where the role sits in the company and what specifically you’ll be overseeing in terms of security.
“Cyber security covers a lot of different areas,” says Garvey, “so you want to understand things like whether you’ll be focused on prevention or more incident response.”
Something you should also be asking, regardless of the level of seniority, is what the current set-up is. Ask them how their cyber security practice is set up. Where does this role fit in? What sort of technologies are you utilising at the moment? What are you finding to be the most effective?
Is there scope to build something out here, or is this just a business-as-usual role that will see you coming in and simply maintaining what’s already there, upgrading when necessary and ensuring no threats are coming through? As an analyst you’ll likely be coming in at that lower level and that maintenance piece will be a big part of your role, but what you want to understand is whether you’re expected to be coming at the job from a prevention or incident response angle.
If you’re applying for mid-level cyber security jobs…
If you’re applying for a mid-level cyber security role in say a consulting firm or software company, you should be focusing your questions around the clientele. Who are the clients these companies are working with? What are those clients engaging them to do? What sort of clients will I be working with? Plus, with cloud security being a prominent area of cyber security currently, you may want to ask whether you’ll have an opportunity to look at cloud security within your role.
Depending on which type of company you’re going into, for example a big bank or corporate versus a smaller firm, you need to understand the context of your role. In the bigger companies you’ll probably be working in a very specific area of cyber security, covering that as part of a broader team, whereas if you’re going into a smaller company, you may well end up being THE cyber team.
So, the questions to ask will be, how does my role fit in within the company? What sort of technologies are currently in play? What will I actually get to do? What is the career development for this role? You also want to be asking how that development happens so you can understand what is expected of you in order to progress your career.
If you’re applying for senior-level cyber security jobs…
If you’re coming in with the experience of a team leader or director, the line of questioning will advance in kind. At this level you'll want to understand how the team you're coming into is set up. Who’s in the team? What are their capabilities? Where are the gaps? Is the team responsible for the security of the whole organisation or are they just looking after a specific area? And perhaps most importantly, does the role have a seat at the table? “By that we mean, does this role influence the organisation’s cyber security policy,” says Garvey, “because it’s very difficult at the senior level of cyber security to do your job effectively if no one’s listening.”
This particular issue may not be relevant in the current business climate due to the majority of our global workforce working remotely, thereby placing a bigger emphasis on the importance of cyber security. Right now, businesses know they need to place their funding and investment into cyber security, but regardless this is an important question for candidates at that this level to be asking.
Lastly, ‘Are we more reactive or proactive in terms of our cyber security policy?’. This is an important one, because a company that is reactive to cyber security threats is likely to have more holes and vulnerabilities in their system leaving them open to attack, and thus making the job of their cyber security team much more difficult.
You may also be interested in the below articles: