You’re interviewing candidates for a security analyst position. One is a history major with no formal technical experience. The other has an advanced degree in computer science, with a focus on cybersecurity, and 10 years’ experience in pentesting and security operations center environments.
Which candidate do you hire?
If you’re Keatron Evans, principal security researcher at security education provider InfoSec, the history major gets the job. By asking the right questions, Evans could see through the candidate’s resume and credentials to the most highly valued security analyst traits: troubleshooting and problem-solving skills, curiosity, desire to learn, and an innate passion for cybersecurity.
Demand for this role higher than ever, a trend that is likely to continue, with the US Bureau of Labor Statistics projecting that employment for security analysts will grow 31% from 2019-2029. The following interview questions will help you stay ahead of that curvey, ensuring you make a successful security analyst hire.
How someone talks about topics like the three-way handshake or the TCP communications standard can reveal a lot about their grasp of security fundamentals.
In Evans’ case, the inexperienced candidate discussed TCP as if she’d studied it not just in a textbook but also in a computing environment. “Even though she had the least experience of all the candidates, she answered as if she'd authored the protocols in question, like TCP, herself,” he says.
Other basics include distinguishing between symmetrical and asymmetrical encryption and describing where each would be best used, the anomalies that indicate a compromised system or how to deal with a man-in-the-middle attack, says Travis Lindemoen, managing director in the cybersecurity practice at Nexus IT Group. “You’re listening for the processes they’ve been trained on to remediate that type of attack,” he says.
Framework familiarity is also a telling detail, says Chuck Brooks, president of Brooks Consulting International and adjunct faculty at Georgetown University, whether from NIST, SANS or MITRE. “There are a lot of elements in these frameworks that give you a map to follow for basic defenses and risk management,” he says.
What really impressed Evans, though, was how the inexperienced candidate he interviewed (and ultimately hired) problem-solved a technical scenario that required answering 10 questions about handling a data breach. The exercise involved two computers—one connected to the cloud-based lab environment to do the task and a second one connected to the internet to research needed information such as up-to-date details on a recent exploit.
“She used the research computer masterfully, while the more experienced people didn't even bother touching them,” Evans said. “For that reason, most of them missed the final two questions that had to be answered from reviewing the packets and memory dumps.”
Evans also intentionally required candidates to give the virtual machine a static IP address to operate on the network—which they’d only know by reading the instructions. “It took one candidate 15 minutes to stop complaining that nothing was reachable and realize he had to follow the instructions,” he says. “A lot of SOC work is paying attention to detail as well as reading notes and processing information gathered by other analysts.”
Alternatively, a breach scenario can be explored conversationally. This more interactive approach can highlight how the candidate thinks, communicates, and collaborates. Interviewers can also tailor questions as they go (filling in information, digging deeper, etc.) to jibe with the candidate’s experience level.
First though, it’s important to establish a comfortable atmosphere, as a nervous person can be hard to read, says Dom Glavach, chief security officer and chief strategist at CyberSN, a career and staffing firm focused on cybersecurity.
That’s why Glavach starts by asking about a well-publicized breach like the SolarWinds attack in terms of the indicators of compromise (IOC), lessons learned or the attack methodology used. “Even if they’re not familiar with it, they can take a few seconds to do a search on IOC and SolarWinds,” he says. This reflects the on-the-job reality that security analysts shouldn’t be judged on their immediate knowledge but on their ability to quickly assess risk and talk about remediations.
From there, Glavach moves to the scenario conversation, such as: Today’s Monday. You’re coming off a great weekend and see two odd login alerts the night before, from New York and San Francisco, within five minutes of each other, one of which was successful. You also detect a Cobalt Strike and beacons in the southern office. What do you need to do to triage this?
The rest of the conversation simulates what would occur in the security operations center (SOC) among colleagues, Glavach says, in terms of collaborating on ideas, sharing knowledge, assessing how dire the situation is and what should be done to remediate it. “I’ve heard answers that reveal the candidate is not as experienced as their resume led me to believe,” he says. “Resumes tell the story, but the person tells the novel.”
Another scenario-based approach focuses on the first move the candidate would make or the first question they’d ask when, for example, they receive a new piece of threat intelligence or an advisory about a newly discovered vulnerability in a system or device.
For Peter Gregory, senior director for cybersecurity at GCI Communication Corp. in Anchorage, Alaska, and former cybersecurity advisor, the answer should focus on knowing whether the threat is relevant to the organization, “which points right away to the need for effective asset management so security analysts can quickly get the answer to that,” he says. Even if the candidate isn’t familiar with asset management—which, based on Gregory’s former consulting experiences, he says many companies do a poor job of—they should indicate a realization of how valuable asset management is for problem solving.
Evans’ “first-move” question revolves around what to do when a data breach has compromised a specific machine. A less experienced candidate might suggest shutting down the machine and taking an image of the hard drive. Someone with more experience would focus on doing proper memory diagnostics—because most advanced attackers don’t write to the hard drive—as well as network packet analysis to determine the breach’s origins. “Shutting down the machine is a basic forensics technique, but it’s not focused on incident response,” Evans says.
Other good responses would focus on the importance of aligning with incident response policies that are in place or having an accurate network diagram representing where key systems and devices are. “A big part of incident response is containing the incident, and you can’t contain if you don’t know the boundaries of the environment,” Evans says.
For those who excel in cybersecurity, their interest in the topic is not a 9-to-5 thing; it’s a passion that pervades their everyday lives. To find out if that’s the case, Lindemoen likes to ask about the candidates’ home network setup. “I look for whether they’re using WPA2 vs. WPA and WEP and whether they set up a separate network for when guests use their home wireless network,” he says. “They’re simple things, but it provides some insight into how they think about security in their personal lives.”
Lindemoen also asks about which cybersecurity conferences they’d most like to attend if they could, and why. Rather than naming a well-known conference, “they might mention one that’s in a niche they’re focused on or are truly passionate about.”
Participation in capture-the-flag (CTF) and other cyber calisthenics events and activities is another good barometer, Glavach says. Because these programs are free, they can be even better about revealing passion than costly certifications are. “If there’s a candidate with no certifications but they participated in CTFs similar to a DEFCON CTF or a SANS Holiday Hack, that shows me they’re very committed,” he says. “It shows a high level of curiosity and commitment to their craft.”
Glavach also asks questions about the offensive side of cybersecurity and how an attack works, including the need for collaboration among the attackers. “I like to ask what their favorite attack is as a defender, or the most fascinating attack they’ve read about,” he says. “Everyone has something they’re super curious about.”
Successful security analysts are also people who Gregory calls “bilingual”—able to talk from both a technology and business perspective. “They need to be able to have a conversation with a business executive without using a single IT or security acronym or buzzword and easily express themselves in business terms,” he says.
To explain the importance of asset management to a CFO, for instance, a bilingual security analyst might say, “If we just knew what we had, we could spend less time figuring that out when a new threat appears and more time protecting this business,” Gregory says.
Glavach assesses communication skills by asking candidates to first describe a well-publicized attack as if talking to a peer during a daily SOC meeting, with the focus on understanding what’s needed to defend against it. Then, he asks the candidate how he’d turn that same information into an awareness campaign for non-technical people in the business. The conversation quickly becomes about doing so without using words like “credential stuffing” or “reconnaissance.”
Another tactic is asking what to do if a senior executive requests his home device to be set up on the corporate network even when it’s against company policy, Lindemoen says. “I’m looking for a diplomatic response that’s trying to get to the root of what the executive needs and is looking for a win-win that doesn’t violate the policy or expose the company to outside risk,” he says.
Faced with a dynamic threat landscape and continuously emerging technologies, both on the defensive and offensive sides, security analysts need to be naturally curious and always willing to learn more.
“People are under the impression that you need an expert coder or someone immersed in IT,” Brooks says. “But that’s not necessarily the focus of cybersecurity, which is really multifaceted. It involves getting people who can learn because the threats keep changing and morphing.”
Brooks recommends asking candidates what they know about artificial intelligence and how it’s used both on the dark web and for automating threat detection. “I’d look for at least an elementary understanding of what it means to a cyber posture, to fortify defenses and understand what the threats are,” he says. “In today’s age, AI plays such a big role and you have to have an understanding of it because you’ll be using it yourself.”
Cybersecurity is as much an art as a science, which is why the best hires are creative thinkers who aren’t stuck on the status quo. A great way to assess their level of innovation is to ask what the candidate would have done differently when faced with the same situation as a well-publicized attack, even if it is with the benefit of 20:20 hindsight. “It gives me an idea of how disruptive their ideas are, in a good way,” Glavach says.
Get our latest insights. Subscribe to our newsletter.