Five Questions to Ask in Your Next Cybersecurity Job Interview

By Philip Casesa

The Nexus  |  Monday, 11 February 2019

Career development and advancement is important to most professionals and, in the case of cyberprofessionals, the current state of a wide range of available jobs and not enough skilled professionals to fill them can be a job seeker’s dream. Most working professionals can relate to the process of brushing up on information about an organization going into a job interview. Job seekers are often told preparation for what one will be asked is key. But what about the questions a candidate may have for a potential employer? Arguably, those questions are the most important aspect of a job interview, and fewer professionals spend time preparing for what to ask vs. what they will be asked.

Cybersecurity or IT professionals should seek out career opportunities that offer the right sorts of stimuli to enable their own growth. A positive corporate culture is one such stimulus. A well-rounded workforce development program is another. However, negative stimuli can be present as well, trapping employees in situations that stifle growth, push coworkers away and drain the team of talent.

So, how do job candidates evaluate whether an organization has the right set of stimuli for their own development? There are a few critical questions to ask.

Question 1: What Is the Multiyear Growth Plan for Someone in the Position?

This is the answer candidates want to hear: Knowledge, skills and abilities (KSAs) are clearly defined for this role and there are expectations for growth. There is a clear plan for the professional development and career progression of someone in this position.

Without KSAs, it is hard to set a structured plan for professional growth. KSAs can answer the questions “What must candidates know and be able to do to be successful in this role?” and “What knowledge and skills must candidates learn to be ready for their next role?” Some see KSAs as restrictive or rigid, but they can be very empowering. Knowing exactly what must be delivered to move to the next level makes it much easier to seize the opportunity and move forward. In interviews, candidates should ask pointed questions about the specific skill sets and knowledge expected of the role and how they will evolve over time. If the interviewer can answer these questions, it shows that they have a plan for employees’ growth, goals to be achieved and opportunities for advancement.

Question 2: How Long Has the Interviewer Been With the Team? What Is Their Career Story?

This is the answer candidates want to hear: Team leadership is homegrown. Managers started their careers in the organization and worked their way up. Senior positions are rarely given to outside hires.

Panel interviews, in particular, provide a unique opportunity to quickly evaluate the amount of homegrown leadership on the team. A round-robin response from the interviewers can paint a picture of an organization that develops loyal, talented employees or it can describe an organization in which top talent flees at the first opportunity.

If the team’s leaders and managers have climbed a ladder into increasingly more skilled positions, that is a good indicator that there is a workforce development program in place. However, if it sounds like most of the team members are recent additions (especially those in leadership), the turnover rate for the team may be high, training may be limited and senior roles may be given to outside hires.

Question 3: What Approach Is Used to Build a Diverse, Well-Rounded Team?

This is the answer candidates want to hear: This enterprise is actively working to build a diverse team, looking for people with a variety of backgrounds, educations, skill sets and experiences. Diversity is important to this team and at this organization.

As an industry, cybersecurity scores good marks for diversity of professional background. Many cybersecurity professionals come from backgrounds outside of the expected fields of information systems, computer science, etc. Today’s cyber leaders are just as likely to come from accounting, IT or the military. But, in other ways, diversity is severely lacking in cybersecurity. For instance, women make up only 11% of the global cyberworkforce.1

Successful cybersecurity teams require unparalleled problem solving, lots of creativity and seamless teamwork. Diversity should be the engine that drives these outcomes. An organization that recognizes diversity as both the right thing to do and a way to improve security outcomes is also likely to be an organization with a robust program for developing diverse talent internally.

Question 4: What Is the Strategy for Filling Openings on the Team? Is It to Train Up Existing Team Members or Look for an Outside Hire?

This is the answer candidates want to hear: Existing team members are offered new opportunities first. The plan for filling skills gaps on the team is to train up existing team members to equip them with these skills.

Despite the well documented skills shortage, some organization still look for outside hires to fill gaps on their teams. Finding the right person can take months, leaving the team with a significant gap in skills and the organization vulnerable. On the other hand, other organizations see a skills gap as a growth opportunity for an existing team member. These organizations have programs in place for ongoing and targeted skills development, constantly elevating employees to fill gaps and training up less experienced hires to fill open positions. This creates upward momentum for the whole team and a culture of shared goals, success and loyalty.

Question 5: What Is the Training Program for the Team?

This is the answer candidates want to hear: There is an established training program for team members at every level. Employees are given training opportunities, and there is an expectation that they will develop new skill sets.

This is a direct, obvious question, but it is one the candidate should save for last. The problem with a simple question about training is that every interviewer is ready for it. Interviewers know that training is important to most professionals, so they have a canned response ready—a response that may or may not be an accurate reflection of the training program in place.

So, candidates should ask questions that require specific answers. Ask the interviewers how the training is facilitated. Is it done in-house? Do employees attend external trainings? Is it online or in-person? How is training selected? Do employees have to find and choose the training they want? Are employees given a budget to self-select training or does the organization provide guidance? Is there a certain training provider the organization uses? Is training individual or team-based? Diving deep into how the organization’s training program works provides a more realistic picture of what it is actually doing when it comes to professional development.


Many prepare for interviews by trying to anticipate the questions they might get asked. While this is important, preparing questions for the interviewer is equally important, especially regarding opportunities for professional development. The answers to these questions will help job seekers determine if a team is the right fit and potentially help them take a step forward in their career path.

Editor’s Note

This article is excerpted from an article that appeared in the ISACA Journal. Read Philip Casesa’s’ full article, “Growing a Cybersecurity Career: Five Questions for the Next Job Interview,” in volume 6, 2018, of the ISACA Journal.

Philip Casesa

Is the director of product development at Focal Point Data Risk, bringing years of insights from roles in cybersecurity, software development and consulting. Prior to Focal Point, he spent 11 years as the director of IT/service operations for (ISC)2, leading and growing a team of enterprise architecture, applications, operations, security and web staff. At Focal Point, Casesa is focused on translating his experience into new offerings from Focal Point Academy, a leading provider of hands-on cybersecurity training, working with its elite team of educators to pioneer new models for building world-class enterprise cybersecurity organizations.


1 Frost & Sullivan, The 2017 Global Information Security Workforce Study: Women in Cybersecurity, USA, 2017