Focus: Structuring cyber security interviews to hire the best talent.

2 weeks. That’s how much time I had invested in recruiting for a Security Architect role. My client was a mid-size, high-growth organization. Since the cyber security team was small, the position would report to and interview with the Chief Information Security Officer (CISO). At the end of my initial search, I had shortlisted 5 qualified professionals. Based on my personal submission-to-hire ratio (38.6%), I was confident that we would fill the role.

After reviewing the candidates’ resumes, the CISO decided that he wanted to interview all of them. We agreed to set up thirty-minute phone interviews for the first round. Ordinarily, we host phone interviews on our conference line. But he wanted to call the candidates directly. After conducting the interviews, the CISO provided very positive feedback. He thought they were all well-qualified and wanted to move forward in the process. Excited by the feedback, I called all the candidates to share the positive news.

When I spoke with the candidates, my initial excitement turned into despair. Not one of them had an interest in moving forward with the opportunity. 

The main reason was how the CISO conducted the interviews.

He started by asking qualification questions. Rapid-fire questions, one after another, until the 30-minute call had concluded. This left no time for the candidates to ask questions or inquire about next steps. One of the candidates even said it felt like an interrogation, rather than an interview. In short, the CISO would have benefited from knowing how to structure a cyber security interview.

The problem:

Many cyber security leaders begin the hiring process without a well-defined plan. They fail to structure the interviews and qualification questions. As a result, this both hurts the candidate experience and hinders the decision-making process.

In the war for cyber security talent, the best candidates have many options. On average, a candidate considers 5+ roles when looking to make a career move. According to the LinkedIn Global Trends report, 83% of people said a bad interview experience changed their mind about a job. Unstructured interviews lead to bad candidate experiences. This means the best candidates will pursue other options. The last thing you want is to have only B- and C-level candidates remain, who are less than ideal for filling a role. This is why it’s absolutely essential to know how to structure an interview in order to improve a candidate’s experience.

The way you conduct an interview determines how candidates view the opportunity. For example, an unorganized interview leaves a negative impression of what it will be like to work with you and your company. Not providing time to answer their questions at the end may leave them with outstanding questions about the role and company. Candidates may interpret the lack of time management as a sign that you won’t care about their input if they take the job. The cyber security community is small and tight-knit. Its members often share knowledge about security strategies, tools, and best practices. Similarly, they discuss the organizations they’re considering joining and their experiences. Unstructured interviews can earn your company a bad reputation in the cyber security industry.

Not planning the questions can end up doing more harm than you might think. Asking different questions for each candidate creates more challenges downstream. When you finish each round of interviews, it will be more difficult to compare candidates. Let’s take a look at how to solve these issues.


The solution:

Before posting the position, it is imperative to create a plan. As the saying goes, “If you fail to plan, you’re planning to fail.” Plan how you will structure each interview and the questions asked. As a result, you will improve the candidate experience and decision-making process.

First, plan out the interview structure for each step in the process. The structure will vary depending on the type of interview. Managing expectations is a key ingredient to a positive interview experience. At the beginning of the interview share how you have structured the interview. This step will help manage the candidate’s expectations. As a result, the overall experience will be improved.

Next, prepare a list of must-ask questions for every interview. As a result of planning, you will ask the same type of questions to each candidate. In particular, rank the qualifying questions in order of importance, so that if you run short on time you have the most important questions answered. Later, this will help you objectively decide who should move forward or not.

How to Structure a Cyber Security Interview:

Like a story, interview structure should have a beginning, middle, and an end. Similarly, the beginning and end of an interview are shorter than the middle. Below is an example of how to structure a phone interview.

The Beginning: Introductions (5-10 minutes)

First, share with the candidate the structure you’ve prepared to get the most out of your time together. For example, tell them that you have five minutes for introductions, twenty minutes for qualifying questions, and then 5 minutes for answering their questions and discussing next steps. Doing this will manage their expectations and improve their experience. This will also keep you accountable and on track while asking questions.

Next, provide information about yourself, the organization, and the role. Describe why the role is important to the success of the organization. Be sure to include the key performance objectives. Job descriptions are broad and often fail at providing the expectations of the role. You will get better answers by providing a frame of reference. As a result, they will be able to highlight their relevant skills and work examples that relate directly to the role. Lastly, share what’s in it for the candidate (WIIFYs): the opportunity for growth within the organization, flexibility to work from home, paid education, training, and certifications, etc. By providing this “value-add” for the candidate, you will increase their motivation to answer your qualifying questions to the best of their ability.

The Middle: Qualifying Questions (15-20 minutes)

Generally, this is the heart of the interview. The questions determine if the professional you’re interviewing meets the qualifications for the role. The most essential part of this interview section is preparation. Take time to put together specific questions that will show if a candidate will be a good fit for the role. If you plan these questions beforehand, this phase should be a breeze. Make sure you ask the same questions for each candidate. Using the same questions will help you decide who is most qualified based on the same criteria. Otherwise, you will make the decision-making process more difficult for yourself.

The End: Candidate Questions & Next Steps (5 minutes)

Open up the conversation to answer the candidate’s questions. This allows you to address any of the candidate’s concerns or doubts as well as any outstanding questions about the company. Interviewing is a two-way street in which both parties must have a mutual interest. Providing a candidate with the knowledge necessary to make an informed decision is essential.

Finish the interview by managing their expectations. Let them know the next steps and when they should expect feedback. If it’s the final interview, let them know when you plan on having a decision ready, and add extra time to that date. For example, if you plan on making a decision on the 15th, tell them that you will be reaching a decision on the 18th. That way, if you run into any challenges reaching a decision, they are not left thinking that they were not selected. This framework is a starting point. You can tweak it depending upon the type and length of the interview, as well as the individual requirements for the role you are hiring for.


This topic is coupled with the importance of improving the candidate experience. If you missed last week’s post on the importance of the candidate experience, please take a couple of minutes to read it. Be sure to look out for our next tip: 3 ways to win the war on cyber security talent.

As always, please share, like, or comment below if you found this beneficial. If you disagree, that’s great too! We’re always open to learning and enjoy discussing these topics with others.

If you’re currently seeking cyber security talent and looking to secure talent long term through a great candidate experience and proven results, then we are the right boutique firm for you. Please set a needs analysis meeting.

Be secure, safe and happy!
