Interviewing Security Awareness candidates: What do you think this job is?

One of my all-time favourite ways to initiate a job interview is to ask the candidate what they believe the job they applied for is all about. Nine times out of ten, the candidate repeats verbiage from the job posting because they’ve never actually performed the role before. Most candidates for an individual contributor position are trying to break into the cybersecurity field. They don’t have an accurate understanding of what people with the job title actually do all day. That’s fine by me. The candidate’s answer usually allows me to pause the interview process so my board members and I can explain what the role really is and what they’d be expected to accomplish. Most of the time – another nine times out of ten, I’d wager – our explanation leaves the candidate stunned. They’re caught off-guard as their expectations crumble. Again, that’s fine.

After giving the candidate a moment to think, I ask what about what I’ve just revealed to them strikes them as most and as least interesting. This lets me evaluate how the candidate acts when they’re forced to respond off-script. They can’t have a rehearsed speech since this isn’t a “standard interview question.” More importantly, this is where a candidate can demonstrate a healthy sense of candour: “Wow,” one fellow replied. “Now that you’ve put it that way, this isn’t at all what I thought I was applying for and I don’t think I’d like doing this job.”

No matter how the candidate answers, I like to follow up by asking what they want to do long term. Sure, they applied for my job because they need a job. That’s a given; no one survives in America without either (a) working or (b) being born into a wealthy family, and people from the (b) category don’t apply for individual contributor jobs (they receive high-level jobs in daddy’s golf buddy’s company as part of the birthright). I know why the candidates are in the room with me and I empathize. What I most want to know is how taking the job I’m offering might help them eventually reach their goal.

I’ve heard HR types argue that one should never ask a candidate anything other than purely technical questions, then offer the role to whichever candidate scored the best marks on technical acumen alone. That would be fine if we were interviewing robots. People aren’t machines and should never be treated as if they were. Taylorism has always been pseudoscientific nonsense; a justification for cruelty, bigotry, and abuse of workers. I interview people: complex, nuanced, and imperfect living beings with problems, needs, and ambitions. Acknowledging that truth is the first important step to creating a healthy and productive office culture.

That’s one thing a robot has going for it over a human: no industrial machine has (to date) developed racist or sexist beliefs. AIs, on the other hand …

More often than not, I’ve found that an honest dialogue at the top of an interview facilitates a more effective interview overall. We, the employer, come clean about the work we need done. The candidate comes clean about the work they want to do. We then discuss how effectively one might serve the other in both directions. If we both agree that the interview is worth continuing, we carry on. If not, we still have most of an hour to provide our guest with mentoring and encouragement.

I’ve heard HR types argue that it’s not our responsibility to “help” an outsider. Just ask your questions and send them away, they sneer. I find that mindset callous. I once had two thirds of my candidates for a role realize after my first questions that they had accidentally applied for the wrong job. The listings on our organisation’s website for completely different roles had been 95% identical in wording, leading outsiders to apply for seemingly identical roles. These two candidates were so far outside their qualifications and professional interests that taking our job – had we offered it – would have been a waste of everyone’s time. Exactly the sort of ill-fit that an interview is supposed to reveal.

I absolutely wouldn’t call that a failed interview. Not only did we avoid “car crash” levels of drama down the road, discovering the mistake early on allowed us to use the rest of the interview period to help the candidates find and apply for jobs that they really wanted. They both left happy, we dodged a disaster, and other supervisors in different parts of our organisation got more highly motivated candidates to interview. Everybody won.

That illustrates one of my two main motivations for asking people what they really want to do in the long run. I don’t ask “where do you see yourself in five years” because five-year plans are for apparatchiks. They’re fantasy at best. No, I ask “what do you want to do?” This is more helpful, as it tends to show the limits of a candidate’s understanding of the career field.

Most of the time, people trying to break into IT have a romanticized idea of what the work must be like based on pop culture tropes. Explaining what the work is actually like can sometimes shock a person … and sometimes thrill them with possibilities they’d never considered.

I’ve heard dozens of non-technical applicants say that they want to become technical project managers because a career counsellor or professor had shined them on about how lucrative a job that could be for people who don’t code. Often, a quick “tour” of the job fields available in IT is enough to spark genuine excitement in a younger applicant. When you discover what truly inspires a worker, then you can map how to get from here to there.

That aside, there’s one more important reason to ask a candidate what they want to do rather than just re-hash what they’ve already done: people in IT get typecast. By that, I mean that the first major role a candidate completes in their career tends to define them thereafter. This doesn’t affect the young people who are applying for their first-ever job … but it sure as hell affects everyone applying for their second and subsequent jobs.

If you’ve not heard of it, I’m going to let Wikipedia define “typecasting” because their editors said it better than I could: “In film, television, and theatre, typecasting is the process by which a particular actor becomes strongly identified with a specific character, one or more particular roles, or characters having the same traits or coming from the same social or ethnic groups. There have been instances in which an actor has been so strongly identified with a role as to make it difficult for them to find work playing other characters.”

The exact same thing happens in technical hiring, especially in the “disposable contractor” sector. The role you’ve most recently performed (or the task you’ve done the most) becomes the entirety of what you are. You just came off a three-year gig managing LINUX servers? As far as most HR screeners and hiring managers are concerned, that means you’re a “UNIX sysadmin” and will never be anything else! It doesn’t matter if you always wanted to be a Threat Analyst or a Blue Teamer or a Project Manager. If you had wanted to be one of those things, then you should have already been hired in that role and have a minimum of three years’ experience if you want to do it now. Obviously, the thinking goes, if you haven’t been hired for that role before, that means you weren’t qualified then and aren’t qualified now … and never will be. You only get one chance to qualify.

To really add insult to injury, the first few jobs that a young person is offered out of school are almost never in the field or specialisation they wanted or trained for. If we’re going to forever brand a worker by their last job title, we might as well assign career paths based on purely random chance. Call it “occupational roulette.”

This is a staggeringly self-destructive hiring practice because it discounts the essential nature of modern white-collar employment: all the best jobs require experience, and there’s no way to gain experience if you don’t already have it. This robs an organisation of the most promising available talent because it keeps demanding ultra-rare left-handed unicorns instead of growing and cultivating technical talent.

This practice is especially harmful to niche roles like Security Awareness, since we haven’t existed as a formal career path for very long. This means there are very, very few people sporting SA jobs on their résumé. In fact, if you don’t demand that HR screeners ignore previous job roles, you’ll be lucky to get any candidates at all … which is ridiculous. Sure, SA work requires some unique skills; however, nearly anyone can be taught and mentored over a year or two to become proficient as a junior IC. “Titles” don’t make a person successful; curiosity, enthusiasm, and dedication are what count.

So, yeah. The next time you’re sitting an interview board, give my preferred method a try. Set the bog-standard HR list of safe and useless questions aside and start the event by asking a few critical questions to help frame the rest of the discussion: what do you think this job is? Now that you know what it is, what about it do you like and dislike? With that in mind, what is it that you really want to do in your career? The answers to those questions will open up a range of potential “wins” for the organisation and for the candidate. They might even help identify that “diamond in the rough” that’s going to be your star player a few years down the line. Give it a shot.


All rights reserved Teiss Recruitment Ltd.