Kat Sweet

Security leader. Connector. Pun architect.

If I Gave Honest Answers to Biased Security Interview Questions

Warning, contains some swearing.

These are all actual questions that I’ve encountered as an interviewee for security roles, and they’re all ones that I avoid like the plague as an interviewer, as they not only rarely provide meaningful insight into what kind of coworker the candidate would be, but can be loaded with various flavors of bias.

What’s your greatest weakness?

I’m constantly afraid of dying! What’s yours?

I see that we’re still taking interview questions from dating profiles, and the answers you can expect from candidates will be every bit as disingenuous. Allow me to introduce you to my old friend stereotype threat. I have an immense amount of privilege, coupled with a dwindling number of fucks to give, and I’m still in a demographic that much of society believes is naturally bad at computering. When I’ve got a stranger trying to assess my capabilities in 45 minutes, I’m unlikely to admit any weaknesses that play right into that hand. This question is also tiptoeing very close to probing for invisible disabilities, which you are most definitely not allowed to ask about.

If you’re asking me this to see how I perform under pressure, all this shows me is that you, and by extension others in your org, have very little regard for psychological safety. Was the 8-hour bender of questions with my future hanging in the balance not “under pressure” enough?

My therapists, close friends and partners get to have a window into my actual greatest weaknesses. Occasionally I get super vulnerable on Twitter about things like having ADHD, dealing with financial insecurity during the Great Recession (it wasn’t that great), surviving a traumatic relationship in high school, and processing my dad’s death. Those topics are all highly inappropes for a job interview.

Do you have any security certs?

I have the GSEC, GCIH, and GCIA, which were free via a scholarship. In related news, I still can’t be in the same room as post-it tabs. I plan to let my certs expire, because that renewal fee is much better spent paying down my student loans. While I have no regrets about the time I spent earning the G-things, if they had cost me any money, I probably wouldn’t have any certs.

My question to you is: why do you care how I got the knowledge that I have?

I leveraged the educational resources that I had at my disposal and could conceivably use given my constraints of time, money, and location. The particulars of an educational path depend so much on an individual’s circumstances - being prescriptive about the one true correct way to learn about security gets us nowhere.

I would also bet cash money that if I’d said the words “Certified Ethical Hacker” you would’ve silently judged me.

What’s your favorite SIEM?

Slack. Yes, you heard me. You’re probably looking for exposure to expensive proprietary detection tooling that promises to be a single glass of pain, or something. The specific tools change (not to mention the specifics of the problems they solve), so why focus on tools rather than mindsets? As for the mindset: the process of combing through alerts and building automated response actions sucks, and the party-corgi emoji makes it suck less. Next question.

What does your home lab look like?

It’s my phone and it’s full of audiobooks. Here’s a thought: I spend my day immersed in security. When I have precious time and mental capacity to learn things after hours, maybe, just maybe, I want to learn about things other than security.

Plus, shit’s expensive. When I was going back to school, it took months for me to own a “home lab” computer - my old laptop didn’t have enough memory to run VMs or handle dual booting well. I was working so hard to get into security and felt demoralized every time someone would say “you really need a good home lab”.

Recite the cyber kill chain(™).

  1. Breaches
  2. Are
  3. Never
  4. This
  5. Linear,
  6. Assholes
  7. (™)

Did you take apart your parents’ computers when you were a kid?

Ah, so this is an unstructured interview and you somehow managed to veer even further off-script from the infosec interview question list that you googled on your way in.

What you’re really asking is 1) whether my parents earned enough money to afford a computer when they were still really expensive, 2) whether I was confident enough in avoiding harsh consequences for breaking my parents’ expensive possessions, 3) whether you can bond with me over a shared childhood hobby - a sense of camaraderie which might cause you to gloss over my red flags.

My parents were civil servants; we never lacked food or shelter but didn’t live in the lap of luxury either. They both grew up working-class and generally approached expensive technology with the attitude of “we’re doing fine with what we already have.” We got our first computer in the late 90s, and at that point what I most wanted to do with it was play Epic Pinball and type up my stories using every font imaginable, with some artisanal late 90s clip art for good measure.

What port does ping use?

Look, fam, I already told you that I have a GCIA, so let’s assume that I know my ass from a hole in the network layer. If I didn’t know the answer, would that make me a bad teammate? I know you’re expecting me to use this question to flex my very impressive knowledge of rote security trivia that I have absolutely never used in a security job - or, if I fail the question, you get to feel self-important for knowing that ports are associated with the transport layer, congrats, you get a cookie - but can we please ditch this in favor of more interesting trick questions, say, what port does PingID use?
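For the record, here is the point the trivia question is actually testing, as an example added by the editor (not code from the original post): ping is ICMP, and an ICMP echo header has no port field at all, while ports only appear in transport-layer headers such as UDP’s. The identifier, sequence number, port numbers and payload below are made-up sample input; nothing is sent on the wire, the packets are only built and parsed.

```python
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0).

    Header layout: type(1) code(1) checksum(2) identifier(2) sequence(2).
    There is no port field anywhere; ICMP sits next to IP at the network layer.
    """
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)  # checksum zero while computing
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp_echo(packet: bytes) -> dict:
    """Parse an ICMP echo packet; checksum verifies to zero over the whole packet."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "checksum_ok": inet_checksum(packet) == 0,
        "payload": packet[8:],
    }


def build_udp_header(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header: src port(2) dst port(2) length(2) checksum(2); zero checksum is legal over IPv4.

    Included only to show where port numbers actually live: in the transport layer.
    """
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def parse_udp(segment: bytes) -> dict:
    src, dst, length, _csum = struct.unpack("!HHHH", segment[:8])
    return {"src_port": src, "dst_port": dst, "length": length, "payload": segment[8:]}


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    echo = build_icmp_echo_request(0x1234, 1, b"hello")
    print("ICMP echo fields:", parse_icmp_echo(echo))
    print("UDP fields:", parse_udp(build_udp_header(40000, 53, b"q")))
```

The parsed ICMP dictionary has no port keys to return because the header has none to parse; the only identifiers a ping carries are the echo identifier and sequence number.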

Can you write a fizzbuzz on the whiteboard?

Ma’am this is an Arby’s.

What do you do in your spare time outside of security?

Oy vey, lots to unpack here. We’ve reached the “culture fit” portion of the interview! This is where you get to ask all of those illegal questions without really asking them, like finding out my age or whether I have any dependents. Whether or not you realize it, you’re searching for someone who looks like you, favoring the candidates whose responses make you feel good - and the candidates who HAVE SPARE TIME. You love to hear about spare time consumed by side projects, travel, and quirky hobbies… not so much working second jobs to make ends meet, going through a messy divorce, caring for a sick parent, or desperately trying to recharge spoons due to a disability.

For my part, allow me to disappoint you. If you’d asked me this three years ago, I’d have told you that my free time was not free, it was quite expensive because I couldn’t work (and had no paid leave) while recovering from major surgery - and the pulmonary embolism that the surgery caused - so forgive me for not having the energy to do a CTF from my sick bed in between doses of painkillers. And now? You wouldn’t expect a thirtysomething to be mired in elder care, but it’s an increasingly soul-sucking part of my world and the phrase “personal IR” has become a staple of my lexicon. But hey, I don’t have any kids, so I can totally be on-call over the holidays.

Oh and I pole dance. Is that quirky enough?

Where do you get your security news?

Cue thinly-veiled over-indexing on “the community”. These days, in addition to Twitter I tend to get my news largely from coworkers and other people in the industry - which is a thing that you’ll probably like to hear, but is also an unfair advantage that newbies or those who don’t or can’t attend conferences or meetups are less likely to have.

I’ve made a choice to be very visible both on Twitter and at cons - the former was a matter of career survival when I lived in a city that lacked much of a security community, and now, well, a big part of my job is being visible on my employer’s behalf (not here though, this is just me talking). But I’ve had teammates who were much less entrenched in the security community and - spoiler alert - they were still very good at their jobs.

If you’re using this question to gauge my depth of knowledge in your problem space: I read your company blog about 15 minutes before this interview. Bear in mind that before my last gig, I had never even heard the phrase “zero-trust” and in short order I could confidently take off my analyst dress and put on my thoughtlederhosen* about it.

Where do you see yourself in five years?

Um. Apparently not working for you. 

What’s your current salary?

Okay yeah we’re done here.


*h/t @swagitda for introducing me to the word “thoughtlederhosen”