10 interview questions for hiring cloud-literate security staff
Market researchers have been saying for a while now that organizations are having trouble finding, hiring, and retaining experienced IT security professionals with the necessary cybersecurity skills. The rise of cloud computing creates an additional hurdle to building a modern security team.
Cloud computing brings a unique set of information security challenges along with a shift in security strategy. Gartner predicts that 95 percent of cloud security incidents will be the customer’s fault, so it is critical for security professionals to understand the risks and vulnerabilities associated with cloud use.
Therefore, hiring the right employee is all the more imperative. Skyhigh Networks shared 10 interview questions that it believes accurately gauges an IT security candidates cloud literacy.
1. How can IT function as a business enabler?
The days of IT as a back-office function are over. IT and security teams need to transition from the Department of “No” to enablers for the business tools employees need. Cloud offers the rare chance for security teams to work with a blank slate and build security from the ground up, but they need to be willing to collaborate with business teams. It is no wonder soft skills will rise in IT security professionals.
2. What is the role of network boundaries or the “corporate perimeter” in information security?
The castle wall has crumbled. Data is the new perimeter, and security needs to stay with data as it moves across applications, devices, and computing environments. The industry is transitioning from a prevention to a protection model, where context and content-aware security applies policies in real time.
3. What information security challenges are faced in a cloud computing environment?
Security teams instantly lose visibility and control when data leaves the corporate network to cloud providers. At the same time, companies use enterprise cloud applications for sensitive client information, intellectual property and regulated data. Security teams worry about insider threat, compromised accounts, compliance violations and data loss in the cloud.
4. You have been asked to explore a new business solution. You have come across two software products. One is an on-premises solution, the other is cloud-based. Why would you recommend one over the other?
Even the most conservative companies have made plans to eliminate all or almost all their private data centers – and not just for better value and agility. A survey conducted with the Cloud Security Alliance shows 62.9% IT security professionals recognize that enterprise cloud providers have equal or better security than their own organizations.
5. What kind of cloud services would you block and what criteria would you choose for selecting sanctioned applications?
There are tens of thousands of cloud providers on the market, and many do not meet companies’ basic security requirements. In general IT teams will limit the use of consumer cloud services, with exceptions for departments like marketing. Service provider attributes to evaluate include encryption capabilities, multi-factor authentication, the location of data centers, and user agreement policies on data ownership.
6. Business teams come to you and ask for a solution to access corporate data on their mobile devices. How would you respond?
If security categorically denies in-demand capabilities like cloud and BYOD, employees will go around security policies, creating new threats. Rather than shut out personal devices completely, companies should take a risk-based approach. For example, security may decide employees can view but not download sensitive data on personal devices.
7. What technologies and approaches are used to secure information and services deployed on cloud computing infrastructure?
Gartner calls cloud access security brokers (CASB) a necessary security technology for companies using cloud services. On-premises proxies, DLP, and threat monitoring solutions do not extend to cloud applications by default. A CASB acts as a central control point for all cloud applications and extends the security stack into the cloud.
8. Can you explain the difference between SaaS, PaaS, and IaaS along with some of the benefits of each?
The shared-responsibility model defines the risk areas the cloud provider and cloud customer own. With infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS), the cloud provider takes responsibility for infrastructure-level risks like the physical security of servers, electricity, and reliability. With software-as-a-service (SaaS), the cloud provider handles application security as well, leaving the customer responsible for securing the use of data on the application. It is critical for security professionals to understand the breakdown of responsibility across the different types of cloud environments.
9. Can you give an example of when your team completed a cloud-based deployment and how the project benefited the business?
There is no substitute for real-world experience, and professionals with cloud deployments under their belt are in high demand. Cloud’s recent and rapid rise to prominence, however, exasperates the security skill shortage. In lieu of hands-on experience, hiring teams can look for certifications like those offered by the Cloud Security Alliance.
10. Cloud risk requires cross-departmental collaboration. What teams would you include on a cloud governance committee?
The most mature cloud security programs include a cloud governance team to evaluate which applications meet the organization’s risk tolerance. The team typically categorizes applications into approved, denied, or permitted groups based on their attributes, allowing the organization to enforce governance at scale across thousands of applications. The team should include representatives from compliance, audit, and business units.