Competency Based Questioning - part 2
08:30 Friday, 10 September 2021
UK Cyber Security Council
In an earlier article we described the fundamentals of how to behave in an interview that uses the popular technique of Competency-Based Questioning, or CBQ. In this, the next piece in an occasional series about CBQ, we will look at a common CBQ question and consider how we might answer it.
Q: "How do you maintain good working relationships with your colleagues?"
Rule 1 of interviews: understand the question before you answer it. Is the interviewer asking how you stay on good terms with the people in your team? Or are they more interested in the relationship between you and the users out there in the business? We can’t tell, so the next step is simple: ask for clarification.
A: "Do you mean my colleagues in the security team, or the users in the business?"
There’s no shame in asking for clarification. In fact, we consider it a good thing because as well as showing that you have a level of confidence, it also demonstrates that you think about questions and ask for more information if you need it, rather than leaping in and giving an answer that doesn’t fit what the questioner was looking for.
We will assume that the interviewer clarifies the question by saying: "The users in the business"; this probably means they’re thinking of the common perception that the security people seem hell-bent on impeding the business teams from doing their jobs. So, we might respond like this:
"As you’re aware, the cyber team is often perceived as telling people what to do - or, equally, what they’re not allowed to do. I find that it’s much easier if colleagues understand the risks of a cyber attack - if they get why we need to be cautious, and why we sometimes have to ask them to do inconvenient things in the interest of defending ourselves - they’re much more engaged and happier to work with the security team. And so I explain what we do and why we do it, hopefully in a non-techie way they comprehend. I’ve also found that telling or showing colleagues about actual attacks on our company makes security much more real - they engage more when they realise that a threat really is relevant to the company and to them".
The answer isn’t overly long, but it packs in the components. It starts by setting the scene, briefly describing the problem we’re trying to solve. It talks of "I" rather than "we": remember, this is an interview for you as an individual, not you and your team. Phrases like "I find" demonstrate experience - this is a more powerful approach than "I think" or "I believe" because "I find" is saying you've done it, not that you’re thinking of what might be. And it gives some clear examples of what actions you have taken to address the problem that you led with, one of which takes the extra step of pointing out that you know you need to use non-technical terms when explaining to users.
In 130 words, probably taking no more than 40 seconds, you’ve packed a great deal into a single answer.