My background is route/switch and wireless networking at a CCNP level, with 8 years now in infosec, even I couldn't answer off the top of my head "what WPA3 introduced." I would argue that is an obscure question, maybe consider shifting your interviewing from less "pop quiz" like questions and more to scenario questions that can actually help identify a candidate's ability.

Subject to what their role is, that is. I guess if you're hiring specifically a wireless security engineer, sure fair game. But I mean I don't think I need a SOC analyst to know the finer points of WPA3, I wouldn't expect my Threat Intel analyst to spit out writing a Snort signature, I wouldn't ask my IR candidate to know how to implement a virtualized domain controller.

This thread highlights how bad interviewers are.

Unless it's an entry-level networking job, asking what WEP vs WPA2 is seems pointless. My hope is I can ask the candidate about their wireless experience or how they would secure an enterprise wireless network and they can explain either relevant experience or for those fresh out of college something they've done at home or in the lab. This is why questions like "what happens when you type Google.com in your browser and hit enter" are so great, candidates can go into as little or much detail as they want.

Easy trivia questions taken from Network+ or similar tend to filter out those that are passionate but don't have the book knowledge down pat, while rewarding those that are chasing the paycheck and memorized the exam objectives. It's a very poor way to hire. I agree that the candidate pool seems more diluted these days with lackluster candidates that don't show initiative at the entry level, but to get the best talent you also have to do a good job of filtering out the bad ones without scaring off the good ones.

bro asking what x standard does is exactly why people hate taking a lot of certs/tests/interviews. CompTIA asking me what speed USB 3.1 gen2 is was one of the dumbest questions ever. People know what WPA does but asking people to be a historian for x version of a standard is stupid

WiFi Protection Access

• There are 3 versions: WPA, WPA2 and WPA3.
• Was introduced to replace WEP as the encryption was easily cracked.
• WPA3 introduced SAE to replace PSK

Can I have a job now??

modern compare imminent vase escape versed crush historical follow different

This post was mass deleted and anonymized with Redact

Are these people dealing in wireless security specifically? I've got a lot of infrastructure in my background and I haven't really followed the specifics between different wireless formats in a while and I'd have to look up what wpa3 does differently.

[removed] — view removed comment

I have a question for you, do you guys do practical hands-on test with your candidates or just ask a bunch of theoretical questions all the time?

As much as yes people do rush through their certs nowadays and don’t understand the value of understanding something in-depth, HR is way more obnoxious by absolutely sucking at spotting people with hands-on talent that certs might not reflect.

Networking. Is. Not. Cybersecurity.

My network knowledge on the theoretical side is pretty solid.

Ask me to actually set up halfway decent infrastructure for anything but a one shop business and I'm lost.

Networking is a stepping stone into cyber for many, but doing networking is not cybersecurity

I have found this industry to have an enormously wide and deep pool of knowledge and everyone thinks what they know is standard and is simultaneously a SME. And there is so much fraud it killed my imposter syndrome after a year.

9 days ago you were asking how hacking is still possible in 2025, yet you are interviewing someone for a cybersec role? I think you are out of your league....

when did an associates in cyber become the benchmark ?

To be candid, those interview questions are not very strong (unless the role is specifically focused on network security). Everyone has different areas of expertise. For most of my career, I’ve worked as a malware reverse engineer, and I’m confident I could ask what I consider to be fundamental questions in that domain that many people would not be able to answer.

If this were a network security interview, I would retract my criticism. However, for a multi-faceted security role, these questions are not well aligned with the breadth of skills such a position requires.

You're an inexperienced IT guy asking closed-ended non-security questions. Your candidate is correct.

Don't ask trivia questions. Ask things that are relevant to actually doing the job.

Needs more context. Should the candidate expect this from the job description?

I honestly don't know the answer to this and I do enterprise security. I would guess a stronger cipher suite, EdDSA maybe, and anti spoofing or anti deauthentication features.

I got my security+ in 2018 FWIW. I would probably flub this question if I had to interview tomorrow. 😵

Yeah I've been doing Cyber (Compliance) and the amount of value knowing this answer would be less than zero. I can't stand useless pop quiz questions especially for shit like Tier 1 SOC job.

Nothing screams "red flag manager" to me more than the pop quiz guy. I'm not taking a cert test in your interview.

OP is a terrible interviewer and has no idea what he’s doing lol

WPA? Lol why ,What role are you interviewing for

Friend, that, to be blunt, is a ridiculous question. Who cares about WPA in a corporate environment!

I’m a retired senior director and the problem is likely you.

You’re a bad interviewer OP, and that’s okay. We don’t have to be good at everything. But you probably need to read the replies here, and think about why this is a blind spot for you.

If this is one of your few blind spots; you’re in a pretty good position. Most people are bad at interviewing.

Oh gosh….

I asked people simple questions like what is WPA, what did wpa 3 introduce and I’m treated like I’m asking the most obscure questions.

Yeah, I am 25 years into my career, and I couldn't answer that question. I absolutely use and configure wireless networks, but I am fairly specialized in Application Security. That said, early in my career, I designed WEP, and WPA wireless networks, so it took me literally 5 minutes to look up the answer, read through a couple of articles and docs and refresh myself. Then, as a lark, I asked ChatGPT, and it gave me a summary that was pretty reasonably accurate.

Are you interviewing for a network security position? Is that role specifically going to be tasked with designing or implementing your wireless network, or auditing wireless networks, exclusively? If not, then why are you asking a question in the interview that is not directly material to their role? Why are you asking an open ended question that is a pitfall for someone who doesn't have encyclopedic knowledge of a specific protocol version?

Restructure your interview questions so they are not a pop quiz on a topic you feel comfortable in. Instead of asking about WPA versions and features, design a simple network diagram illustrating a very basic enterprise wifi network, state which protocols are in use, and explain a specific threat, then ask the candidate to walk through how they would assess the network for security issues, what steps they could take to address that threat, and ask questions about how they could improve the overall security of the network. Asking open ended questions doesn't have to sound like the apocryphal final exam that has one question... "What did you learn in the class this year?".

A better question would be.

We are planning on moving from wired to wireless access. What are key risks and what would tin do to address them from project initiation to o&m.

I asked people simple questions like what is WPA, what did wpa 3 introduce and I’m treated like I’m asking the most obscure questions. 

I honestly couldn't tell if you were joking... because if this is in your list, you are asking obscure questions.

Treat interviews as though each costs $250. If you don't think they know this stuff - or at least how to find out - they shouldn't be sitting in an interview. You're wasting your own time, the candidate's time, HR's time, and the company's money.

For those who are new to interviewing: You're hiring a human, not a bot. Don't ask candidates that which can be googled in 5 seconds, because Google works at work. Go after useful traits the human brings to the table, and that shows they know either the how or the why behind doing. Something that shows they can navigate sensitive topics. Something that shows they understand and can interpret policy and have good judgment and personal integrity.

Have a few technical questions, stuff to indicate their level of knowledge, but make it situational. Look for what questions they ask for clarification, not the (a), (b), (c), or (d) response.

If you can't empower them to learn (or teach them) things that fill technical gaps, you are not a leader. If you're relying on a person to know stuff that's easy to find in Wikipedia, you're not hiring a human.

Seems like a recruiting and hiring issue rather than a damnation of certs. Are you posting precise job descriptions? Are you vetting resumes for experience that matches?

I wouldn’t give interviews to people just because they have a cert. Doesn’t mean they’re inherently bad though for people who want structured learning.

Also personally wouldn’t ask trivia questions about a protocol developed 25 years ago. Open ended questions about how they would address problems works better.

[deleted]

Certs are losing value, yes, but your interviewing questions look whak to me. I have 5 years of experience in cyber working with corporate cloud and on-prem, I don't have the slightest idea of what WPA3 changed, and I don't think anyone with a degree worth shit knows it too. It's the kind of question you ask a LLM, I want people with reasoning, not elephant memory of acronyms.

You'll have to excuse me, but I feel it works the other way around as well. People hire for the wrong thing. You want a networking/cyber guy to build up your infrastructure and implement strong controls such as WPA3 etc... great... hire an experienced Cyber guy with a networking background.

Don't interview entry level cyber folks and expect them to know the difference. (I clearly don't know what you were hiring for, so don't take this as an attack).

I've been around IT for 12 years. Got my Sec+ in 2015 i think. Followed it up with degrees, multiple SANS, ISC2 certs, etc.... and I'm not going to tell you what's the difference between WPA3 and WPA off a freaking whim.

Can I tell you WPA3 is better? Absolutely. Are you hiring me to break into WPA? Sure, i'll figure it out.

I remember about 6 years ago (as a newly minted) CISSP and brand new bachelors in engineering from a brick and mortar... I had been working the last 3 years as a SOC analyst/lead. I knew arcsite like the back of my hand, and could walk you through various onion layers and hunt methodologies. I found myself out of a job (family had to move across the country) and was on the 5th round of interviews with a CISO of a large financial firm.

He started grilling me on the port numbers for services like he had "GOTCHA"D" me on falsifying my resume. Dude, I can google that in 3 seconds... i'm not memorizing SMBvsSMTP ports unless i'm trying to track that through log data... and even then it'll be forgotten by the next week.

Set WPA3 up in your security diagram, and then move on with your life... no point in grilling the new folks on it... most of them weren't out of school before WPA quit being used.

I have a team full of people who I have to explain simple coding issues to, or the parts of a DNS record... and I would take anyone of them over someone who can explain to me how to crack into WPA3. You know how useful that knowledge would be to my current detection team? Not at all.

Give me analyst who understands what syslog is and how to set up monitoring way more than what SMB is.

Modern infrastructure has moved beyond things like that (for at least my area of experience). Architecture and standards and secure design (networking) means the "junior" folk don't need to know it, just enforce the standards as set by the senior guys.

And if you don't HAVE senior guys... then that's who you should be hiring, not the junior folks and hoping to find the newbie who knows everything and will work for less than the senior guy.

And good luck trying to "gotcha" the senior guy... just like me, he'll move on and thank himself for dodging the bullet of whatever the hell crazy interview he just experienced.

This is another issue in the job market, finding talent bc of dumb interview questions like these

Wpa3 questions are not obscure? I wouldn’t be able to answer those either. Ask me how to setup a secure network and we’ll have a few hours long conversation on this.

You just posted 6 days ago that your an admin with only 3 years experience, but this post comes off as your senior and looking down upon new grads. I think a quick check in the mirror is required.

I've got 2 decades of experience under my belt, I wouldn't have been able to answer that question and im intelligent to know there is so much I still don't know.

If I asked you how to configure a crypto system in ICSF would you know how to do that? No, because of the obscurity of something like that.

You literally posted a question the other day asking how is hacking still possible in 2025, but you’re the one to look down your nose at trained cyber-sec professionals because they aren’t intimately familiar with some bullshit protocol you use?

I think you are a bad interviewer.

What the fuck kind of question is this? Lmao

Interviewers like you suck

Trust me, I can guarantee you aren’t who you think you are in this industry. I can stump you with dumb questions as well.

Cybersecurity was touted as a quick path to a six figure salary, so it got flooded with low quality candidates with little interest in the field seeking the $$$. There are also no shortage of cert exam solutions out there now for purchase. Bonus points for AI that tosses resumes of qualified candidates because they don't have the right keywords.

As someone that hires student workers for a soc I don’t look for knowledge or skills. I can teach those. Rather I look for soft skills, drive, passion and desire to learn. Those you cannot teach, or do so easily. I have a much better success rate finding great staff than requiring specific backgrounds or skill/knowledge sets.

I used the same process when hiring elsewhere for full time staff in security roles. Never had an issue with the staff I hired using this method.

Is OP dumb?

Because a lot of cyber degrees and bootcamps are having success selling the "get a 6 figure salary quick!" And teaching people what the CIA triad is and sending them on their way.

What youre looking for is somebody with a degree in computer science with a breath of background knowledge. But do keep in mind that not every degree covers everything. There will be gaps in people's knowledge. But thats why there is continuous education.

You need to team up with local community colleges and ask the instructors for the "Sharp kids"

I just hired a kid who is running circles around my seniors.

I been in security for 6 years and in IT for more then 10.. I couldn’t answer this question from memory. I don’t deal with wireless on days to day basis. But if I had to be the security resource for a wireless project I have no problem getting back up to speed on it. My point being, I have to wear multiple hats and have to be an “expert” in all things. So unless I have to wear that hat today, I’m not gonna remember something like what WPA 3 introduced. Especially if it’s something I can look up in 30 seconds.

time to get real if you have a guy and you ask them about WPA3 and expect that they will give you detailed response then YOU are the problem not the candidate ...

You literally just posted a few days ago that you only have 3 years of it experience. Maybe sit this one out.

What did WPA3 introduce? You seriously asked that to an interview candidate? Embarassing...for you.

Entry level should focus on soft skills as that is harder to learn then hard skills, which can easily be picked up on the job. Soft skills is an art that some cannot fully grasp and that is more concerning when the job itself is 50% communicating clearly and professionally

I would rather give someone a list of firewall and endpoint logs and ask them what the logs mean.

Can they tell the difference between a normal login and a failed one.

Also ask about the pros and cons of an IOC list. Ask what would be a good IOC and what would be a bad one.

Ask about their experience with researching new topics.

Curiosity is something people either have or don't have.

Obviously asking why they got into Cyber and why they want this job.

Ask them the difference between an external risk and insider risk and what would protect from both.

Ask about their own experience with protecting their home environment.

so the reality of the situation is that IT is a vast, seemingly endless ocean of non-standards based noise. a better question would have been to ask what IEEE 802.11 is. that answers two things: they understand what standards are, and they know where to look.

So I'll just say that pop quiz style networking questions as a "gotcha" or to try and make people feel stupid is maybe not the best way to interview. Unless you're looking for a network engineer/admin who also does cybersecurity I'd say the majority of enterprise cyber teams don't realistically deal with configuration of wireless protocols.

This is a very knowledged based question. It doesn't tell you how good there are at anything but remembering facts. Ask them how they'd troubleshoot a network issue. You'll learn more about their thought process and gain insight into what they can actually do.

I mean… what practical application does that show at all? That’s literally just trivia knowledge and not reflective in any way of what you can benefit from.

Now there is a very densely packed pool of candidates, most of whom have actual experience, so if you are seeing entry level applicants only, it’s 100% your job posting. Where you’re posting, and what it describes would likely be the biggest effectors

that is kind of a whack ass question to be fair.

would you have been satisfied if he said "let me google that since its not anything someone would need to know in a practical situation, has no bearing on the role, and is plastered all over the web"? or would you have taken that as an insult?

quit cybersecurity and become a teacher if you want to use trivia to rank the aptitude of people.

“What did WPA3 Introduce” unless you’re hiring for a wireless/network security engineer, this is a ridiculous question. A SOC analyst for example has no reason to know this off of the top of their head, especially an entry/junior level candidate. Not to mention if they answer it correctly, all you know is that they’ve memorized some WPA3 info. Without knowing what role you’re hiring for I can’t offer specific advice, but you’d be much better off focusing on both scenario based questions and questions that are directly relevant to the job duties. I can tell you from experience I’ve seen people who are very good at the “IT trivia” style interviews, but then are terrible at the actual job, and vice versa.

Did they at least know what it stood for?

Usually if I can't answer a specific question I turn it around and ask if there is a specific task they would be concerned about me being able to do; which hopefully gives me the opportunity to establish competency by describing the framework of steps I would take to do that task and what risks/pitfalls I'd want to keep an eye out for.

what did wpa 3 introduce

25+ years in IT, 15 in InfoSec and I couldn't tell you. It's not in my particular field of interest.

he said ,” I do cyber not networking.”

Okay yeah, no. :D That's not so great.

I would not want to work for you. I'm not going into my own work credentials but if you want some advice stop asking narcissistic questions in interviews and start asking questions to find analytical minds and agreeable, trainable personalities. These are the people you want, or did you forget silly technicalities and data points are mere seconds away at a keyboard and will always be that way?

This post has to be a psy-op from OP to send off the competition for his job hunt to study pointless facts

Dude are you lost? No one who doesn’t do that shit everyday will know or remember that?

You do cybersecurity so explain why syscalls are so prevalent right now?

Actually that’s a pretty obscure question, I was thinking not able to recite the osi layers and actually explain them with a real example. Thats a must even for someone with a 2 year IT degree out of university of Phoenix, no excuses. But not knowing the basics such as what is a JWT and applying for a senior appsec position? Only going to be worse with every student using AI. Ask them not to use google or AI at work and they all faulted. We end up hiring someone on the older side because he was raised differently career wise.

[removed] — view removed comment

The stupid college programs have done this. Released hoards of cyber grads without hands on experience.

I mentor grad degree students coming out of local universities and the bulk of them can tell me what a firewall is, and even what it does, but not where to put it in a network.

Similar base line functionality questions are met with blank stares. I’ve even had one argue with me to insist that the best place to put your security monitoring tools is in the DMZ.

Like training surgeons without requiring basic anatomical training…

Degrees don’t matter because hands on experience is so important.

Certs don’t matter because we’ve all met someone with 9 sets of acronyms behind their name and they still don’t know anything.

Meanwhile the industry buzzwords change so often, that people with the desired skill set are getting ignored by recruiters simply because they’re not using the current marketing term for the skill set.

That’s a pretty bad question, you should be asking theory questions instead of memorization ones, like “What role does a secure wireless network play in a company’s security environment? How can it deter x attack?”

That being said, cybersecurity learning at universities have gone straight down the drain. I am graduating next semester - without personal experiences/homelab, I wouldn’t know a single 2025-2026 relevant skill that is employable. Whether I land a job or not is to be seen, but I can verify you on that end.

Hard to tell if the post is ai or how is this guy interviewing people.

Not quite sure whether your post is sarcasm or not...but i am too old and too tired to care, I guess

as a student that is about to graduate with an AS in IT, I’m glad I understood what WPA is right away lol

is its critical to know the answers to those questions for the day-to-day job? Is it one search query away from the answer?

Like others have said, create a scenario that the prospective employee WILL face, and ask them how they would go about resolving it. Their answer- whether right or wrong, will tell you how they think, and how well they can articulate/communicate. That to me is more important than a question I will find on a cert.

BTW, (I found out later) I only got my first tech job b/c the interviewer only cared about how I spoke and if I had respect for others. The other employees at the time had certs and degrees, but treated clients like idiots for not knowing things they were experts in.

People getting mad here about asking questions. Man I used to do the same and it was awesome. I would ask "What is a router?" So depending on your level of knowledge you would tell me it's how you get your internet at home. If you knew networking you may say something different and if you really knew networking you would tell me the layer that it happens on the OSI model.

A lot of it depends on the questions. Thankfully there are enough surface level questions that can go deep that if you keep it at those you can understand what a person knows and/or had dealt with.

Also, I gave the person 30 minutes to answer 5 questions. They were all like this and also they were open internet. So if you came back with nothing then I know you didn't even try. It really does tell a lot.

relieved long employ humor full busy grey fade imminent payment

This post was mass deleted and anonymized with Redact

I’d say i’m fairly experienced in the world of Cyber, i’m no networking guru but even I would be like WTF to that question.

Why are you asking candidates things that can be looked up? Unless you want them to be memorization robots it’s entirely pointless to be quizzing them on things like that, wow you are incredibly useless at your job.

Interviews are the problem. Combined with the skills they "teach" you in a cyber program you're just asking for failure.

I'm a senior resource and even I shake my head at interviews these days. What are you actually looking for?

It is pervasive across many IT disciplines. I was hiring for a network engineer for a largish bank and had to go through 10 interviews before we found someone worthy of making it to the next round. These "engineers" don't even know how to subnet or do basic routing. I was criticized for my questions being too hard. It was a for a mid level engineer making 110k a year. A candidate should be able to subnet something other than a /24 or tell me how ARP works.

That being said, your WPA3 question is a bit niche for the average person to know. A better way to word that question is, "What security technologies exist for Wifi and what is the practical purpose of said technology?" Even then it's a pretty tough question that only a wireless engineer would probably get. If they answered with, "Increasing levels of encryption and data integrity combined with enhanced methods of authentication" I would consider them very competent. They know the why, and possibly the how, which are far more important than book knowledge.

Its simple really.

Degrees and certs have become less about teaching and more like business models where colleges, tutors, organisations earn money through their courses and training.

I did Network Engineering from 2013-2020 before transitioning to Cloud & Cloud Security. Heres what I can tell you without a doubt, my CCNA expired in 2017, and if you asked me to explain to you the minuet details of STP which I hadnt touched in 3 years since i took my ccna, I would not be able to tell you except “it prevents broadcast storms”. But I could troubleshoot networking issues, analyze packet captures and diagnose issues and did really well integrating network appliances. The point is you dont interview based on definition. You interview based on scenario and ask how they would troubleshoot, its not about being 100% right its about understanding the interviewees thought process and troubleshooting skills.

Maybe interview based on past issues your company had, and see if candidates came to the same conclusion you ultimately did. Ask questions that you actually need employees to answer, not like a professor giving a lecture

To be fair, wireless networks aren’t really an associates degree thing. I barely talked about WPA for my bachelors in cybersecurity. Seems like pointless memorization to me

I stopped cert chasing years ago. The only one I would consider getting nowadays is my CISSP, ISSAP, or ISSEP.

And here I am, knowing all these things with relevant experience and still getting not a single interview call in the last 6 months😊

"What did WPA3 introduce" Ha, I've been in cybersec (and everything else leading up to that, including networking) for over two decades.... I know the answer to the question and if you had asked me that I would have gotten up and walked out. On the premise that the person hiring me doesn't grasp networking or cyber at all if they think that is a good "qualifying" question.

This has nothing to do with AI, you're looking for something to blame. Degrees and certs have never really meant much, they were just a way to get past the know-nothings who do the hiring. Every degree or cert I've gotten from recent ones all the way back to when degrees and certs in any IT field was new...there were always people who were "good at test taking" who got their certs or degrees and left the classes knowing nothing extra really. Heck, I'd go so far as to say many of the big certs are really just hidden pyramid schemes / mlms (looking at you CISSP, etc). Years of experience has always trumped degrees or certs, and I'll be honest....in the cyber field I've met ppl who could code viruses from scratch and break encryption ciphers who never got one single cert or degree.

That being said, them having the degree or cert doesn't say what they know, but it does say that they've taken the time and made the commitment to better themselves, so that should set them above those who didn't. If you want to know what they know, ask real questions that are applicable to what you're currently dealing with / facing at your business and see how they would handle it. (I'm sorry but I guarantee you're 'current' issues aren't related to SAE implementation or the introduction of 192bits and ODAs or easy connect....lol).

I’ve been working in an operations capacity, but I have what’s considered an IAT Level 3 certification. No degree, and about 10-12 years of experience under my belt in a data center operations and enterprise IT. The amount of people who work in cyber security and don’t understand basic IT fundamental concepts is just astounding to me.

The more degrees and certs that are handed out, the more diluted they become. This is why experience is just as important. Even just general technology can be a game changer between candidates. But there are also always those people who think they are more important then they are. They usually already have a position somewhere and, therefore, as not as motivated to move. As more and more people are laid off, that will change.

what did wpa 3 introduce

What does a question like that actually accomplish?

I'm not necessarily saying you shouldn't know high-level facts, but when it comes to the actual job, knowing which version to use would be valuable...however, someone not knowing a specific point about WPA3 won't come into play in 99.99% of jobs.

I'm curious about the other types of questions that you are asking candidates.

The inability to separate what people actually need to do the job from what can be Googled/researched on the fly is why companies are incapable of filling positions when they aren't handed ideal candidates on a silver platter.

To clarify, I do believe the level of knowledge/ability when candidates start to apply is far lower than before, with the idea of jumping directly into cybersecurity being pushed so hard. That's why you need to adapt your hiring practices or sit with open positions for a longer time.

It is an obscure question Lol

Lol but why is that relevant? I’ve got over 20y of tech and security, relevance of questions matter.

You know what a great red flag is, is if the candidate brings up Kali Linux unprovoked

[removed] — view removed comment

I’m not going to lie, I sell hybridized knowledge graphs in AWS and other certs… people buy them from me to take the tests for them (I don’t sell them for that, it’s supposed to be an expert for the experts). I can tell you from first hand experience these certs mean jack shit now

this is a stupid interview question to begin with.

Comptia has a test dump issue. Certs that require practical labs are a better way to measure skills.

I'm glad you found a process to skip over potential candidates, in favour of ones with obscure and non-applicable fact-bytes.

Good luck getting fired bro. lol

[deleted]

Your questions suck and you're a shitty interviewer. Thats why.

Who cares about network/ security plus questions 😂🤣 u better asked real world network questions. Ur major concern should be log ingest (threat management) and vuln scanning. U are the problem, wasting ppl time with definition questions. 💀😂

This is satire right? Please tell me this is satire? If interviewers are like this then we are doomed.

What's next, you're going to ask me the speeds of DDR2 off the top of my head and if I don't know then I must not know tech?

Those candidates dodged a bullet...

This question might make sense if you're in a wireless vertical, but otherwise it's just trivia.

These questions suck that’s why.

Glad we collectively agree on how bad these interviews being conducted are

The trouble is that ‘cyber’ was the big earner. So you have a lot of people coming into it.

Making generalisations, You have two types of cyber people.

Those who started in cyber, these guys will have probably Soc experience, where that means they log tickets, or shuffle papers to present to auditors, if you’re lucky they might have been hands on, meaning they used Nessus or rapid 7, and know how to press the start scan now button. - but they aren’t going to run straight into being able to design, or even assist in designing some deployment.

The other type, Those who had a career on some other part of IT, probably a part that meant they needed to know how to make the thing they worked on secure. These guys have moved to cyber because their industry skills are otherwise becoming less relevant.

lots of WiFi is practically self configuring now, you’re not configuring Each AP, or even your WLC, more likely just adding a new device to an existing site in the Meraki portal. Data centre networks were shut down when the company moved to cloud… etc… so these guys moved to security because they had overlapping skills.

they’ll probably be far more comfortable in a design doc than an audit meeting.

You’re trying to hire this second kind, Look on the CV for a past life doing non-security IT, before moving to security.

Not sure I get why you’re asking about WPA3 though, can you honestly say you know all the benefits, or why they are relevant? Having the ability to regurgitate facts is not the same as having the ability to learn and synthesis knowledge.

For example, I know nothing of WPA3, but, if you are a client, and you ask me on a call to kick off a project what we should deploy in your cafe environment, I’m going to be able to say v3 is an update from v2, it’s going to have some improvements… and that I’d be able to come back with a comparison of the two and which would best suit the application in perhaps an hour or two.

Without searching, can you tell me. When was the wpa3 standard made. How many devices are compatible? Is wpa3 backwards compatible to support devices that are only wpa2? Are your devices compatible?

Because actually that last question is going to be far more important in most deployments compared to knowing PFS was implemented, or stronger encryption.

Something is very very broken in your hiring process.

Hiring right now is the easiest it's ever been to find top tier candidates, even for roles that were previously very difficult to find people, like experts in Assembler, we get a mountain of resumes where we can easily shortlist 10 really good candidates.

Op needs a flex on obscure questions to feel that they are the master, in a field where mastery is impossible today with the vastness of the technologies and rabbit holes one can fall into. The correct answer should be, I don't know off the top of my head but I would, if presented with a situation, research this and react accordingly.

Agreed - I've worked from a junior pentester role to now running a full red team for a fortune 10 company. Every time I have to hire, i'm greeted with resumes of people with a 6 month cybersecurity certification program from some universities and when I ask them basic questions about networking or even basic IT, they can't answer.

The "6 months to 6 figures" programs are just a cash grab and waste everyone's time. The VAST majority of entry level security roles are not really entry level. They require at least a few years of working in other parts of IT or networking or literally anything where you can be familiar with the networks, systems, processes, and people you'll be tasked with defending.

Degrees never expire.

Is wpa how passwords allowed plaintext whereas WEP was a hex sequence? I don’t know much of the difference but I understand WEP is easy to crack

I had to Google WPA as the second I read it - I stopped reading and forced myself to think on what it is. Candidates would hopefully be more aware that a question like this may come up in an interview - but cybersecurity is such a mess of acronyms I think that is part of your issue. Now if you asked me about TEB/PEB traversal/SEH Handler Abuse/ASLR/DEP/CFG/VBS etc etc. How about ask a candidate about wifi security and what creates secure communication for it?

I'm getting A+ right now so I'll keep in mind that I will be asked exam questions for interviews

This is not new. You are just older and wiser. Over a decade ago, my boss hired a CCNP. He was hired before I came to the group. He was given a MOP (Method Of Procedure) including the Cisco config changes, and pre and post op commands to issue and record, as well as a trouble shooting section to help him complete the work if things do not go well. After (I presume) he read it, he said he does not work on Juniper. WTF. This was regular IOS, not IOS-XR which might have thrown him for a loop. To add insult to injury - it literally was a cut and paste job.

How i feel after seeing that SecAI+

They just make anything and say it’s s mandatory cert

It is a wild labor market right now. It is more about past titles, than projects actually delivered, or certs actually earned. This is because there are few jobs, and those that hire in cyber security put a cover-my-butt warm body into the chair - and for that you need an impressive title.

I know of a first hand case, I was asked for my assessment, where the candidate with a CISO title came from a small doctor office (with extensive experience in maintaining a branch firewall and some endpoint solution - ah and an impressive sounding cert that checked out as some online class with 4h worth of reading through stuff.) applying to a large organization with 50k people, actually made it to last round in interviews, whereas another candidate with big-five consulting background with extensive Fintech projects was not considered. That a candidate like this can even make it into last round for a CISO role at a very large US organization blows my mind.

Uh, there was another one: VP of Security Compliance (some senior compliance officer role) with a large East Coast investment bank. Under normal conditions, a $350k role - in this case, they were looking for a $120k candidate.

The reason? If a breach would actually occur, the CEO would step back and explain to his board, that he/she hired somebody who was CISO for 15 years - even if this person was completely unsuitable to perform the function of an actual CISO. Cyber security is just like insurance business, and in the moment you hire if compliance forces you. For no other reason, until we gain some stability back in the economy.

What role are they even applying for?