The Single Best Risk Assessment Interview Question

There is one question that I ask in every risk assessment interview that time and time again has yielded the best results.

It is a question that goes to the heart of understanding how the business works, not just how the IT department operates.

It is a question that IT and Security Pros get to use on a regular basis as a part of business-as-usual conversations with employees across the business.

But this question should not be asked as a conversation starter. I use trust and rapport building to prep the interviewee for this question.

Because if you don’t, you’ll get the unhelpful answer, “No.”

If I have done my job well and the interviewee feels safe talking to me and doesn’t think I’m out to get them, they will open up in ways that surprise even the IT and Security Managers in the room.

The single best question I use to identify risks during a risk assessment is always my closing question.

“Are there any security risks we haven’t yet discussed that you think I should be aware of as a part of this assessment?”

I get very interesting answers.

“Although the in-store credit application is now online, we still receive quite a few submissions via fax. We’re trying to phase this out, but we have a file cabinet full of older credit applications that we are not sure what to do with.” Meanwhile, the Security Manager looks at me with a glint in her eye that says, “This is the first I’ve heard about this.”

Or…

“When I’m visiting a patient at their home, I like to keep my notes on a notepad as I’m working and then transfer them to the computer later in the afternoon or evening when my home visits are done.” That is when I ask, “Where do you store these notes, and do you ever dispose of them?”

The organization needs to have these conversations to become aware of these issues, and as an IT or Security Pro, you get to lead them.

Building trust and rapport is crucial, and it is why this question doesn’t work well in a questionnaire.

Want to learn more about how to extract the truth about risk at your organization and build a risk-focused security program?

I’m holding a webinar March 26th, 27th, and April 2nd where I will dive into how to build that trust and rapport during an interview, as well as the step-by-step process by which I perform risk assessments.

I believe the Next Generation of IT and Security Professionals will know how to assess risk. Whether assessing risk on a small scale for a new IT acquisition, or on an organization-wide scale — evaluating risk and communicating options to leadership in terms of risk will distinguish the Next Generation of IT and Security leaders.

I’ve performed over a hundred risk assessments over the past 15 years and have boiled down exactly what I do into a step-by-step process.

Register for my free webinar to learn this step-by-step process.

To Your Success,
Geoff

About the Author

Geoff Wilson is CEO and Founder of Go Security Pro and is an innovative cybersecurity thought leader with deep experience in defensive cybersecurity strategies. Having trained at the National Security Agency, Geoff brings 20 years of cybersecurity experience to your organization.

Geoff has a Master’s of Information Security from Carnegie Mellon University and a Bachelor’s of Computer Science from the University of Oklahoma. He taught a graduate-level Information Security course at the University of Oklahoma for four years. Geoff is a published author, has worked for the National Security Agency, was a federal cybersecurity auditor, and has consulted with the Executive Office of the President.

Geoff is a business leader having founded Go Security Pro in early 2019 with his wife and co-founder Susan Wilson. Geoff regularly speaks at conferences, presents to executive leadership and boards, and can get in the technical weeds with IT professionals.

Geoff treats every engagement as a knowledge transfer opportunity and every client with the utmost care. He is ready to assist you with your cybersecurity challenges.