Big-4 Consulting · Cyber Risk · GRC

Deloitte Cybersecurity Interview Pack

Cyber Risk Services interviews assess advisory presence, framework fluency (NIST CSF, ISO 27001, DORA) and client-facing maturity. Practice translating technical risk into board language.

// hiring focus
- Cyber Risk Services (CRS) — Strategy, Risk & Compliance - Detect & Respond — SOC, IR, threat hunting - Application Security & Cloud Risk - Identity & Access Management - Quantitative Risk + Cyber Insurance
Deloitte's cyber practice is the largest of the Big 4 and is structured around four service lines: Strategy / Risk / Compliance, Detect & Respond, Identity, and Application + Cloud. Interviews are competency-based using Deloitte's leadership shapes (Inspire, Live our purpose, etc.) and a partner-led final round for senior hires. Expect heavy emphasis on consulting craft — structuring an answer in 30 seconds, building a hypothesis, and articulating 'so-what' to a CFO, not just a CISO. Technical depth is required but is rarely the differentiator above Senior Consultant.
// hiring loop
- Recruiter / talent acquisition screen - Online assessments (Pymetrics + immersive case) - First round: case interview (cyber-flavoured business problem) + competency - Final round: partner panel — usually 2 partners + 1 director, mixing case continuation, presentation, and Q&A - Offer + grade calibration
// interviewer style + signals
Polished, consultative, very 'partner-track'. Expect 'walk me through how you'd assess a FTSE 100 client's third-party risk programme in 6 weeks' style cases. Partners probe for executive presence — calm under pushback, structured under ambiguity, and crisp commercial framing.
// recent themes & hot topics
DORA + NIS2 readiness for financial-services clients, AI risk + EU AI Act assurance offerings, quantification (FAIR), post-MOVEit / Snowflake third-party risk programmes, ransomware recovery retainers, cyber due-diligence in M&A.

Sample interview questions

  1. 01

    Walk me through how you would structure a DORA readiness assessment for a Tier 1 UK bank in 8 weeks.

    Show strong-answer outline

    Frame: scope (which legal entities in-scope), workstreams (ICT risk mgmt, incident reporting, resilience testing, 3rd-party register, info sharing), gap analysis vs current RTS/ITS, prioritised remediation, governance ask. Close with a 1-slide CFO summary.

  2. 02

    A client's CISO disagrees with your maturity rating. How do you handle it?

    Show strong-answer outline

    Acknowledge, separate evidence from interpretation, re-walk the scoring rubric with named artefacts, agree a delta workshop, escalate to the engagement partner only if blocked. Never relitigate in the steerco.

  3. 03

    How would you quantify the financial impact of a ransomware event on a £2B retailer?

    Show strong-answer outline

    Use FAIR: loss event frequency × loss magnitude. Decompose magnitude into productivity loss, response cost, replacement, fines, reputation. Anchor with industry benchmarks (Sophos / Marsh). Show range, not point estimate.

  4. 04

    Sell me Deloitte's MDR service.

    Show strong-answer outline

    Lead with outcome (MTTD, MTTR, analyst leverage), then differentiation (global SOC footprint, sector threat intel, integration with Strategic Risk), then commercial (retainer + outcome-based pricing). End with a customer reference pattern.

  5. 05

    Tell me about a time you influenced a senior leader without authority.

    Show strong-answer outline

    STAR. Pick a story with quantified outcome, a named stakeholder, and a clear influencing tactic (data, narrative, coalition). Avoid stories where you 'just escalated'.

Frequently asked questions

What grade should I target?

Manager and Senior Manager are the highest-volume openings. Director and Partner roles are sponsored hires with longer cycles.

Do I need consulting experience?

No, but you must demonstrate structured thinking. Strong industry hires (ex-CISO, ex-Big-Tech) are common at Manager+.

How important is the case?

Pivotal. A weak case round usually overrides a strong competency round.

Is it UK-only?

No — this pack maps to Deloitte UK (Risk Advisory) but the structure is similar across NSE and the US.

Run the Deloitte loop as a graded mock

Premium members get the full round structure, signals, and AI-graded practice.

Start free