PwC's Cyber, Risk & Resilience practice runs a case-heavy interview loop with strong emphasis on regulatory craft (DORA, NIS2, GDPR) and client storytelling.
A FTSE 100 insurer asks you to lead their DORA programme. Walk me through the first 90 days.
Day 1-30: discovery (legal entity mapping, register of ICT 3rd parties, current incident playbook). Day 30-60: gap analysis vs RTS, prioritisation, governance design. Day 60-90: mobilise workstreams, baseline TLPT scope, board update.
How would you design a privacy programme for a generative-AI product?
Lawful basis review per processing activity, DPIA, training-data lineage + opt-out, output filtering, retention + deletion, vendor DPA review, EU AI Act conformity mapping, transparency notices.
You discover a client has under-reported a breach to the regulator. What do you do?
Pause + document, escalate to engagement partner and Risk Management, refuse to sign off advice that perpetuates the under-reporting, advise client of obligations, withdraw if not remediated. Independence is non-negotiable.
Pitch our OT cyber offering to a UK utility CISO.
Lead with NIS2 / OFGEM driver, then offering (Purdue assessment, IDS deployment, IR playbook, board reporting), then differentiation (regulated industries practice, cleared consultants), then commercial.
Tell me about your most complex stakeholder situation.
STAR with a regulator, board or coalition stakeholder. Show influence, ethics, and a measurable outcome.
Yes — usually narrower (cyber-specific) but with deep regulatory texture. Less about market sizing, more about programme design.
No. PwC actively hires from industry CISO orgs, government and military.
Two partners, 60-75m. Expect 30m case + 30m behavioural + Q&A. Partners take it seriously — prep specific questions for them.
Premium members get the full round structure, signals, and AI-graded practice.