Somewhere in the middle of most CISO loops, the format changes. The behavioral questions stop, someone slides a scenario across the table, and the interview becomes a simulation. In loops I’m running right now, as a security executive at a large technology company interviewing for CISO seats, this session has been the single biggest differentiator between candidates who advance and candidates who get a polite email. It is also the session almost nobody prepares for correctly, because most people prepare content when the exercise is scoring behavior.
This guide covers the three scenarios that dominate these sessions, the failure modes that kill otherwise strong candidates, and the mechanics of actually running the room. It pairs with the broader CISO interview guide and the question bank; read those for the rest of the loop, and read this before any session labeled “case study,” “working session,” or “scenario discussion.”
Why Companies Put You in a Simulation
Here is the honest reason tabletop interviews exist: a company cannot reference-check your judgment under pressure. Your references will confirm you built a program, hired well, and got along with legal. None of them were in the room at 2am when you decided whether to pull the plug on production, and even if they were, they will not give a hiring committee the unvarnished version. So the company does the only thing it can do. It manufactures the pressure and watches you directly.
That framing tells you what is being scored, and it is not encyclopedic knowledge of ransomware variants. Panels are scoring four things:
- Prioritization. Given ten urgent things and capacity for three, which three, and can you say why in one sentence each.
- Communication up versus down. Whether you instinctively speak differently to the engineer, the CEO, and the board, and whether you know which of those three you are talking to at any given moment. If this muscle is weak, the board presentation guide is where to build it.
- Comfort with incomplete information. Whether ambiguity makes you decisive or makes you stall for more data that will never arrive.
- The decide-versus-escalate line. Which calls you make on your own authority and which you bring to the CEO, general counsel, or board, and whether you can articulate that boundary before you are asked.
Every scenario below is a delivery vehicle for those four measurements. Keep them in view and the specific plot details matter much less.
One insider note before the scenarios: the case you get is very often not hypothetical. Panels reuse their own history. If the scenario includes oddly specific details (a particular SaaS vendor category, a weirdly precise timeline, a named-but-anonymized “engineering leader who resists MFA”), you are probably being walked through a sanitized version of something that actually happened to them. Treat those details as load-bearing. They were included because they mattered last time.
Scenario One: The 2am Ransomware Call
The prompt is some variant of: “It’s 2am. Ransomware has encrypted roughly 30% of your endpoints and it’s spreading. Walk us through your first 24 hours.”
The failure mode
The most common failure is the candidate who answers as a senior engineer instead of an executive. They go straight to containment tooling: isolate via EDR, block the hash, pull network segments, check backups. All correct, all things their incident commander should be doing, and all evidence to the panel that they are interviewing for the wrong job. When a Director answers with tooling, the panel concludes they have found a very good Director.
The second failure is the opposite: pure process recitation. “I would activate our IR plan per the runbook” repeated in different words for ten minutes. No decisions, no tradeoffs, no evidence you have ever been in the seat.
The strong arc
The strong candidate spends the first ninety seconds establishing command structure, not containment:
- Incident command. Name an incident commander who is not you, and say why: your job in hour one is decisions and communication, not keyboard work. This single move separates operators from executives faster than anything else in the loop.
- Privilege. Get legal counsel engaged immediately so the investigation proceeds under attorney-client privilege. Candidates who mention privilege before they mention forensics get a visible nod from whichever lawyer is on the panel. Related insider detail: if the company carries cyber insurance, the carrier’s approved-vendor panel constrains which forensics firm you can call, and mentioning that constraint signals you have lived through a real claim rather than read about one.
- The disclosure clock. Say out loud that regulatory and contractual notification clocks may already be running (SEC materiality assessment if public, customer contractual SLAs, state and international breach statutes) and that you need a decision log from minute zero because everything will be reconstructed later.
- Communication cadence. Set it explicitly: updates to the executive team every two hours, first CEO conversation within the hour, and a rule that nobody freelances external statements. Then, and only then, talk containment, at the altitude of “isolate, preserve evidence, assess backup integrity, establish blast radius” with your IC executing.
Then decide something. The panel will inject a decision point: “the attacker demands payment,” “a journalist emails your comms team,” “the CEO wants to keep the largest customer’s environment online.” These injections are the real exam. Panels routinely score the mid-scenario injection more heavily than your opening, because absorbing a curveball without losing structure is the thing they cannot get from references. When the injection lands, do not defend your existing plan. Update it, say what changed and why, and keep moving.
On ransom payment specifically: the strong answer is a framework, not a position. Payment is a business decision made with the CEO, counsel, and the carrier; your job is to bring them recovery-time estimates with and without the key, sanctions exposure, and a recommendation. “I would never pay” and “I would pay” both fail. “Here is who makes that call and what I put in front of them” passes.
Scenario Two: The 20% Budget Cut
The prompt: “The company just missed its number. Your security budget is being cut 20%. What goes?”
What is really being tested
This scenario tests whether you cut by risk or by politics, and whether you can behave like a member of the executive team rather than a department defending its territory. There is frequently a finance leader in the room for exactly this session, and they are listening for one thing: whether you talk in risk and dollars or in tool names. A candidate who says “we’d have to lose the CSPM and maybe consolidate the SIEM” has already failed with that person, even if the cuts are sensible, because the vocabulary is wrong for the audience.
The failure modes
The first failure is defending everything: “honestly, we’re already underfunded, a cut would be irresponsible.” Every panel has heard this from their current security team. It reads as either naivety about how companies work or as a preview of a difficult executive peer. The second failure is the eager amputator who instantly volunteers cuts without consequences attached, which reads as someone who was padding the budget all along.
The strong arc
The strong move is to put real options with real consequences on the table and make the tradeoff a shared executive decision:
- Restate the goal. The company needs the money; your job is to find the 20% that buys back the least risk, not to relitigate the cut.
- Show your cut logic. People, programs, and tooling get evaluated differently. Tooling consolidation and vendor renegotiation come first because they are reversible. Program deferrals come second with an explicit “this pushes X risk into next year” attached. Headcount comes last, and if it must come, you name what stops being done rather than pretending the same coverage continues with fewer people.
- Attach consequences in business language. “Option A saves this much and extends our detection gap for cloud workloads; Option B saves the same and slows customer security reviews, which touches sales cycle.” Then: “Here’s my recommendation, and here’s the residual risk I’d ask the executive team to explicitly accept.”
That last clause (asking the business to formally accept the risk your cut creates) is the senior move. It shows you understand that risk acceptance is the company’s decision and your job is to price it. Candidates who also mention protecting one or two asymmetric line items (“I will fight for the IR retainer, because it is cheap and its absence is catastrophic”) demonstrate they know the difference between spend and leverage. This is also, incidentally, the same muscle you will use in compensation negotiation: options, consequences, and a clear recommendation beat defensiveness in both rooms.
Scenario Three: The Acquisition Next Month
The prompt: “We’re acquiring a 300-person company. Deal closes next month. What do you do?”
The failure modes
The classic failure is the audit fantasy: a candidate describes a comprehensive assessment (full pen test, architecture review, complete vendor inventory) that would take a quarter, for a deal closing in four weeks. It signals they have never been inside a real deal, where diligence access is negotiated, time-boxed, and often limited to documentation, questionnaires, and a data room. The mirror-image failure is the candidate who treats it as purely post-close integration and skips diligence entirely, missing that their real job pre-close is informing the deal itself.
The strong arc
Split the answer at the close date, explicitly.
Pre-close, with realistic access. Say what you can actually learn in two weeks: external attack surface scanning (no permission needed), breach history and disclosure record, their security questionnaire responses read for what is absent rather than what is present, key-person risk on their security team, compliance attestations and, as an insider detail, the scoping of those attestations, because a clean report that covers one product and excludes the acquired crown jewels is a red flag generic diligence misses. Your pre-close output is not a remediation plan; it is input to the deal team: material risks that affect price or terms, anything that belongs in reps and warranties, and an honest “here is what we could not assess.” Candidates who mention that a discovered incident pre-close can trigger renegotiation or escrow show they understand why the deal team is asking.
Post-close, sequenced. Day-one priorities are identity and access boundaries (you do not flat-connect the networks, you decide what federates and when), plus getting their environment into your visibility, and a decision on which of your policies apply immediately versus after a grace period. The panel wants sequencing logic, not a wishlist. A useful line: “The first thirty days are about visibility and containment of unknowns, not remediation.” If a transition services agreement leaves the target running on the seller’s IT for six months, say how that changes your plan; most candidates have never heard the acronym, and the corp dev person in the room definitely has.
Running the Room
Content gets you to par. Mechanics are how you beat the field, because the panel is imagining you in front of their board and their engineers.
Think aloud, in structure. Silent thinking reads as freezing; unstructured rambling reads as chaos. Narrate your organization: “Three tracks here: technical containment, legal and regulatory, and communication. Let me take them in that order.” You are demonstrating what your incident bridge sounds like.
Use the whiteboard. If there is a whiteboard or a shared doc, use it inside the first five minutes without asking permission beyond “mind if I use this?” Physically standing up and structuring the problem changes the room’s perception of who is running the session. Panels talk about this afterward; “they got up and took the marker” appears in debrief notes as a proxy for executive presence.
Timebox yourself. Announce it: “I’ll spend two minutes framing, then go deep wherever you want.” These sessions are usually scheduled for forty-five minutes, but the panel’s impression is largely fixed in the first ten. A self-imposed timebox shows you respect other people’s time under pressure, the exact quality boards want during a real incident.
Ask two or three clarifying questions. Not ten. Good ones change your answer: “Are we public?” (disclosure obligations), “Do we have a deadline from the attacker?” (decision tempo), “What does the company sell?” (what availability is worth). Ten questions is stalling dressed as diligence.
Name assumptions and proceed. “I’ll assume we’re a public SaaS company with a security team of fifteen; flag me if that’s wrong.” This is the practiced move for incomplete information: convert unknowns into stated assumptions and keep moving.
Give the panel decision points. The strongest candidates hand the panel choices the way they would hand an executive team choices: “There’s a fork here: we can prioritize forensic completeness or speed of recovery. I’d choose recovery for this business, but here’s the cost.” You are demonstrating the exact skill the job requires, live.
The Tabletop Is Also Your Window Into Them
Everything in the room is data flowing both directions. The scenario a company chooses is rarely random: it is usually the thing they are afraid of. A budget-cut scenario often means a cut is coming or recently happened. An M&A scenario means the corp dev pipeline is active. A ransomware scenario with suspiciously specific details means the wound is real and possibly recent.
Watch the panel’s reactions as closely as they watch yours. If the CFO flinches when you mention the cost of an IR retainer, you have learned something about how funding conversations will go. If nobody in the room can answer your clarifying question about where crown-jewel data lives, you have learned the current program’s maturity regardless of what the job description claimed. If the general counsel dominates the breach scenario, expect a reporting structure and a culture where legal drives incident response.
Ask one deliberate probe near the end: “Is this scenario close to something you’ve dealt with?” The answer (and the glances exchanged before the answer) will tell you more about the actual job than the entire rest of the loop. First-time candidates especially should weigh this signal seriously; the first-time CISO guide covers why walking into a still-smoking crater with no executive air cover is the most common way a first CISO tenure ends early.
Preparing Without Over-Rehearsing
You cannot script these sessions, and an over-rehearsed candidate is easy to spot because they answer the scenario they prepared instead of the one they were given. What you can do:
- Drill the openings. The first ninety seconds of each of the three scenarios above can be genuinely practiced: command structure for the breach, cut logic for the budget, the pre-close/post-close split for M&A. Rehearse the frame, improvise the content.
- Run one real tabletop before the loop. If your current role allows it, facilitate an internal exercise in the next month. Nothing prepares you like having been the person injecting curveballs; you will recognize every panel move because you have made them yourself.
- Prepare your assumptions kit. Know in advance the two or three questions you would ask in each scenario and the default assumptions you will state if the panel declines to answer.
- Connect it to your onboarding story. Panels increasingly end scenarios with “so if we hire you, what happens in your first quarter?” Your scenario answer and your 90-day plan should sound like the same person wrote them, and the interactive 90-day plan builder is the fastest way to get that story tight.
- Study worked examples. Full walkthroughs of all three scenarios (with sample injections and scored strong-versus-weak responses) are in the templates pack, and reading a complete arc once is worth more than ten generic articles.
The candidates who win these sessions are not the ones with the deepest technical answers. They are the ones who make the panel feel, for forty-five minutes, what it would be like to have them in the seat when something is actually on fire. Structure, calm, explicit tradeoffs, and a visible line between what you decide and what you escalate. That is the whole exam. Run the room accordingly.