OT Security Analyst

Ryan Mahoney

Why this role is hard

Hiring at this level falls apart when candidates mistake busywork for good judgment. During interviews, ask them to walk through an actual vulnerability scan from last quarter. The right person will explain why they delayed a critical patch to keep a legacy controller running, and they will push back on engineering schedules while clearly laying out the risk. We need operators who can watch for threats but also know when to step back so they do not cause unnecessary outages. Most applicants lean heavily one way, but you should look for the few who balance both.

Core Evaluation

Critical questions for this role

The competency and attitude questions below are where the hiring decision is made. They run in the live interview rounds and are calibrated to the selected experience level (Mid, in the example below).

17 Competency Questions

  1. Discipline: OT Security Architecture & Data Protection
  2. Job requirement: Data Pipeline Security & Encryption. Implements and troubleshoots cryptographic protocols for secure data exchange between field devices and central servers.
  3. Expected at Mid: While not the primary daily focus, mid analysts must independently troubleshoot and implement encryption to secure transit telemetry flows and support compliance requirements.

Interview round: Hiring Manager Technical Deep Dive

Recall a project where you secured data transmissions between remote field sensors and central monitoring servers.

Positive indicators

  • Chooses encryption methods suited to device constraints
  • Implements structured certificate and key management
  • Validates encryption without degrading telemetry performance
  • Documents configurations and maintains troubleshooting records

Negative indicators

  • Forces heavy encryption on constrained legacy devices
  • Neglects certificate rotation or key management planning
  • Ignores latency or performance impacts on telemetry
  • Lacks documentation or change tracking

14 Attitude Questions


Active Listening

The deliberate cognitive and behavioral practice of fully attending to, comprehending, and accurately reflecting the explicit and implicit information shared by cross-functional stakeholders. It involves suspending premature judgment, decoding operational and safety constraints, and systematically integrating diverse perspectives to design adaptive, context-aware security controls and risk mitigation strategies.

Interview round: Recruiter Screen

What steps would you take when an IT security team and a signaling operations supervisor present conflicting requirements for a network segmentation project?

Positive indicators

  • Probes for root causes of conflicting requirements
  • Maps requirements to operational impact and compliance
  • Creates a joint validation process for the design
  • Ensures both parties sign off before implementation

Negative indicators

  • Defers to one side without analysis
  • Imposes a compromise that violates safety or compliance
  • Fails to document the resolution process
  • Escalates immediately without attempting alignment

Supporting Evaluation

How candidates earn the selection conversation

The goal is to reduce effort for everyone by collecting more useful signal before adding more interviews. Lightweight application prompts and structured screens help the panel focus live time on the candidates most likely to succeed.

Stage 1 · Application

Filter at the door

Runs the moment a candidate hits Submit. Disqualifying answers end the application; everything else is captured for review.

Knock-out Questions


Application Screen: Knock-out

Do you currently hold an active, recognized OT/ICS cybersecurity certification (e.g., GICSP, GRID, or equivalent)?

  • Yes: Qualifies
  • No: Auto-decline

Video-Response Questions


Application Screen: Video Response

Describe how you would communicate the immediate need to isolate a compromised transit vehicle communication module from the central fleet network to non-technical operations managers who are concerned about service delays. What specific steps do you take to ensure they understand the urgency without causing panic?

Response time

2 min

Format

Recorded video

Stage 2 · Resume Screening

Read the resume against fixed criteria

Reviewers score every application that clears the door against the same criteria. Stronger reviews advance to live interviews; weaker ones are archived without further screening.

Resume Review Criteria

8 criteria

  • Evidence of tuning intrusion detection rules for vehicle networks, monitoring CAN bus/V2X gateways, and identifying unauthorized diagnostic access or message spoofing.
  • Evidence of verifying cryptographic signatures for OTA firmware pipelines, validating code integrity for vehicle control modules, and coordinating vendor maintenance windows.
  • Evidence of auditing IT-OT network segmentation using protocol analyzers, enforcing least-privilege access, and approving low-risk compensating controls for legacy systems.
  • Evidence of drafting cross-functional incident response playbooks, updating operational runbooks after tabletop exercises, and building automated validation pipelines.
  • Is the resume complete, well-organized, and free from formatting, spelling, and grammar mistakes?
  • Does the cover letter or personal statement convey clear relevance and familiarity with the job?
  • Does the resume show relevant prior work experience?
  • Does the resume indicate required academic credentials, relevant certifications, or necessary training?

Stage 3 · During Interviews

Where the hire is decided

Interview rounds use the competency and attitude questions outlined above, then add tests, work simulations, and presentations that reveal deeper evidence about how the candidate thinks and works.

Presentation Prompt

Walk us through your approach to prioritizing a backlog of newly disclosed vulnerabilities across multiple OT control zones with overlapping maintenance windows. Discuss how you would balance vendor patching requirements against operational uptime constraints and design low-risk compensating controls.

Format

Approach walkthrough · 20 min · ~2 hr prep

Audience

Mid-level security manager and OT operations coordinator

What to prepare

  • A short outline or 3-5 slides detailing your prioritization framework, risk assessment criteria, and example compensating controls
  • Slides are optional; a structured verbal walkthrough is acceptable

Deliverables

  • A 20-minute verbal walkthrough with optional visual aids explaining your prioritization logic, tradeoff analysis, and mitigation strategy

Ground rules

  • Focus on your reasoning process, past methodologies, and decision frameworks
  • You may reference public CVEs or hypothetical vendor constraints
  • Do not share confidential internal vulnerability data or proprietary network maps

Scoring anchors

Exceeds
Integrates threat intelligence with operational realities, designs elegant compensating controls that preserve uptime, and anticipates downstream impacts across overlapping maintenance cycles.
Meets
Applies standard risk frameworks, balances patching schedules with operational windows, proposes viable compensating controls, and communicates tradeoffs clearly.
Below
Ignores operational constraints, relies solely on automated scoring, proposes unrealistic mitigation timelines, or suggests controls that introduce unacceptable latency.

Response time

20 min

Positive indicators

  • Clearly defines risk scoring methodology balancing exploitability, asset criticality, and operational impact
  • Proposes practical compensating controls that maintain system availability during patching delays
  • Actively weighs vendor patching timelines against rigid maintenance windows
  • Demonstrates adaptive problem-solving for legacy protocol constraints

Negative indicators

  • Prioritizes patches purely by automated CVSS score without considering OT operational context
  • Suggests disruptive fixes without operational fallback or failover considerations
  • Fails to account for legacy system limitations or vendor coordination requirements
  • Overlooks the impact of compensating controls on network latency or stability

Work Simulation Scenario

Scenario. A critical vulnerability has been disclosed for the CAN bus gateways used across your transit fleet. The vendor recommends an immediate firmware patch, but applying it requires a 4-hour maintenance window that conflicts with a major city-wide transit event. You must facilitate a tradeoff discussion to decide on the remediation path.

Problem to solve. Lead a cross-functional discussion to balance patch urgency, operational availability, and compensating controls, ultimately deciding on a phased rollout or alternative mitigation strategy.

Format

Cross-functional decision · 35 min · ~2 hr prep

Success criteria

  • Facilitate a structured tradeoff analysis weighing security risk against service disruption.
  • Propose and evaluate low-risk compensating controls that maintain availability.
  • Drive the group to a consensus decision with clear ownership and rollback criteria.

What to review beforehand

  • Review the vulnerability severity score and vendor patch notes.
  • Familiarize yourself with the transit event schedule and maintenance window constraints.

Ground rules

  • You are facilitating the decision, not dictating it. Each stakeholder has competing priorities.
  • Focus on uncovering constraints, evaluating tradeoffs, and securing a committed action plan.

Roles in scenario

Fleet Operations Manager (cross-functional partner; played by a cross-functional interviewer)

Motivation. Maintain 100% fleet availability during the city event to avoid public backlash and revenue loss.

Constraints

  • Cannot authorize any unplanned downtime exceeding 1 hour during the event window.
  • Drivers are already scheduled for mandatory training during off-peak hours.

Tensions to introduce

  • Push back on the 4-hour window, suggesting a 1-hour maximum.
  • Highlight that manual overrides are currently in place for older vehicles, complicating patch deployment.
  • Demand a guarantee that the patch won't introduce latency in real-time dispatch.

In-character guidance

  • Focus heavily on passenger impact, scheduling logistics, and public perception.
  • Be open to compensating controls if they demonstrably protect availability.

Do not

  • Do not concede to the patch timeline without a viable alternative.
  • Do not become hostile or dismissive of security concerns; remain professionally firm on operational limits.
  • Do not solve the technical implementation details; defer to the candidate's facilitation.

Vendor Technical Lead (external partner; played by a cross-functional interviewer)

Motivation. Ensure the patch is applied correctly and completely to avoid liability and maintain SLA compliance.

Constraints

  • Patch requires a full reboot sequence that cannot be interrupted.
  • Cannot provide remote rollback support outside business hours.

Tensions to introduce

  • Warn that delaying the patch increases exploitability and may void support guarantees.
  • State that the patch has been tested in lab environments but not on the exact legacy hardware mix.
  • Request a dedicated maintenance window within 72 hours.

In-character guidance

  • Emphasize technical risk, validation steps, and contractual obligations.
  • Provide honest answers about patch testing and rollback limitations when asked.

Do not

  • Do not volunteer unrequested technical workarounds.
  • Do not pressure the candidate into a decision; present facts and constraints clearly.
  • Do not overpromise on patch stability or rollback capabilities.

IT Security Peer (peer; played by a peer interviewer)

Motivation. Reduce the OT attack surface immediately while ensuring compliance with internal vulnerability management SLAs.

Constraints

  • Must report mitigation status to the CISO within 48 hours.
  • Cannot approve exceptions without documented compensating controls.

Tensions to introduce

  • Suggest network-level segmentation or IDS rule tuning as a temporary compensating control.
  • Highlight that a similar vulnerability was exploited in a peer transit agency last month.
  • Push for a phased rollout starting with non-critical routes.

In-character guidance

  • Focus on risk reduction metrics, compliance reporting, and security architecture tradeoffs.
  • Act as a collaborative sounding board for the candidate's proposed mitigations.

Do not

  • Do not take over the facilitation or dictate the final decision.
  • Do not withhold information about threat intelligence when asked directly.
  • Do not escalate hostility or dismiss operational constraints.

Scoring anchors

Exceeds
Masterfully balances competing priorities, engineers a phased compensating control strategy with clear rollback triggers, and secures explicit cross-functional commitment.
Meets
Facilitates a structured tradeoff discussion, identifies viable compensating controls, and drives the group to a documented, actionable decision.
Below
Fails to manage stakeholder tensions, proposes unrealistic mitigations, or concludes without clear ownership, rollback plans, or risk acceptance documentation.

Response time

35 min

Positive indicators

  • Structures the discussion to explicitly map security risks against operational constraints.
  • Proposes realistic, low-risk compensating controls that address the vulnerability without disrupting service.
  • Drives consensus by acknowledging competing incentives and defining clear success/failure metrics.
  • Establishes explicit rollback criteria and ownership for the chosen remediation path.

Negative indicators

  • Allows one stakeholder to dominate the conversation without surfacing tradeoffs.
  • Proposes compensating controls that are technically unfeasible or introduce new latency risks.
  • Fails to define clear rollback criteria or ownership, leaving the decision ambiguous.
  • Ignores vendor SLA constraints or operational scheduling realities during the tradeoff analysis.

Progression Framework

This table shows how each competency evolves across experience levels; each cell describes what is expected at that level.

OT Security Architecture & Data Protection

4 competencies

Data Pipeline Security & Encryption

  • Junior: Monitors data flow logs and applies standard encryption configurations to transit data pipelines under guidance.
  • Mid: Implements and troubleshoots cryptographic protocols for secure data exchange between field devices and central servers.
  • Senior: Architects end-to-end encryption strategies and manages key lifecycle processes for critical transit data assets.
  • Principal: Establishes enterprise data governance frameworks, evaluates post-quantum cryptographic readiness, and aligns pipeline security with long-term transit digital strategies.

Embedded Systems & Firmware Security

  • Junior: Catalogs embedded device firmware versions and assists in applying vendor security patches under supervision.
  • Mid: Conducts firmware integrity checks and manages secure update processes for transit field devices.
  • Senior: Leads embedded threat modeling and establishes secure boot and cryptographic signing requirements for custom hardware.
  • Principal: Defines hardware security roadmaps, integrates secure element technologies, and establishes supply chain risk management for transit hardware vendors.

Network Architecture & Asset Hardening

  • Junior: Assists in mapping OT network segments and applies vendor-provided hardening guides to endpoints under supervision.
  • Mid: Independently configures network segmentation controls and maintains asset inventories, ensuring alignment with baseline security standards.
  • Senior: Designs resilient, zero-trust network architectures for critical transit OT zones and establishes organization-wide hardening baselines.
  • Principal: Defines enterprise OT network strategy, integrates emerging segmentation technologies, and drives architectural standards across multi-site transit operations.

SCADA/ICS Protocol Security & Segmentation

  • Junior: Assists in deploying protocol filters and monitors baseline ICS traffic for anomalies under senior oversight.
  • Mid: Configures deep packet inspection for industrial protocols and maintains segmentation boundaries between IT and OT networks.
  • Senior: Develops custom protocol security policies, leads risk assessments for legacy SCADA integrations, and designs defense-in-depth strategies.
  • Principal: Drives industry-wide ICS security standards adoption, architects resilient control network topologies, and mentors cross-functional teams on protocol hardening.

OT Security Operations & Compliance Management

4 competencies

Continuous Monitoring & Incident Response

  • Junior: Monitors security dashboards, triages low-severity alerts, and follows documented runbooks for initial incident containment.
  • Mid: Investigates OT-specific alerts, correlates telemetry across IT/OT boundaries, and executes standardized incident response playbooks.
  • Senior: Develops and refines IR playbooks, leads complex incident investigations, and coordinates cross-functional response efforts during critical outages.
  • Principal: Designs enterprise OT SOC architectures, establishes threat hunting programs, and aligns incident response strategies with executive business continuity objectives.

Payment System & Fare Security

  • Junior: Assists in auditing fare terminal configurations and monitoring payment transaction logs for irregularities.
  • Mid: Implements security controls for fare validators and payment gateways, ensuring compliance with PCI-DSS and transit-specific standards.
  • Senior: Architects secure fare ecosystem integrations, leads fraud detection initiatives, and manages cryptographic key distribution for smart cards/tokens.
  • Principal: Defines strategic payment security roadmaps, evaluates emerging contactless and mobile payment technologies, and negotiates security requirements with third-party payment processors.

Regulatory Compliance & Audit Management

  • Junior: Gathers compliance evidence, documents security configurations, and assists in preparing for internal and external audits.
  • Mid: Conducts routine compliance assessments against regulatory frameworks, tracks remediation tasks, and maintains audit documentation.
  • Senior: Leads comprehensive compliance programs, interprets evolving OT regulations, and designs audit automation workflows for continuous compliance.
  • Principal: Engages with regulatory bodies, shapes industry compliance standards for transit OT, and aligns enterprise risk posture with strategic regulatory requirements.

Threat Intelligence & Vulnerability Management

  • Junior: Reviews vulnerability scan reports, tracks known OT CVEs, and assists in prioritizing patch deployments.
  • Mid: Conducts regular vulnerability assessments, correlates threat feeds with asset inventories, and recommends mitigation strategies.
  • Senior: Develops threat intelligence programs tailored to transit OT, leads red team/blue team exercises, and establishes risk-based vulnerability prioritization models.
  • Principal: Defines enterprise threat hunting strategies, integrates predictive threat modeling into architecture design, and represents the organization in industry threat sharing initiatives.