Tuesday, 27 January 2026
Customer-Focused Scenario Questions with Answers + Incident
Client Communication Plan
This pack includes scenario-based interview questions and
high-impact sample answers for a Program Manager leading customer-focused
security engagements, plus a practical incident client communication plan with
an example email/playbook you can reuse.
Customer-Focused Scenario Q&A
Scenario 1: Scope
creep vs. relationship—client requests additional pen testing mid-sprint
without timeline change.
Sample answer: Acknowledge
value; present three options with impacts: (1) substitute equal-effort scope
(no timeline change), (2) change order with cost/timeline, (3) Phase-2 roadmap.
Summarize in a one-page decision brief and secure sponsor sign-off. Result:
mini-SOW approved; baseline protected; CSAT improved.
Scenario 2: Amber
takeover—CPI 0.89, SPI 0.92; team fatigue; exec anxiety.
Sample answer: 48-hour
stabilization: freeze non-critical change; variance analysis; re-baseline
critical path; set WIP limits. Publish dated get-well actions (role mix,
re-sequencing, quality gates); move to weekly steering with trendlines. Target
CPI/SPI ≥0.98 in two sprints and track visibly.
Scenario 3:
Expectation reset—exec assumes features not baselined.
Sample answer: Bring
SOW, RAID, decision log. Offer good/better/best options with
cost/schedule/risk; document in Steering minutes and update the baseline.
Result: phased approach approved; avoided slip; preserved margin.
Scenario 4: Vendor
delay threatens UAT/cutover.
Sample answer: Introduce
stubs/mocks to continue downstream tests; negotiate interim vendor drop for
high-risk flows; add quality gates and rollback criteria. Communicate revised
critical path and hold a checkpoint demo to maintain confidence.
Scenario 5: Sponsor
churn mid-engagement.
Sample answer: Stakeholder
re-map → re-charter session in one week; deliver 2-page program brief (goals,
milestones, risks, decisions); commit a quick-win deliverable. Momentum and
funding continuity maintained.
Scenario 6:
Production incident overlaps go-live week.
Sample answer: Divide
& shield: spin up an incident strike team with exit criteria while a core
delivery cell continues planned work. Re-baseline micro-milestones for 72
hours; publish an incident timeline and root cause plan. Result: restore
service fast and meet revised milestone.
Scenario 7: Privacy
constraints block realistic test data for DAST/integration.
Sample answer: Stand
up masking/anonymization or synthetic data; obtain written exceptions for
residual risks; maintain an evidence matrix. Proceed with compliant testing;
pass audit without findings.
Scenario 8: Rate-card
pressure vs. delivery quality.
Sample answer: Optimize
mix: keep seniors on critical path; shift non-critical work to lower-cost
regions; automate repeatables. Share a risked cost-of-poor-quality model.
Achieve modest discount without degrading critical quality gates.
Scenario 9: Multi-geo
handoff failures cause rework.
Sample answer: Implement
follow-the-sun handoffs with demo-based acceptance; maintain a daily handoff
doc (owner, decisions, open risks); rotate a handoff steward. Rework drops
within two sprints.
Scenario 10: Change
freeze conflicts with cutover window.
Sample answer: Two-step
cutover: pre-stage non-disruptive changes; minimal-risk switch in an approved
micro-window; use feature flags + extended parallel run; define rollback
criteria. No SLA breach; continuity preserved.
Scenario 11: Budget
overrun signal—EAC +7%, CPI 0.93.
Sample answer: Same-day
variance analysis (role mix, rework hotspots); reduce WIP; tighten definition
of done; protect testing time; adjust staffing. Trend CPI toward 0.99 across
three sprints; finish within ±2% of budget.
Scenario 12:
Conflicting directives (Security VP vs. Product VP).
Sample answer: Facilitate
decision with trade-off table (security, time-to-market, customer impact).
Propose phased controls with compensating measures and documented risk
acceptance. Meet market window while improving posture incrementally.
Incident Client Communication Plan (Playbook + Example)
Purpose: Provide a clear, repeatable way to communicate with
clients during incidents while maintaining trust, controlling risk, and meeting
contractual obligations.
• **Classification & Severity**: Define SEV levels
(e.g., SEV1—customer impact/critical outage; SEV2—degraded). Tie to response
SLAs and comms cadence.
• **Roles & RACI**: Incident Commander (internal), Comms
Lead, Technical Lead(s), Client Exec Sponsor, Stakeholder list and escalation
path.
• **Channels & Cadence**: Agreed primary channel (email
+ Teams/Zoom bridge). Cadence examples: SEV1—every 60 mins until stable;
SEV2—every 2–4 hours.
• **Message Structure**:
- Summary (what/when/who)
- Client impact & scope
- Current status & actions taken
- Next steps & ETA
- Client actions requested
- Next update time
- Ticket/incident IDs
• **Evidence & Audit**: Maintain timeline of events,
decisions, artifacts. Store in the incident record for postmortem and
compliance.
• **Post‑Incident**: Within 3–5 business days deliver RCA
with corrective/preventive actions, owner, and dates. Track to closure in the
program RAID log.
Example: Initial SEV1 Client Email (T+30 minutes)
Subject: SEV1 Incident – [Service/Project Name] – Impact and
Immediate Actions
Hi [Client Sponsor/Stakeholders],
We are investigating a SEV1 incident affecting [scope/users/region]. The issue
began at [time zone + timestamp]. Current client impact: [describe symptoms].
Actions taken so far: [bullet list].
Next steps in progress: [bullet list with owners].
**Requested client actions (if any):** [access approvals, change window,
contact].
**Next update:** [e.g., hourly at :15 past the hour] or sooner if material
change.
Incident ID: [ID] | Bridge: [link/number] | Primary POC: [Name, mobile]
Thank you,
[Your Name], Incident Commander
[Company]
Example: Stabilized Update (T+2 hours)
Subject: Update – SEV1 Incident – [Service/Project Name] –
Contained, Monitoring
Hi [Client Sponsor/Stakeholders],
Status: Contained. Service has been restored as of [timestamp]; we are
monitoring closely.
Root cause (preliminary): [brief].
Mitigations in place: [controls/workarounds].
Next actions: [validation, additional fixes, data integrity checks].
**Client actions:** [any validations or confirmations needed].
**Next update:** [e.g., in 2 hours] unless status changes.
Regards,
[Your Name]
Example: Post‑Incident RCA Summary (3–5 business days)
Subject: Post‑Incident Review – [Incident ID] – Root Cause
& Preventive Actions
Hi [Client Sponsor/Stakeholders],
Thank you for your partnership during the recent incident. Attached is the RCA.
**Incident summary:** [what/when/impact].
**Confirmed root cause:** [technical/process].
**Corrective actions (completed):** [bullets with owners/dates].
**Preventive actions (planned):** [bullets with owners/ETAs].
**Evidence:** [logs, change records, test results location].
Please let us know if you’d like a readout; we can schedule a 30‑minute
walkthrough.
Regards,
[Your Name]
Program Manager Interview Q&A (Client-Facing,
Cross-Practice, PMO Leadership)
This document contains targeted interview questions with
high-impact sample answers tailored to a Program Manager role leading
cross-capability, client-facing security engagements. It includes the original
set of questions shared earlier, plus additional scenario-based questions and
budget/estimation questions. Answers follow concise, outcome-focused guidance
(often STAR-style).
Customer Leadership & Relationship Management
Q1. You’re the single
point of contact for a complex, multi-practice engagement. How do you build
trust with the customer while protecting your company’s interests?
Answer: Establish
a joint delivery charter in week 1 (scope, RACI, decision forums, escalation
paths, quality metrics). Run bi-weekly exec checkpoints with a one-page
narrative: status, risks, financials, and next 2–3 decisions. When scope creep
emerges, present options (baseline vs. change order vs. phased roadmap) with
effort/timeline impacts. Result: reduced unplanned scope by 38%, CSAT 4.8/5,
margin within ±1.5% of plan.
Q2. A client raises
concerns about delays and escalating costs. What do you do within 24–48 hours?
Answer: Run a
variance huddle: analyze schedule slippage, earned value, and utilization.
Present a get-well plan with three streams: (1) schedule recovery (re-sequence,
parallelize), (2) cost controls (role swaps, timeboxing), (3) risk hedges
(quality gates). Commit to visible wins in 2 sprints and formalize a revised
baseline through change control.
Delivery Governance, Risk & Issues
Q1. How do you manage
delivery risk end-to-end across multiple projects in a program?
Answer: Maintain
a program risk register aggregated from project logs with owners, due dates,
leading indicators, and pre-agreed triggers (e.g., burn variance >10%,
milestone slip >5 days). Review weekly via a Program Control Board and
escalate only risks crossing thresholds—cutting surprise escalations by
>50%.
Q2. Give an example
of turning around at-risk projects across practices and geos.
Answer: Seven-workstream
security engagement slipped 4 weeks. Executed a critical path reset: clarified
dependencies, swapped scarce SME for regional senior, introduced checkpoint
demos. Recovered 3.5 weeks; delivered contractual milestones; NPS improved from
+12 to +43.
Planning, Scheduling & Controls
Q1. How do you build
a strategic delivery plan and keep it evergreen?
Answer: Start
with WBS and dependency map, align to a milestone plan with deliverables,
owners, and acceptance criteria. Use rolling-wave planning for 2–3 sprints,
maintain a 90-day look-ahead for capacity, and track with earned value
(CPI/SPI).
Q2. How do you
prevent hidden dependencies from derailing timelines?
Answer: Run a
dependency discovery workshop at kickoff with architecture, practice leads, and
client SMEs. Tag each dependency by type, lead time, and impact; insert buffer
tasks where uncertainty is high. Manage with a dependency heatmap to prevent
70–80% of avoidable slips.
Resource Management & Utilization
Q1. How do you ensure
each delivery resource maintains a minimum of 40 billable hours per week
without burnout?
Answer: Maintain
a 12-week resource forecast; align backlog to capacity. For under-utilization
risk, front-load prep work or rotate to adjacent workstreams. Track load via
timesheet analytics and prevent >110% sustained load. Achieve ≥95%
utilization and <5% overtime.
Q2. Two critical
engineers are over-allocated across three projects. What’s your move?
Answer: Re-balance
with skills-adjacent swaps; pair seniors with mids for repeatable tasks;
negotiate time-boxed windows with other PMs. Publish a resource Gantt for
transparency and daily coordination.
Budgeting, Forecasting & Commercials
Q1. How do you manage
budget, UoM forecasting, and margin?
Answer: Build the
financial model around UoM drivers (hours, fixed deliverables, T&M tasks);
track burn vs. earned and forecast EAC weekly. Protect margin with scope
hygiene, role right-sizing, and defect prevention via quality gates. Example:
$4.2M program on time with +2.3% margin over plan.
Q2. The client
requests additional analysis outside SOW. How do you respond?
Answer: Acknowledge
value and present options: (1) substitute equal-effort item, (2) add via change
order with cost/timeline impacts, or (3) defer to a phase-2 roadmap. Document
the decision and update the baseline.
PMO Excellence, Reporting & Mentoring
Q1. How do you
deliver consistent project status across multiple efforts to PMO and practice
leadership?
Answer: Standardize
on a one-page status: RAG by scope/schedule/cost/quality, top 5 risks/issues,
decision log, and forecast. Use common KPIs—CPI/SPI, risk exposure,
utilization, SLA adherence, deliverable acceptance—so leaders can compare
across the portfolio.
Q2. How have you
mentored other PMs on complex cross-practice engagements?
Answer: Run
playbook sessions on change control, risk triggers, and financial hygiene; pair
on a live engagement for two sprints; host monthly guilds to review edge cases.
Reduced new PM ramp time from 12 to 8 weeks.
Cyber/InfoSec Engagement Nuance
Q1. Security programs
often hinge on environment readiness. How do you de-risk that?
Answer: Create a
readiness track with explicit exit criteria (access, data, change windows). If
gaps exist, run a pre-engagement readiness sprint with the customer. Protected
a recent assessment timeline by 3 weeks.
Q2. How do you handle
parallel delivery across advisory, engineering, and managed services?
Answer: Define
practice-specific sub-plans and a program-level integration plan with shared
milestones (control validation → runbook handoff → steady-state).
Cross-practice standups focus on handoffs and dependencies, reducing rework by
~30%.
Communication & Stakeholder Alignment
Q1. Describe your
communication plan for an executive, multi-stakeholder audience.
Answer: Tiered
comms: (1) Exec steering (bi-weekly) for outcomes, risks, decisions; (2)
Program control (weekly) for schedule/financials/dependencies; (3) Workstream
(2–3x weekly) for tasks/blockers/demos—all anchored to the engagement delivery
plan.
Q2. How do you
resolve conflict between a technical lead and the client product owner?
Answer: Private
fact-finding to separate interests from positions; propose criteria-based
options (performance v. time-to-market); facilitate a time-boxed tradeoff
decision in steering. Maintains momentum and shared ownership.
Quality Metrics & Continuous Improvement
Q1. What quality
metrics do you track and why?
Answer: Deliverable
acceptance rate, defect density, first-pass yield, rework hours, change
velocity, and CSAT/NPS. These predict schedule and cost risks earlier than
status alone and tie directly to scope stability.
Q2. How do you
operationalize lessons learned?
Answer: Run
retros at each phase gate; codify 3–5 improvements; update PMO
playbook/templates; apply on the next engagement—closing the feedback loop.
Business Development & Opportunity Sensing
Q1. How do you
contribute to business development while delivering?
Answer: Capture
adjacent needs during delivery (e.g., hardening, managed detection, cloud
posture). Share a value brief with account leadership and schedule a roadmap
session with client consent. Sourced $1.1M in follow-on work across three
accounts.
Q2. Give an example
of expanding scope without damaging timelines.
Answer: Client
requested API security testing mid-program. Phased in discovery in parallel,
scheduled testing during a buffer window, introduced a mini-SOW. Delivered
add-on with no base timeline impact; TCV increased by 18%.
Travel, Coordination & Remote-First
Q1. With up to 25%
travel, which meetings require on-site presence?
Answer: Prioritize
kickoff, key demos, executive decisions, and recovery workshops—events with
high alignment or change impact. Keep other ceremonies virtual with crisp
artifacts.
Scenario Case (Composite)
Q1. Your engagement
is amber: CPI=0.88, SPI=0.92, two SMEs at risk, and the client wants extra
assessment outside scope. What do you do?
Answer: Stabilize
within 48 hours: resource swap, re-sequence tasks, freeze non-critical changes.
Reset EAC; stop rework leakage. Convert extra assessment into change order or
phase-2. Move to weekly exec steering for 4 weeks with risk and burndown.
Target CPI/SPI ≥0.98 within two sprints.
Additional Scenario-Based Questions
Q1. Mid-phase, a
critical third-party vendor slips by three weeks, blocking your critical path.
What is your recovery plan?
Answer: Run a
dependency/crash analysis to re-sequence tasks; create a bypass plan (mock
interfaces, stubs) to keep integration testing moving; negotiate an interim
drop from the vendor for highest-risk artifacts; and establish a penalty/credit
via contract if applicable. Communicate the revised critical path and protect
downstream milestones with added quality gates.
Q2. A senior
architect resigns mid-program. How do you maintain momentum and knowledge
continuity?
Answer: Trigger
the succession plan: activate the documented RACI backup, accelerate a
knowledge-transfer sprint with recorded walkthroughs and architecture decision
records (ADRs), and split responsibilities between an interim lead and a
hands-on SME. Reconfirm design authorities in steering to avoid decision
latency.
Q3. A production
incident overlaps with a major delivery milestone. The client wants all hands
on the incident. Next steps?
Answer: Divide
and shield: form an incident strike team with clear exit criteria while
preserving a small core on delivery to avoid a total stall. Re-baseline the
week’s plan, communicate a 72-hour adjusted milestone, and publish a
transparent incident timeline and root-cause plan to restore confidence.
Q4. Regulatory
auditors raise a finding that affects your in-scope deliverables. How do you
adapt?
Answer: Run an
impact assessment: map the finding to in-scope controls/deliverables, estimate
remediation effort, and propose either a change order or reprioritization. Add
targeted compliance checkpoints and evidence collection to the plan to avoid
late-cycle surprises.
Q5. The client
refuses a necessary change order despite clear scope growth. What’s your
approach?
Answer: Present
decision scenarios with quantified impacts: (A) proceed without change—list
risks and de-scope items; (B) approve change—timeline/cost; (C) split into
phase-2. Escalate to the steering committee with a recommendation and document
the final decision to protect both relationship and delivery integrity.
Q6. You discover test
data privacy constraints that block realistic DAST or integration testing. What
do you do?
Answer: Stand up
a data-masking/anonymization pipeline or synthetic data generation aligned to
privacy rules, secure a written exception for any residual risks, and time-box
the setup to avoid derailing the schedule. Update test evidence mapping for
auditability.
Q7. Multi-geo teams
are missing handoffs, causing rework. How do you fix it?
Answer: Introduce
follow-the-sun handoff rituals with a shared daily handoff doc (owner,
decisions, open risks), require demo-based acceptance at handoff, and rotate a
handoff steward role weekly. Rework typically drops within two sprints.
Q8. Your customer
success sponsor leaves the client organization. How do you de-risk sponsor
churn?
Answer: Map
stakeholders, identify a new sponsor, and schedule a recharter session to
reconfirm outcomes, metrics, and decision rights. Provide a 2-page program
brief and quick wins plan within one week to maintain momentum.
Q9. A blackout period
and change freeze collide with your planned cutover. What’s your plan?
Answer: Propose a
two-step cutover: pre-stage non-disruptive changes before the freeze and
execute the minimal-risk switch during an approved window. If needed, deploy a
feature toggle strategy and extend parallel run to de-risk the transition.
Q10. Third-party
integration fails security validation late in the cycle. How do you proceed?
Answer: Isolate
the integration behind a proxy/WAF, negotiate a temporary restricted scope, and
schedule remediation in a controlled sandbox. Update risk register and secure
steering approval for a staged go-live while maintaining compliance.
Budgeting & Estimation Questions
Q1. How do you
produce an initial ROM (Rough Order of Magnitude) estimate for a cross-practice
engagement?
Answer: Use
top-down analogs from similar programs, apply complexity multipliers
(integration count, data volumes, regulatory scope), and add contingency based
on uncertainty (typically 25–50% for ROM). Validate via bottom-up sampling on
the riskiest workstreams before publishing.
Q2. Describe your
bottom-up estimation approach for a fixed-price bid.
Answer: Decompose
to WBS work packages with clear acceptance criteria; estimate effort using
three-point estimates (optimistic/most-likely/pessimistic), factor productivity
by role, and include non-project time (ceremonies, KT, buffer). Convert to cost
using blended rates and add management reserve aligned to risk exposure.
Q3. How do you manage
EAC (Estimate at Completion) and ETC (Estimate to Complete) mid-program?
Answer: Update
EAC weekly using actuals + ETC from workstream leads; reconcile with earned
value (CPI/SPI). If CPI<0.95 or SPI<0.95, trigger a variance analysis and
a corrective action plan with dated owners and financial impacts.
Q4. What’s your
strategy for contingency and management reserve?
Answer: Contingency
covers known-unknowns at the work package level; management reserve protects
the overall program against unknown-unknowns. I size contingency from risk
exposure (probability × impact) and release it only through change control.
Q5. How do you
forecast UoM (unit-of-measure) consumption and control burn?
Answer: Model
demand drivers (environments, data size, test cycles), translate to hours or
deliverables, and set guardrails per role. Run weekly variance checks and
adjust staffing or scope to keep burn within ±10% of plan.
Q6. When do you
choose T&M vs fixed-price vs milestone-based pricing?
Answer: T&M
for high-uncertainty discovery, fixed-price for well-defined deliverables with
low volatility, milestone-based for outcome checkpoints in complex
integrations. Often a hybrid model balances client predictability and delivery
flexibility.
Q7. How do you handle
rate-card pressure without compromising delivery quality?
Answer: Optimize
the mix (senior-to-mid ratio), automate repeatable tasks, and move non-critical
tasks to lower-cost regions. Protect quality by keeping critical path roles
senior and enforcing quality gates to avoid expensive rework.
Q8. Explain how you
use Earned Value (CPI/SPI) to steer decisions.
Answer: CPI<1
indicates cost overrun; SPI<1 indicates schedule slippage. I use thresholds
to trigger actions—e.g., CPI<0.95 prompts scope/role review, SPI<0.95
prompts re-sequencing or added capacity—and I show trendlines to leadership for
transparency.
Program Manager Interview Q&A – Comprehensive
(Behavioral, Scenario-Based, and “Bit-of-Code” Questions)
This interview pack is tailored to the attached Program
Manager JD for a customer-facing, cross-capability security services role
(Optiv context). It covers critical and likely questions across behavioral,
delivery, risk, budget & estimation, PMO leadership, security nuances, and
light code scenarios that a PM should reason about. Answers use concise,
outcome-oriented guidance (often STAR-style).
Role Understanding (JD-Aligned)
Behavioral Questions (STAR Answers)
Scenario-Based: Delivery, Risk & Governance
Budgeting, Estimation & Commercials
PMO Excellence, Reporting & Mentoring
Security Program Management (Multi-Practice)
Communication & Customer Leadership
“Bit-of-Code” Scenarios for a Program Manager
Groovy snippet:
stage('Security Gate') { steps { sh 'snyk test --severity-threshold=high'; sh
'zap-cli quick-scan --self-contained https://staging.example.com' } }
admission:
require:
signed_artifact: true
no_critical_open: true
sbom_present: true
block_if:
exploitable_high: true
What’s wrong?
securityContext:
runAsUser: 0
allowPrivilegeEscalation: true
What do you flag?
Lightning Round
x
Q1. What are the
three most important accountabilities for this Program Manager role?
Answer: (1) End-to-end delivery governance across multi-practice
engagements (scope, schedule, cost, quality). (2) Proactive risk/issue
management with clear triggers, escalations, and recovery plans to ensure
uninterrupted progress. (3) Customer
leadership as single point of contact, aligning outcomes with commercial
commitments while protecting margins and scope.
Q2. How do you
translate customer objectives into an executable delivery plan?
Answer: Facilitate
a charter/Kickoff to capture business outcomes and constraints, decompose into
a WBS with acceptance criteria, map dependencies and decision forums, and
publish a milestone plan with quality gates (definition of done, evidence). Tie
to a reporting cadence so stakeholders see progress and risks early.
Q1. Tell me about a
time you recovered a slipping program without damaging the client relationship.
Answer: S: A
6-workstream cyber program slipped 3 weeks due to vendor delays. T: Recover
schedule and protect trust. A: Re-sequenced critical path, introduced interim
vendor drops, created an exec-visible get-well plan; ran twice-weekly
checkpoints. R: Recovered 2.5 weeks, delivered all milestones; CSAT rose from
4.2→4.7; margin held within ±2%.
Q2. Describe a
conflict between a technical lead and product owner and how you resolved it.
Answer: S: Lead
insisted on refactoring; PO prioritized time-to-market. T: Align on an
objective choice. A: Facilitated options with quantified tradeoffs, proposed
feature toggles and partial refactor. R: Shipped on time with risk isolated;
completed refactor in the next sprint; kept velocity and quality stable.
Q3. When did you say
‘no’ to scope creep and still keep the client happy?
Answer: S: Client
wanted additional analytics mid-sprint. T: Avoid timeline and margin erosion.
A: Offered three options—substitute scope, change order, or phase-2—plus a
quick demo prototype. R: Client approved a mini-SOW; delivered with no baseline
slip; TCV up 12%.
Q4. Give an example
of mentoring PMs to handle cross-practice engagements.
Answer: S/T: PMs
struggled with consistent status and change control. A: Rolled out a one-page
status template, variance triggers, and a CO checklist; paired for two sprints.
R: Ramp time dropped 33%; escalations reduced by half over two quarters.
Q5. Tell me about a
data-driven decision you made under time pressure.
Answer: S: Budget
overrun warning (CPI 0.91). A: Same-day variance analysis identified rework
hotspots; swapped roles, tightened quality gates. R: CPI improved to 0.99 in 3
sprints; avoided a $180k overrun.
Q6. How do you
maintain team morale during intense delivery windows?
Answer: Use
transparent plans, focused WIP limits, celebrate incremental wins, rotate
on-call duty, and protect critical path roles from meeting drag. Monitor
burnout risk via timesheets and pulse checks; balance loads proactively.
Q1. Mid-phase, a
third-party dependency slips three weeks and blocks integration. Next steps?
Answer: Crash
analyze the schedule, parallelize unaffected streams, create stubs/mocks to
continue integration tests, negotiate an interim drop with the vendor, and
adjust the plan with new quality gates. Communicate revised critical path and
recovery curve in a focused steering deck.
Q2. You inherit an
amber program: CPI=0.88, SPI=0.93, two key SMEs overbooked. What’s your 72-hour
plan?
Answer: Day 1:
freeze non-critical change, re-baseline critical path, secure temporary SME
backfills. Day 2: publish get-well plan with dated owners; adjust staffing
model; restore WIP limits. Day 3: lock a change order for scope variances; move
to weekly exec steering; target CPI/SPI ≥0.98 in two sprints.
Q3. A change freeze
collides with cutover dates. How do you avoid a slip?
Answer: Pre-stage
non-disruptive changes, use feature flags, extend parallel run, and request a
micro-window under risk acceptance if needed. Align rollback criteria and smoke
tests to keep risk tolerable.
Q4. Client sponsor
leaves mid-engagement. How do you keep momentum?
Answer: Run a
rapid stakeholder re-map, schedule a re-charter to reconfirm outcomes/metrics,
deliver a 2-page program brief and quick wins within a week, and re-affirm
decision rights to avoid latency.
Q5. Audit finding
late in cycle affects deliverables. What do you do?
Answer: Impact
assess to requirements and evidence, propose re-prioritization or change order,
add compliance checkpoints to the plan, and create an audit evidence matrix to
accelerate closure.
Q1. How do you create
a ROM estimate for a cross-capability program?
Answer: Top-down
analogs + complexity multipliers (integration count, data volumes, regulatory
scope) + 25–50% contingency based on uncertainty. Validate with bottom-up
sampling on the riskiest streams before publishing.
Q2. Walk me through
bottom-up estimation for a fixed-price bid.
Answer: Decompose
to WBS with acceptance criteria; use three-point estimates per package; include
ceremonies, KT, buffers; convert hours→cost via blended rates; add management
reserve linked to risk exposure; test price sensitivity.
Q3. How do you steer
with Earned Value?
Answer: Track
CPI/SPI weekly; thresholds (e.g., 0.95) trigger variance analysis. For CPI
issues: role mix and rework hotspots. For SPI: re-sequencing, fast-tracking, or
added capacity. Show trendlines to leadership and customer.
Q4. How do you
forecast UoM consumption and control burn?
Answer: Model
demand drivers (environments, test cycles, data size), translate to
hours/deliverables, set guardrails per role, and run weekly variances; use
staffing swaps or scope tradeoffs to keep burn within ±10%.
Q5. T&M vs.
fixed-price vs. milestone-based—when and why?
Answer: T&M
for discovery/high uncertainty; fixed-price for well-defined deliverables;
milestone-based for outcome checkpoints across complex integrations. Hybrid
models often balance predictability and flexibility.
Q1. How do you
provide consistent status across multiple efforts?
Answer: Use a
one-page status: RAG by scope/schedule/cost/quality, top 5 risks/issues,
decisions, and forecast (CPI/SPI). Maintain a single source of truth and
cadence (steering weekly/bi-weekly).
Q2. How do you mentor
PMs to improve risk and change control?
Answer: Run
playbook workshops on risk triggers and change-order hygiene; pair on a live
program for two sprints; review quarterly portfolio metrics; celebrate early
risk discovery.
Q1. How do you keep
security programs on schedule given environment readiness constraints?
Answer: Introduce
an environment readiness track with exit criteria (access, data, credentials,
windows). Time-box readiness sprints; no-go if critical criteria unmet; keep
stakeholders aware via a readiness dashboard.
Q2. You’re
coordinating advisory, engineering, and managed services—how do you reduce
rework?
Answer: Set
practice sub-plans and an integration plan with handoff milestones
(design→build→validate→runbook→steady-state). Require demo-based acceptance at
each handoff.
Q3. How do you handle
privacy constraints blocking realistic testing?
Answer: Stand up
masking/anonymization or synthetic-data pipelines, obtain written exceptions
for residual risks, and trace evidence for audits.
Q1. What is your
executive communication rhythm?
Answer: Tiered:
exec steering (bi-weekly) for outcomes/risks/decisions; program control
(weekly) for schedule/financials/dependencies; workstream standups (2–3×
weekly) for blockers/demos—all anchored to the delivery plan.
Q2. How do you handle
difficult news?
Answer: Lead with
facts and impact, present 2–3 remediation options with tradeoffs, recommend
one, and commit to near-term checkpoints to restore confidence.
Q1. Jenkinsfile stage
fails at the security gate. What’s your diagnosis and fix?
Answer: Diagnosis:
sequential commands with no explicit failure handling; missing auth/context for
DAST likely causing false results. Fix: add error handling and authenticated
scans; split gates per environment and enforce thresholds. Example: `snyk test
--severity-threshold=high || exit 1`; configure ZAP context with auth tokens;
fail build on confirmed exploitable findings.
Q2. Policy-as-code
snippet is blocking deploys unexpectedly (YAML).
Answer: Likely
default evaluation is AND across `require` plus `block_if`. If any scanner
flags exploitable_high (even false positives), deploys block. Add explicit
logic/thresholds (e.g., EPSS/KEV filters), and scope rules per environment so
non-prod uses warn-only.
Q3. You see this SQL:
SELECT * FROM orders WHERE customer_id = 'userInput'. Risk and mitigation?
Answer: SQL
Injection risk due to unparameterized input. Mitigation: parameterized
queries/prepared statements, server-side validation, SAST/DAST checks, and a
regression test.
Q4. Kubernetes
manifest shows:
Answer: Running
as root and privilege escalation allowed. Require non-root user, drop
capabilities, set read-only root FS, enforce via IaC scanning/admission
policies.
Q5. A GitHub Actions
secret was committed. Immediate plan?
Answer: Revoke/rotate
the secret, enable secret scanning & pre-receive hooks, purge history if
needed, open an incident ticket with evidence, and run a quick training.
Q6. Log snippet shows
repeated 401s post-deploy for user=svc-ci from a single IP. Next steps?
Answer: Verify
token scopes/expiry, check clock skew and audience claims, roll back if
necessary, and add synthetic checks to catch auth regressions in CI.
Q7. Terraform plan
shows drift: security group opens 0.0.0.0/0. Course of action?
Answer: Block
apply, find source of drift (out-of-band change), enforce IaC as source of
truth, and require risk review before any temporary broad exposure.
Q8. API SLA JSON: {
'latency_ms_p95': 300, 'error_rate_pct': 0.5 }. How to make it actionable?
Answer: Instrument
dashboards for p95 latency/error rate, set alert thresholds, add a pre-release
quality gate; failing thresholds trigger no-go or rollback.
Q9. DAST found XSS on
a support form. What’s the remediation plan?
Answer: Coordinate
dev fix (output encoding/input validation), add CSP headers, add a regression
test, retest with DAST, and communicate customer impact and ETA.
Q10. SBOM shows a
critical CVE in a transitive dependency. How do you drive resolution?
Answer: Prioritize
by exploitability (KEV/EPSS), open upgrade PRs, require signed SBOM at build,
and block prod deploys with unpatched criticals; provide ETA to stakeholders.
Q1. Single most
important habit to avoid surprises?
Answer: Weekly
risk review with triggers and owners; escalate early.
Q2. How do you
protect margin?
Answer: Scope
hygiene, right role mix, prevent rework with quality gates.
Q3. Best way to
handle multi-geo?
Answer: Follow-the-sun
handoffs with demo-based acceptance.
Subscribe to:
Comments (Atom)