There is increased scrutiny by the Board and Management of business risks and potential impact of Cyber Security on operations. As the person who is responsible for hiring the new CISO, what are the key criteria that you ‘must’ have for the candidate?
In the marketplace there is an overall shortage of experienced CSO’s, I’ve been asked to refer candidates and it is always a struggle. My bet is that it is likely that you won’t have a large pool to choose from.
How then will you select your new CISO and what questions would you want that person to just nail? Here are ten questions that I would ask.
Question 1 – As a CISO what keeps you awake at night?
This is a really interesting insight into the person that who is going to be at the helm. While you want this person to be calm in a crisis, it will also be necessary that the CISO is a little paranoid and doesn’t sleep well.
I’d be concerned if a CISO told me that they slept well as they had done everything already to prepare the organization. What I would like to hear is that we will have these measures in-place for threat intelligence, to systems monitoring and alerts. This would include social media monitoring and that we are looking for patterns that occur in the enterprise and not yet within the silos of the individual tools.
What I really want to hear is that we have a clear framework and know what we are the dots we are trying to see, then what happens when we think that we have spotted such phenomenon?
Question 2 – How do you know select your team and partners?
This is clearly a role where you want a leader that has clarity around what capabilities his team is great at and where he chooses to outsource and partner externally.
In the interview I would be looking to hear a really clear message around the roles of key reports and how he would manage them. The whole idea of ‘trust but verify’ is really critical in a CISO and this also applies to any outsourced service that is acquired.
The key question I would be asking is how does he know what ‘good’ looks like – what are the key attributes and why?
Question 3 – Are you confident that you know all the latest vulnerabilities and industry knowledge?
A trick question in my mind, and I would be a little nervous of a CISO that is over confident or under confident. I’d like to hear about how they stay up to date with various sources and what their personal radar and network provides to them in terms of intel.
Being able to tap into a powerful and trusted network is really critical, as you ‘can’t know what you don’t know’ and that is where the external ecosystem has to provide you that support.
You really want a CISO that doesn’t suffer from ‘Failure to see’.
Question 4 - How do you know which White Hat Hackers you can trust?
I’m not sure that there is a correct answer for the question. But you want to hear what is a considered response and without any hint of recklessness.
This is all about personal judgment as well as ensuring that there is sufficient due diligence that the CISO has used in the past. The CISO, should talk about counter measures that ensure any commissioned white hat hacking is contained and monitored.
As a follow-on question, I would ask the CISO around how does he \ she balance continuity of reusing the same resource with the potential that familiarity breeds comfort.
You would want your CISO to be both corporate and a bit on the edge. That means he \ she needs to understand the ‘dark’ side and what is happening there but just prefer to live in the ‘light’.
Question 5 - Tell me what is your average day?
As a CISO there are many facets of the role from daily operational risk management to strategic projects that have potential security implications. There would be an expectation that the CISO is able to divide and segment his activities between Run and Change the Business tasks.
I really want to know what makes this person tick. What drives and motivates this person to get out of bed and make a difference. It would be really insightful to hear how well this is balanced and when tradeoffs are required what does the CISO do?
Question 6 – What would you Cyber Security Strategy look like?
A really tricky question as this is really critical. What I would want is to hear a longer term vision of how vulnerabilities will be managed with a strong bias to action for higher risk items.
It is really important to hear a story around how Cyber Security will be addressed across People, Process and Technology. I would be very worried if the CISO just talked about new tech as the answer to the strategy question.
How the CISO plans to engage the business and ensure that the function is proactive and not just reactive is also critical.
Question 7 – How do you know that we are not already been compromised?
The glass half empty or half full question – it never pays to be too optimistic or pessimistic in the role as a CISO. To possess a degree of skepticism and not be defensive is going to be a winner in my view.
While you always want a degree of confidence this has to be tempered with caveats of where we need to take further action. To me the ideal answer will be a mix of caution and with a clear understanding of what we are doing to check our own data and the intelligence applied to looking for those patterns that may provide clues to something not being right.
Question 8 – Have you tried already to test our Cyber Security defences?
Read more: Security Watch: LogRhythm Appoints Cyber Security Veteran James Carder as CISO
This is somewhat of a ‘loaded’ ethical question, you do want a CISO that is ‘hands on’ and has the capability to understand a hacker and hacking culture. It would depend upon how the question is actually answered.
If a CISO told me that they had a quick scan of the perimeter to understand what he \ she could learn as part of the due diligence then that would be a great conversation starter and I’d expect that they would have a few insights that required further investigation and probing.
That would be a healthy response and acceptable in my view.
Question 9 – How do you manage interactions with the teams that are doing digital innovation ?
As the CISO, they are going to be the villain in the relationship with the Digital team who are hell bent on testing their proof of concept as a Minimum Viable Product. Invariably this usually means taking short cuts and sticking to a hard schedule.
I’d want my CISO to be clear that they will be personally ensuring that the organisation manages risks sensibly and that he \she will take a strong ongoing monitoring role for each of these projects. That means having coffees with the innovation teams during the early stages so that risks are understood early and that the CISO doesn’t become the person that stopped the project just before it is due to be piloted.
Question 10 – When Sh*$T happens, how will you keep me informed?
This is where you want the maturity, clear level headed and understanding of the business impact to be front and foremost. I would be looking to hear about how they manage communications in a crisis and what mechanisms are used. In particular, how this integrates with the Business Crisis management and with other parts of IT.
A person who over communicates during a crisis but also understands the importance of the brand, so that there the ‘spin’ is minimized and the attention is centred around ‘root cause’ analysis and not covering one’s backside.
I’d also look for leadership behavior examples of having the back of the team, so that they are not disturbed while the restoration and recovery efforts are being completed.
The Interview
When you do the interview, the other key question is who to bring into the panel? The Head of IT Infrastructure, Head of Digital Business would be two obvious candidates for me. But I’d also bring in the COO and have a really clear ‘voice of the business’, for me this is a great opportunity for the new CISO to get a balanced view of the impact and obligations of cyber security that apply to all components of the enterprise.
Good luck with the search. It is not going to be easy as you want that special combination of Leader, Technologist and Networker that is able to both ‘see’ and ‘act’. Give these questions a try and let me know, how you make out?