Chief Information Security Officer interview questions

The tough questions to ask a Chief Security Officer or Chief Information Security Officer in an interview

The Chief Information Security Officer and CSO roles have evolved in recent years from a relatively narrow focus as "guardians of the data" to members of the C-suite who are expected to speak the language of business, participate in strategic planning and be perceived as business enablers rather than impediments. As such, the CISO interview has evolved as well.

But how exactly has this requirement changed interviewing for the CISO or CSO role?

Almost a decade ago, one of CIO UK's sister titles in the US - CSO - spoke with several security executives about some of the most challenging questions they faced in a job interview.

The 2006 top 10 security interview questions were as follows:

  • What is your vision for our security organisation?
  • How will you fit in with our corporate culture?
  • Do you work well with others?
  • What do you think about security convergence and its effect on our company?
  • How do you sell security to other executives?
  • How do you sell security to the company at large?
  • Why are you leaving your current job?
  • Are you willing to be accountable for security?
  • Are you a risk-taker?
  • What does this role mean to you?

A 2013 revisit of the question included the generic and incredibly trite - Why do you want this job, how do you collaborate and what questions do you have for me? - along with two worthy additions:

  • How will you earn and keep your seat at the table with other senior executives?
  • What are ways you've prioritised and shepherded information security projects through your previous organisation?

Two years on, CSO author Taylor Armerding has come up with a new set of questions relevant for 2015. Here are the new questions that a CISO candidate can expect:

  • How will you confront the breach reality?
  • How will you work with our CEO and board of directors?
  • Have you, or would you ever consider, hiring an individual who has been known to be a hacker? If no, why, and if yes what would the benefits to our organisation be?
  • How will you work with the business relative to new initiatives and new technology?
  • How have you worked with and interacted with executive and business stakeholders to make security a strategic priority that translated to business value?
  • How will you ensure that no one person in the organisation can take down a production environment?
  • How do you keep up with the latest security issues and methods?
  • Are you ready to be our cyber security spokesperson internally and externally?

Finally, it is not just an interview, but interviews, according to Eric Cowperthwaite, vice president of Advanced Security and Strategy at Core Security, who was previously CSO of a major healthcare organisation in the US.

"There are a dozen or so," Cowperthwaite said, which are likely to include, "recruiters, hiring executive, peers, direct reports and line of business executives.

"In most cases, candidates' knowledge of security is taken for granted, so their ability to fit the culture and lead the business are going to be the critical areas."


This story, "Mobile security: iOS vs. Android vs. BlackBerry vs. Windows Phone" was originally published by CIO.