CIO

How to ace the CISO interview – be ready for the tough questions

Training and experience are mandatory just to be considered for top security jobs. But they aren’t enough.

Getting a top job in information security has never been as simple as just having the required training and experience. Yes, those are mandatory, but the modern hiring process also includes personality evaluations to determine the so-called “XQ” – whether a candidate would be a good “fit” for a position – background checks and yes, the personal interview.

It is generally the final stop before either a job offer, or a perfunctory “thanks-for-your-interest” dismissal.

And as the roles of the CISO and CSO have evolved in recent years from a relatively narrow focus as “guardians of the data” to members of the C suite who are expected to speak the language of business, participate in strategic planning and be perceived as business enablers rather than impediments, the interview has evolved as well.

That means it is crucial to be prepared. And being prepared 10 years ago is not necessarily the same as being prepared today.

It was almost a decade ago, in 2006, that CSO spoke with several security executives about some of the most challenging questions they faced in a job interview.

At the time, these made the Top 10:

  • What is your vision for our security organization?
  • How will you fit in with our corporate culture?
  • Do you work well with others?
  • What do you think about security convergence and its effect on our company?
  • How do you sell security to other executives?
  • How do you sell security to the company at large?
  • Why are you leaving your current job?
  • Are you willing to be accountable for security?
  • Are you a risk-taker?
  • What does this role mean to you?

We revisited the topic in 2013, and while a number of the questions remained, since they are relatively timeless, there were some new ones, and some updated versions of the older ones.

Eric Cowperthwaite, vice president, Advanced Security and Strategy at Core Security, who was then CSO of a major healthcare organization, had a somewhat different take on how well one works with others and fits into a corporate culture.

In this case it was about how well a candidate would work with specific “others” – the ones at his organization. And the candidate was required to “answer” the question through a meeting with the team he would be leading, before getting to an interview with Cowperthwaite.

“It doesn't matter how much I like you or how impressed I am by your skills. Show up and rub the team the wrong way, that's the end of the line,” he said at the time.

He also screened candidates with questions like, “Why do you want this job?” and “What questions do you have for me?” to get a sense of whether they were committed to the mission of the organization, or more focused on pay, benefits and checking off a box on their resumes.

Daniel Kennedy, Research Director for Information Security and Networking at TheInfoPro, a division of 451 Research, rephrased “How do you sell security to other executives?” as “How will you earn and keep your seat at the table with other senior executives?” a tacit acknowledgment that the CISO is now expected to be an active member of the C suite without overwhelming other executives with high-tech jargon.

He also wanted evidence of a successful track record, by asking, “What are ways you've prioritized and shepherded information security projects through your previous organization?”

So, are things different today? Perhaps not radically so, but as the position has evolved, so have the questions. Here are several that a CISO candidate can expect:

How will you confront the breach reality?

Cowperthwaite, in an interview this past week, said he wouldn’t change much about his questions from the past, but said given the reality that, “any and all organizations are likely to have been breached in some fashion, or be breached in the near future, I would want to spend some time talking with the candidate about how to deal with that.

“I’m not sure what the question looks like, though,” he said.

How will you work with our CEO and board of directors?

Rob Clyde, international vice president of ISACA (formerly the Information Systems Audit and Control Association) and managing director of Clyde Consulting LLC, said this question reflects the “elevation” of CISOs. The position, he said, “now often reports directly to the CEO or even in some cases to the board of directors,” rather than being one level removed by reporting to the CIO or another, more senior, executive.

And candidates need to be able to do more than scare top executives. They should be able to discuss things like incident response with, “clear, practical, recommended actions,” he said.

Cowperthwaite agreed, noting that questions about functioning in the C suite, an executive track record and corporate culture are more important, and sophisticated, than ever.

“It is really crucial that candidates for CISO today be able to explain how they will become part of the company leadership,” he said. “Just as important, they are going to have to make clear that they are capable of interacting with the CEO and the board of directors.”

A track record means a history of executive experience: “They need to be prepared to lead a department, manage budgets, hire and fire, set strategy – all the things any other executive does,” he said.

Have you, or would you ever consider, hiring an individual who has been known to be a hacker? If no, why not? If yes, what would the benefits to our organization be?

This, of course, presumes that a candidate has demonstrated a move from the black-hat to the white-hat side of the hacking world.

How will you work with the business relative to new initiatives and new technology?

This falls under “enabling, rather than inhibiting, the business.” As Clyde put it, the CISO specifically and the IT department in general, tend to be viewed as, “the group that says ‘no,’ blocking or making it difficult to innovate, implement new technology or adopt new ways of doing business.”

Obviously, it is the CISO’s job to point out risks and to eliminate vulnerabilities. But superior candidates, Clyde said, “will explain and give examples of how they were able to figure out secure ways to enable new methods of doing business that improved the competitive posture of the organization.”

How have you worked with and interacted with executive and business stakeholders to make security a strategic priority that translated to business value?

Pamela Fusco, an adviser to the Information Systems Security Association, said this question illustrates the evolution of the CISO role from a focus on technology to, “more of a, ‘how do you integrate technology and engineering teams? How do you go about engaging and gaining support from corporate business stakeholders and leaders?’”

How will you ensure that no one person in the organization can take down a production environment?

Given virtualization, cloud and software-defined data centers, “individual administrators now have more power than ever, including the ability to copy, move or delete thousands of virtual machines in moments,” Clyde said.

So CISO candidates need to be able to explain how they can use, “secondary approvals, workflows, audit logs, and other controls to ensure that a single individual can’t put the entire production environment at risk,” he said.

How do you keep up with the latest security issues and methods?

Candidates should be able to comment on their recent reading, networking, and their membership in professional associations and forums, “to maintain their edge,” Clyde said, noting that one credential he would look for is ISACA’s Certified Information Security Manager (CISM). In other words, evolution must be ongoing.

Fusco said a good security professional will seek out “affiliations and consortiums” to keep current.

Are you ready to be our cyber security spokesperson internally and externally?

Superior candidates should be prepared to be one of the public faces of the company. It will help, Clyde said, if they can demonstrate, “how they have used their public speaking and public relations abilities to improve the perception of their organization’s information security posture and capabilities.”

Finally, it is not just an interview, but interviews. “There are a dozen or so,” Cowperthwaite said, which are likely to include, “recruiters, hiring executive, peers, direct reports and line of business executives.

“In most cases, candidates’ knowledge of security is taken for granted, so their ability to fit the culture and lead the business are going to be the critical areas,” he said.