What questions your new CISO will not want to answer at interview?

How to interview your CISO

There is increased scrutiny by the Board and Management of business risks and potential impact of Cyber Security on operations. As the person who is responsible for hiring the new CISO, what are the key criteria that you ‘must’ have for the candidate?

In the marketplace there is an overall shortage of experienced CSOs. I’ve been asked to refer candidates and it is always a struggle. My bet is that you won’t have a large pool to choose from.

How then will you select your new CISO and what questions would you want that person to just nail? Here are ten questions that I would ask.

Question 1 – As a CISO what keeps you awake at night?

This is a really interesting insight into the person who is going to be at the helm. While you want this person to be calm in a crisis, it will also be necessary that the CISO is a little paranoid and doesn’t sleep well.

I’d be concerned if a CISO told me that they slept well because they had already done everything to prepare the organization. What I would like to hear is which measures will be in place, from threat intelligence through to systems monitoring and alerting. This would include social media monitoring, and looking for patterns that occur across the enterprise rather than only within the silos of the individual tools.

What I really want to hear is that we have a clear framework, that we know which dots we are trying to connect, and then what happens when we think we have spotted such a phenomenon.

Question 2 – How do you select your team and partners?

This is clearly a role where you want a leader that has clarity around what capabilities his team is great at and where he chooses to outsource and partner externally.

In the interview I would be looking to hear a really clear message around the roles of key reports and how he would manage them. The whole idea of ‘trust but verify’ is really critical in a CISO and this also applies to any outsourced service that is acquired.

The key question I would be asking is how does he know what ‘good’ looks like – what are the key attributes and why?

Question 3 – Are you confident that you know all the latest vulnerabilities and industry knowledge?

A trick question in my mind, and I would be a little nervous of a CISO that is overconfident or underconfident. I’d like to hear about how they stay up to date with various sources and what their personal radar and network provide to them in terms of intel.

Being able to tap into a powerful and trusted network is really critical, as you ‘can’t know what you don’t know’ and that is where the external ecosystem has to provide you that support.

You really want a CISO that doesn’t suffer from ‘Failure to see’.

Question 4 - How do you know which White Hat Hackers you can trust?

I’m not sure that there is a correct answer to the question. But you want to hear a considered response without any hint of recklessness.

This is all about personal judgment, as well as ensuring that the CISO has applied sufficient due diligence in the past. The CISO should talk about countermeasures that ensure any commissioned white hat hacking is contained and monitored.

As a follow-on question, I would ask the CISO how he/she balances the continuity of reusing the same resource against the risk that familiarity breeds comfort.

You would want your CISO to be both corporate and a bit on the edge. That means he/she needs to understand the ‘dark’ side and what is happening there, but just prefers to live in the ‘light’.

Question 5 - Tell me, what does your average day look like?

As a CISO there are many facets of the role from daily operational risk management to strategic projects that have potential security implications. There would be an expectation that the CISO is able to divide and segment his activities between Run and Change the Business tasks.

I really want to know what makes this person tick. What drives and motivates this person to get out of bed and make a difference? It would be really insightful to hear how well this is balanced and, when trade-offs are required, what the CISO does.

Question 6 – What would your Cyber Security Strategy look like?

A really tricky question, as this is really critical. What I would want to hear is a longer-term vision of how vulnerabilities will be managed, with a strong bias to action for higher-risk items.

It is really important to hear a story around how Cyber Security will be addressed across People, Process and Technology. I would be very worried if the CISO just talked about new tech as the answer to the strategy question.

How the CISO plans to engage the business and ensure that the function is proactive and not just reactive is also critical.

Question 7 – How do you know that we have not already been compromised?

The glass half empty or half full question – it never pays to be too optimistic or pessimistic in the role as a CISO. To possess a degree of skepticism and not be defensive is going to be a winner in my view.

While you always want a degree of confidence, this has to be tempered with caveats about where we need to take further action. To me the ideal answer will be a mix of caution and a clear understanding of what we are doing to check our own data, and of the intelligence applied to looking for those patterns that may provide clues to something not being right.

Question 8 – Have you tried already to test our Cyber Security defences?

This is somewhat of a ‘loaded’ ethical question; you do want a CISO that is ‘hands on’ and has the capability to understand a hacker and hacking culture. It would depend upon how the question is actually answered.

If a CISO told me that they had done a quick scan of the perimeter to understand what he/she could learn as part of the due diligence, then that would be a great conversation starter, and I’d expect that they would have a few insights that required further investigation and probing.

That would be a healthy response and acceptable in my view.

Question 9 – How do you manage interactions with the teams that are doing digital innovation?

The CISO is going to be the villain in the relationship with the Digital team, who are hell bent on testing their proof of concept as a Minimum Viable Product. Invariably this means taking short cuts and sticking to a hard schedule.

I’d want my CISO to be clear that they will personally ensure that the organisation manages risks sensibly and that he/she will take a strong ongoing monitoring role for each of these projects. That means having coffees with the innovation teams during the early stages, so that risks are understood early and the CISO doesn’t become the person who stopped the project just before it was due to be piloted.

Question 10 – When Sh*$T happens, how will you keep me informed?

This is where you want maturity, clear level-headedness and an understanding of the business impact to be front and foremost. I would be looking to hear about how they manage communications in a crisis and what mechanisms are used. In particular, how this integrates with Business Crisis Management and with other parts of IT.

I want a person who over-communicates during a crisis but also understands the importance of the brand, so that ‘spin’ is minimized and the attention is centred on ‘root cause’ analysis and not on covering one’s backside.

I’d also look for examples of leadership behaviour such as having the back of the team, so that they are not disturbed while the restoration and recovery efforts are being completed.

The Interview

When you do the interview, the other key question is who to bring onto the panel. The Head of IT Infrastructure and the Head of Digital Business would be two obvious candidates for me. But I’d also bring in the COO to have a really clear ‘voice of the business’; for me this is a great opportunity for the new CISO to get a balanced view of the impact and obligations of cyber security that apply to all components of the enterprise.

Good luck with the search. It is not going to be easy, as you want that special combination of Leader, Technologist and Networker who is able to both ‘see’ and ‘act’. Give these questions a try and let me know how you make out.

Stories by David Gee