How to ace the CISO interview – be ready for the tough questions

Training and experience are mandatory just to be considered for top security jobs. But they aren’t enough.

Getting a top job in information security has never been as simple as having the required training and experience. Yes, those are mandatory, but the modern hiring process also includes personality evaluations to determine the so-called “XQ,” or whether a candidate would be a good “fit” for the position; background checks; and, yes, the personal interview.

It is generally the final stop before either a job offer or a perfunctory “thanks-for-your-interest” dismissal.

And as the roles of the CISO and CSO have evolved in recent years from a relatively narrow focus as “guardians of the data” to members of the C suite who are expected to speak the language of business, participate in strategic planning and be perceived as business enablers rather than impediments, the interview has evolved as well.

That means it is crucial to be prepared. And being prepared 10 years ago is not necessarily the same as being prepared today.

It was almost a decade ago, in 2006, that CSO spoke with several security executives about some of the most challenging questions they faced in a job interview.

At the time, these made the Top 10:

  • What is your vision for our security organization?
  • How will you fit in with our corporate culture?
  • Do you work well with others?
  • What do you think about security convergence and its effect on our company?
  • How do you sell security to other executives?
  • How do you sell security to the company at large?
  • Why are you leaving your current job?
  • Are you willing to be accountable for security?
  • Are you a risk-taker?
  • What does this role mean to you?

We revisited the topic in 2013, and while a number of the questions remained, since they are relatively timeless, there were some new ones, and some updated versions of the older ones.

Eric Cowperthwaite, now vice president of Advanced Security and Strategy at Core Security and at the time CSO of a major healthcare organization, had a somewhat different take on how well one works with others and fits into a corporate culture.

In this case it was about how well a candidate would work with specific “others” – the ones at his organization. And the candidate was required to “answer” the question through a meeting with the team he would be leading, before getting to an interview with Cowperthwaite.

“It doesn't matter how much I like you or how impressed I am by your skills. Show up and rub the team the wrong way, that's the end of the line,” he said at the time.

He also screened candidates with questions like, “Why do you want this job?” and “What questions do you have for me?” to get a sense of whether they were committed to the mission of the organization, or more focused on pay, benefits and checking off a box on their resumes.

Daniel Kennedy, Research Director for Information Security and Networking at TheInfoPro, a division of 451 Research, rephrased “How do you sell security to other executives?” as “How will you earn and keep your seat at the table with other senior executives?” a tacit acknowledgment that the CISO is now expected to be an active member of the C suite without overwhelming other executives with high-tech jargon.

He also wanted evidence of a successful track record, by asking, “What are ways you've prioritized and shepherded information security projects through your previous organization?”

So, are things different today? Perhaps not radically so, but as the position has evolved, so have the questions. Here are several that a CISO candidate can expect:

How will you confront the breach reality?

Cowperthwaite, in an interview this past week, said he wouldn’t change much about his questions from the past, but given the reality that “any and all organizations are likely to have been breached in some fashion, or be breached in the near future, I would want to spend some time talking with the candidate about how to deal with that.

“I’m not sure what the question looks like, though,” he said.

How will you work with our CEO and board of directors?

Rob Clyde, international vice president of ISACA (formerly the Information Systems Audit and Control Association) and managing director of Clyde Consulting LLC, said this question reflects the “elevation” of CISOs. The position, he said, “now often reports directly to the CEO or even in some cases to the board of directors,” rather than being one level removed by reporting to the CIO or another, more senior, executive.

And candidates need to be able to do more than scare top executives. They should be able to discuss things like incident response with “clear, practical, recommended actions,” he said.

Cowperthwaite agreed, noting that questions about functioning in the C suite, an executive track record and corporate culture are more important, and sophisticated, than ever.

“It is really crucial that candidates for CISO today be able to explain how they will become part of the company leadership,” he said. “Just as important, they are going to have to make clear that they are capable of interacting with the CEO and the board of directors.”

A track record means a history of executive experience: “They need to be prepared to lead a department, manage budgets, hire and fire, set strategy – all the things any other executive does,” he said.

Have you, or would you ever consider, hiring an individual who has been known to be a hacker? If no, why, and if yes what would the benefits to our organization be?

This, of course, presumes that a candidate has demonstrated a move from the black-hat to the white-hat side of the hacking world.

How will you work with the business relative to new initiatives and new technology?

This falls under “enabling, rather than inhibiting, the business.” As Clyde put it, the CISO specifically, and the IT department in general, tend to be viewed as “the group that says ‘no,’ blocking or making it difficult to innovate, implement new technology or adopt new ways of doing business.”

Obviously, it is the CISO’s job to point out risks and to reduce vulnerabilities. But superior candidates, Clyde said, “will explain and give examples of how they were able to figure out secure ways to enable new methods of doing business that improved the competitive posture of the organization.”

How have you worked with and interacted with executive and business stakeholders to make security a strategic priority that translated to business value?

Pamela Fusco, an adviser to the Information Systems Security Association, said this question illustrates the evolution of the CISO role from a focus on technology to, “more of a, ‘how do you integrate technology and engineering teams? How do you go about engaging and gaining support from corporate business stakeholders and leaders?’”

How will you ensure that no one person in the organization can take down a production environment?

Given virtualization, cloud and software defined data centers, “individual administrators now have more power than ever, including the ability to copy, move or delete thousands of virtual machines in moments,” Clyde said.

So CISO candidates need to be able to explain how they can use “secondary approvals, workflows, audit logs, and other controls to ensure that a single individual can’t put the entire production environment at risk,” he said.
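As an added illustration of the controls Clyde lists (this is example code written for this page, not from the article, Clyde, or any product), the script below gates a bulk VM deletion behind three checks: a blast-radius threshold that forces a secondary approval, a workflow rule that the approver must be a different person from the requester, and an append-only, hash-chained audit log that records every decision so an administrator can neither act alone nor quietly edit the record afterwards. The threshold, account names and 50-VM inventory are constructed for the demonstration.

```python
"""Dual-control gate for destructive production changes (added example).

A change request must clear three controls before it touches inventory:
  1. blast-radius threshold  -> large deletes require a second approver
  2. separation of duties    -> the approver cannot be the requester
  3. hash-chained audit log  -> every decision is recorded; tampering with
                                an earlier entry is detectable
All names, thresholds and sample data below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Hypothetical policy: deleting more than this many VMs needs a second person.
APPROVAL_THRESHOLD = 10
GENESIS = "0" * 64


class PolicyViolation(Exception):
    """Raised when a request fails a separation-of-duties control."""


@dataclass
class AuditLog:
    """Append-only log; each hash covers the previous hash plus the event,
    so editing or dropping an earlier entry makes verify() fail."""
    entries: List[dict] = field(default_factory=list)

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def record(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = self._digest(prev, event)
        self.entries.append({"event": event, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True


@dataclass
class ChangeRequest:
    requester: str
    action: str                 # e.g. "delete"
    targets: List[str]          # VM names
    approver: Optional[str] = None

    def needs_second_approval(self) -> bool:
        return self.action == "delete" and len(self.targets) > APPROVAL_THRESHOLD


def execute(req: ChangeRequest, inventory: Set[str], log: AuditLog) -> int:
    """Apply req to inventory if the controls pass; return number of VMs removed.
    Every outcome, including a denial, is written to the audit log."""
    base = {"requester": req.requester, "action": req.action,
            "count": len(req.targets), "approver": req.approver}
    if req.needs_second_approval():
        if req.approver is None:
            log.record(dict(base, result="denied", reason="secondary approval required"))
            raise PolicyViolation("secondary approval required")
        if req.approver == req.requester:
            log.record(dict(base, result="denied", reason="self-approval forbidden"))
            raise PolicyViolation("requester may not approve their own change")
    removed = [vm for vm in req.targets if vm in inventory]
    inventory.difference_update(removed)
    log.record(dict(base, result="applied", removed=len(removed)))
    return len(removed)


def demo() -> dict:
    """Constructed scenario: a 50-VM estate and one admin attempting a mass delete."""
    inventory = {f"prod-vm-{i:02d}" for i in range(50)}
    log = AuditLog()
    big = [f"prod-vm-{i:02d}" for i in range(20)]
    outcomes = {}
    for approver in (None, "alice", "bob"):          # no approver, self, peer
        try:
            n = execute(ChangeRequest("alice", "delete", big, approver), inventory, log)
            outcomes[str(approver)] = f"applied ({n} removed)"
        except PolicyViolation as exc:
            outcomes[str(approver)] = f"denied: {exc}"
    # A single-VM delete stays within one admin's authority.
    execute(ChangeRequest("alice", "delete", ["prod-vm-49"], None), inventory, log)
    outcomes["remaining"] = len(inventory)
    outcomes["log_intact"] = log.verify()
    # Rewriting an earlier denial as "applied" breaks the chain.
    log.entries[0]["event"]["result"] = "applied"
    outcomes["log_after_tamper"] = log.verify()
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real estate the approval would come from a ticketing or change-management system and the log would be shipped to storage the administrators cannot write to; the point of the example is the shape of the control, not the storage. Note that the threshold check alone is not enough: without the self-approval rule, one person holding two accounts could still satisfy it.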

How do you keep up with the latest security issues and methods?

Candidates should be able to comment on their recent reading, networking, and their membership in professional associations and forums, “to maintain their edge,” Clyde said, noting that one credential he would look for is ISACA’s Certified Information Security Manager (CISM). In other words, evolution must be ongoing.

Fusco said a good security professional will seek out “affiliations and consortiums” to keep current.

Are you ready to be our cyber security spokesperson internally and externally?

Superior candidates should be prepared to be one of the public faces of the company. It will help, Clyde said, if they can demonstrate, “how they have used their public speaking and public relations abilities to improve the perception of their organization’s information security posture and capabilities.”

Finally, it is not just an interview, but interviews. “There are a dozen or so,” Cowperthwaite said, which are likely to include “recruiters, hiring executive, peers, direct reports and line of business executives.

“In most cases, candidates’ knowledge of security is taken for granted, so their ability to fit the culture and lead the business are going to be the critical areas,” he said.

By Taylor Armerding