Questions To Expect When Hiring A Chief Information Security Officer

High-profile security breaches in recent years have pushed organisations around the world to strengthen their IT security. A big part of that involves recruiting talent in this area, and that demand has driven the rise of the chief information security officer (CISO). The problem is that people skilled enough to fill the role are in short supply, so organisations are in fierce competition with each other to hire their own CISO.

When a company is interviewing CISO candidates, it’s just as much about selling the job to the interviewee as it is for the job applicant to impress the hiring managers. Kal Bittianda is a consultant at Egon Zehnder, the world’s largest privately-owned executive search and talent strategy company, and has a great deal of experience when it comes to hiring CISOs.

In a blog post on Security Roundtable, he listed some of the questions CISO candidates are likely to ask when evaluating a job opportunity. His goal is to give companies looking to hire a CISO insight into what a strong candidate will be weighing up.

“Who is my sponsor and how much influence does he or she have?”

According to Bittianda, this is likely to be the first question on the mind of every potential CISO. While a CISO will have regular interactions with the rest of the executive-level team, there will still be many conversations that affect the information security function that he or she is not looped into.

Having an effective supervisor who can advocate for resources and policy initiatives, and who educates the board and CEO on IT security issues on the CISO's behalf, is crucial, and the job applicant knows this. The CISO may also be required to take unpopular positions in order to strengthen the organisation's security, so having support in high places will help.

“How deep is the organization’s commitment to information security?”

What the candidate is trying to do here is get a sense of how much a company is willing to invest in information security and how committed the executive team is to keeping data and IT systems safe from threats.

Bittianda said:

For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy both in times of normalcy and crisis. Although the CISO expects organisations to have high standards, he or she will avoid enterprises that reflexively cycle through security teams.

“What key performance indicators will I be measured against?”

Organisations face waves of security threats every day, and no organisation can be 100 per cent secure, so the candidate will want to know how success is defined and how a breach on their watch would be judged.

Bittianda warned:

[I]t is not realistic for a company to hold its CISO to a “one strike and you’re out” performance benchmark. The conversation about expectations is just as important as the ones about resources, reporting lines, and compensation.

[Via Security Roundtable]