The Chief Information Security Officer and Chief Security Officer roles have evolved in recent years from a relatively narrow focus as "guardians of the data" to members of the C-suite who are expected to speak the language of business, take part in strategic planning and be seen as business enablers rather than impediments. The CISO interview has evolved with them.
But how exactly has this requirement changed interviewing for the CISO or CSO role?
Almost a decade ago, one of CIO UK's sister titles in the US, CSO, asked several security executives about the most challenging questions they had faced in a job interview. We have since updated and expanded that list, but the 2006 top 10 security interview questions were as follows:
- What is your vision for our security organisation?
- How will you fit in with our corporate culture?
- Do you work well with others?
- What do you think about security convergence and its effect on our company?
- How do you sell security to other executives?
- How do you sell security to the company at large?
- Why are you leaving your current job?
- Are you willing to be accountable for security?
- Are you a risk-taker?
- What does this role mean to you?
A 2013 revisit of the list included the generic and incredibly trite standards (why do you want this job, how do you collaborate, and what questions do you have for me?) along with two worthy additions:
- How will you earn and keep your seat at the table with other senior executives?
- What are ways you've prioritised and shepherded information security projects through your previous organisation?
2015 Chief Information Security Officer interview questions
Two years on, CSO author Taylor Armerding has come up with a new set of questions relevant for 2015. Here are the new questions that a CISO candidate can expect:
- How will you confront the breach reality?
- How will you work with our CEO and board of directors?
- Have you, or would you ever consider, hiring an individual who has been known to be a hacker? If no, why, and if yes what would the benefits to our organisation be?
- How will you work with the business relative to new initiatives and new technology?
- How have you worked with and interacted with executive and business stakeholders to make security a strategic priority that translated to business value?
- How will you ensure that no one person in the organisation can take down a production environment?
- How do you keep up with the latest security issues and methods?
- Are you ready to be our cyber security spokesperson internally and externally?
Finally, it is not one interview but several, according to Eric Cowperthwaite, vice president of Advanced Security and Strategy at Core Security, who was previously CSO of a major healthcare organisation in the US.
"There are a dozen or so," Cowperthwaite said, which are likely to include, "recruiters, hiring executive, peers, direct reports and line of business executives.
"In most cases, candidates' knowledge of security is taken for granted, so their ability to fit the culture and lead the business are going to be the critical areas."
2016 Chief Information Security Officer interview questions
Raimund Genes, Chief Technology Officer at security vendor Trend Micro, added a question of his own. He believes it is the CISO's responsibility to influence vendors by refusing to accept design flaws that undermine security, and in doing so to proactively shape the market:
- How will you use your buying power to force vendors to deliver more secure systems or software?
Rick Orloff, Chief Security Officer at Code42, who is also the company's Chief Privacy Officer and a Vice President, offered his own questions for CISOs covering business strategy and stakeholder management. The former eBay CISO and Apple Senior Director of Information Security posed the following for CISOs in 2016:
- How do you balance the need for technical security solutions with the potential friction it can create in the business?
- How do you align the business with the need for security solutions?
- What is your approach to stakeholder management?
- How do you know if your security strategy and solutions are failing?
- How will you know if we have a breach or data leak?
- What is the process you will use to determine an overarching strategy and budgetary requirements?
- How can you help our business grow?
Chris Hodson, EMEA CISO at Zscaler, suggested that prospective CSOs and Chief Information Security Officers should be asked in a job interview about the Internet of Things, board engagement, security as a business enabler, and building a security culture:
- What specific threats do you see the Internet of Things bringing to our organisation?
- Do you agree with the rhetoric of "not if, but when" when dealing with a data breach? Is defence futile?
- Is cloud computing a security risk?
- Do we need to amend our traditional security architectures to deal with cloud and mobility?
- People say that "security has to be a business enabler". What does this mean and how do we achieve it?
- Cyber security is littered with technical jargon and esotericism. How do we convey risks to board members who are not necessarily security experts?
- Are security and privacy different? How, and which is more important?
- How do we educate our users?
- Has the erosion of trust on the internet impacted our means of employing security awareness?
- Is best-of-breed important?
- Can you explain to me what hyper-convergence is, in terms a CEO would understand?
- Is hyper-convergence a security blessing or a curse?