NEWS:
Menlo Security announces strategic partnership with Google
These are heady times for Chief Information Security Officers (CISOs), the hottest ticket in security careers today. Security leaders became the darlings of the pandemic, helping companies pivot — securely — to remote work, as well as grabbing the ear of top management and the board, thus earning them a seat at the table.
With so many vying for their services, CISO candidates could seemingly dispense with job interviews altogether — in person or online — and just waltz into their next positions.
But not so fast. Security positions at the CISO level are still competitive. And candidates want the right job in a landscape that, along with expectations, has changed dramatically in just two short years. A lot of the change, of course, began before the pandemic. The scope of the CISO job expanded immensely in 2018 and 2019, and a lot of that was driven by the adoption of the cloud as a standard architecture, by delivery mechanisms in larger companies with technical debt or infrastructure in need of upgrades, and by the growth of smaller, cloud-native companies.
CISOs now face nuances around governance and really understanding how to run a full-cycle governance program, whether in financial services, healthcare, industrial, or other sectors. And the size of the security team has grown. Large financial institutions were once the outliers with their 1,000-person security teams, but now it’s becoming much more common for a security organization within a company to include hundreds of workers. On top of that, teams have become more diverse, with a lot more program management in the mix and a shift in the level of communication needed between security and the rest of the organization, from top to bottom. The reason for this shift is because security touches everything — and everyone wants a CISO to stay on top of it. Cybersecurity Ventures predicted in 2017 that all Fortune 500 and Global 1000 companies would have a CISO by 2021, a prediction that has born out.
With so many “shiny objects” in the form of available CISO positions, and so many fellow CISOs vying to grab them, here are seven steps a CISO-in-waiting — or a current CISO looking for a new opportunity — can take to better prepare for a CISO interview and ensure that they not only land a job, but find the right fit in the right organization.
Security is hardly cookie cutter and CISOs should not show up at an interview ready to flash their talents without understanding the organization, what it wants from the position, and what is driving the company’s security strategy. They shouldn’t rely on a superficial Google search — or a cursory check on LinkedIn — to become familiar with a company’s security objectives and its security structure. Those who do won’t be able to address specific pain points and articulate an understanding that will advance a candidate to the next stage.
Since a lot can be determined about how a position may play out if the job candidate knows what drives a company’s security, a prospective CISO should find out whether the company recently suffered a high-profile attack a la Equifax. Or if the company has trouble tracking down a vulnerability, such as an instance of Log4Shell affecting Log4j. Or perhaps the pain points are more subtle, like when an organization falls under heavy regulatory scrutiny domestically or abroad and needs help navigating the different regulations and laws around data privacy and security. Still, even the best-prepared candidate may have to quickly figure out what problem a company really has, because they’re going to hear multiple different versions of it from different people during the interview process.
The human connection comes first. But just because pandemic interviews — particularly those via Zoom and Microsoft Teams calls — can seem more familiar and people are way more understanding about hearing children or pets in the background, candidates should resist the temptation to share too many personal stories during an interview. And CISO prospects should avoid letting the conversation stray too far from security topics.
But it is important to establish some sort of human connection. Zoom interviews do offer a huge advantage — there are fewer work distractions because both interviewer and interviewee are isolated and on center stage. Perhaps relate how a personal experience turned into a professional lesson learned.
The interview process can be long, drawn out, and sometimes intrusive. Candidates shouldn’t assume they understand the process based on past interviews.
It’s an easier, more effective process if CISO candidates know what to expect. Knowing how many people they will meet with and what their positions are is crucial. Do candidates need special tools or technology, or will they be formally quizzed on security issues? Understanding what the company’s interview process is can help the candidate meet an organization’s goals, reduce frustration, and even foreshadow whether an interview will be successful. Be sure to ask questions to get the answers you need to successfully prepare. Which leads to the next point…
Even confident CISOs can get it wrong, assuming they know everything or perhaps taking a one-size-fits-all approach to interviewing. Avoid coming across as a know-it-all or, just as bad, a bored interviewee.
Ask what the job includes beyond the official description, what day-to-day responsibilities include, what an average day (if there is such a thing) looks like, what kind of resources the company puts toward security, and whether security has top-down support. Ask away. Organizations like inquisitive candidates — curiosity shows interest in the position and the company.
All CISOs do a little of everything and many have talents across the security spectrum. But companies that expect a CISO to excel in everything may have unrealistic expectations and likely don’t know what they want, as well as have trouble prioritizing. It could be, too, that by seeking a jack-of-all-trades, they are not putting enough resources into security, expecting one person to wear many hats instead of building a strong, diverse team. Candidates that present themselves as a multifunctional Swiss Army knife often fail to showcase their strengths and set unrealistic expectations themselves.
Instead, highlight an amazing skill set in one or more areas of security and express a willingness and capability to grow in other important areas. CISO candidates should come with examples of how their particular skills won the day in a previous job and emphasize steps they’ve taken to grow and expand their talents and skills.
Most organizations, whether they know it or not, are not just looking for technical chops but also want CISOs with soft skills. Avoid reciting and relying on technical skills, and don’t use body language that may indicate inaccessibility.
CISOs who are exceptional at communicating tend to do better during the interview process. Come to an interview armed with specific examples of a recent challenge that required managing up, such as managing risk mitigation with a board-level discussion that required not just technical terminology but language around business risk, and being able to get that point across. Leading candidates know how to speak in all those tongues to succeed.
Don’t think that having skills and all the right answers is all that’s needed to nail an interview.
Many organizations believe in a presentation-style interviewing format, where a candidate is presented with a real-life scenario and an exercise or problem to solve — like a take-home assignment.
Come prepared to go over a solution with a subset of interviewers from different parts of the organization, each listening for a different thing. It’s typically “ten ears and one mouth,” followed by a Q&A. It will show the company how a CISO candidate unpacks a problem and peels away the onion, and the candidate sees how it would be to work with the organization’s security team. It’s valuable on both sides.
Going forward, CISOs will need to bend, flex, and really step up. They have the opportunity to enjoy incredible success, but they also need to grow pretty fast. Whatever organization they join, there won’t be much of a honeymoon period for them.
Recruiters spend a lot of time preparing both CISOs and companies so that the interview process is more successful and less painful for all involved — making a match more likely. But the burden of proof rests largely on the candidate. And there is one final piece of advice that CISO candidates should take to the interview: Know when to walk away.
Not every job — no matter how attractive the salary, benefits, or brand — is a good fit. In a world of shiny objects, there’s plenty of opportunity to grab the right one.
This article was written by Michael Piacente, managing partner and co-founder of Hitch Partners, a retained executive search firm concentrated on partnering with high growth technology companies on all things Information Security, Business Technology, Engineering & Product related hires. Michael will be diving into this topic with Menlo CISO Devin Ertel during an upcoming live discussion.
