By CIO Staff and Taylor Armerding, CSO
Oct. 25, 2016
The Chief Information Security Officer and CSO roles have evolved in recent years from a relatively narrow focus as "guardians of the data" to members of the C-suite who are expected to speak the language of business, participate in strategic planning and be perceived as business enablers rather than impediments. As such the CISO interview has evolved as well.
But how exactly has this requirement changed interviewing for the CISO or CSO role?
Almost a decade ago, one of CIO UK's sister titles in the US - CSO - spoke with several security executives about some of the most challenging questions they faced in a job interview - and while we have since updated and expanded on those the 2006 Top 10 security interview questions were as follows:
- What is your vision for our security organisation?
- How will you fit in with our corporate culture?
- Do you work well with others?
- What do you think about security convergence and its effect on our company?
- How do you sell security to other executives?
- How do you sell security to the company at large?
- Why are you leaving your current job?
- Are you willing to be accountable for security?
- Are you a risk-taker?
- What does this role mean to you?
A 2013 revisit of the question included the generic and incredibly trite - Why do you want this job, how do you collaborate and what questions do you have for me? - along with two worthy additions:
- How will you earn and keep your seat at the table with other senior executives?
- What are ways you've prioritised and shepherded information security projects through your previous organisation?
2015 Chief Information Security Officer interview questions
Two years on, CSO author Taylor Armending has come with a new set of questions relevant for 2015. Here are the new questions that a CISO canditate can expect:
- How will you confront the breach reality?
- How will you work with our CEO and board of directors?
- Have you, or would you ever consider, hiring an individual who has been known to be a hacker? If no, why, and if yes what would the benefits to our organisation be?
- How will you work with the business relative to new initiatives and new technology?
- How have you worked with and interacted with executive and business stakeholders to make security a strategic priority that translated to business value?
- How will you ensure that no one person in the organisation can take down a production environment?
- How do you keep up with the latest security issues and methods?
- Are you ready to be our cyber security spokesperson internally and externally?
Finally, it is not just an interview, but interviews, according to Eric Cowperthwaite, vice president of Advanced Security and Strategy at Core Security, who was previously CSO of a major healthcare organisation in the US.