By: Shelby Welty
February 4, 2021
Unpacking the Interview: CISO
The Chief Information Security Officer (CISO) role is ever-changing. As noted by Tech Republic, 62 percent of companies now employ CISOs. Security Boulevard reports that these infosec professionals are now being tapped for both the hard skills of their security expertise and the soft skills required to create and communicate business-driven cybersecurity strategies to front-line staff and C-suites alike.
As a result, companies are willing to pay well for the right combination of skills and certifications; many CISOs now earn annual salaries between $150,000 and $200,000. And while there's still some confusion around exactly what CISOs are responsible for and where they fit in the C-suite, organizations can't ignore the growing need for infosec expertise in building agile, adaptive IT security environments.
For experienced IT pros looking to move from familiar security roles into a CISO career, however, landing the job takes more than a resume brimming with qualifications and glowing security skills assessments. Candidates also need to impress prospective colleagues and security staffers during the interview. Here's what to expect.
Calling All CISOs
Despite the increasing demand for CISO expertise, many companies still don't consider their security executives part of the core C-suite. That attitude is changing as attack vectors evolve and security strategy becomes inextricably linked to line-of-business outcomes. Consider the development of a robust incident response framework. C-suites have historically viewed the spending needed to support such an initiative as a necessary cost with minimal return. Better data capture and reporting now make it clear that an accurate, agile security program helps companies reduce downtime, minimize revenue loss, and protect corporate reputation.
As a result, the CISO career path is undergoing a similar transformation to ensure new hires have a combination of skills, experience, and strategic ability to align protective, privacy, and profit-driven priorities.
Question 1: What are the risks and rewards of cloud computing?
CISO interviews typically start with the basics: a review of current skill sets and qualifications, plus questions like the one above that ask candidates to weigh the benefits and drawbacks of a common IT solution.
Cloud computing offers a solid jumping-off point for CISO interview discussions thanks to its corporate ubiquity and the sheer variety of options now available. While there's no single "right" answer, it's worth noting that cloud security has evolved significantly over the past few years as providers look to limit the risk of losing customers. As a result, many cloud offerings now ship with security controls on par with (or better than) those of on-site corporate networks. Strong candidates will add the practitioner's caveat: the provider secures the underlying infrastructure, but the customer remains responsible for its own configuration, identities, access keys, and data. Cloud security is therefore best assessed case by case, accounting for workload use, data protection expectations, and overall cost.
Question 2: List some of the most important KPIs for measuring infosec effectiveness
Measuring security effectiveness is a critical task for CISOs. And while specific metrics will differ across companies and IT deployments, two factors are fundamental: performance and recovery.
From recovery time objectives (RTOs, how long a service may be unavailable before the business is harmed) and recovery point objectives (RPOs, how much data, measured in time, the business can afford to lose) to metrics around total downtime or specific performance issues experienced by front-line staff, expect this question as a way to assess "big picture" security thinking that combines incident data with end-user experience to deliver a cohesive, security-first culture.
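As an added illustration (not code from the article or its sources), the script below derives the recovery KPIs named above from incident records: actual recovery time versus the RTO, actual data loss versus the RPO, total downtime, and the percentage of incidents that met each objective. The targets, incident names, and timestamps are constructed for the example; a real program sets objectives per service and pulls timestamps from incident tickets and backup logs.

```python
"""Derive RTO/RPO attainment KPIs from incident records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed targets for this example; a real programme sets these per service.
RTO_TARGET = timedelta(hours=4)   # maximum tolerable time to restore service
RPO_TARGET = timedelta(hours=1)   # maximum tolerable data loss, measured in time


@dataclass(frozen=True)
class Incident:
    name: str
    outage_start: datetime             # when the service became unavailable
    last_good_restore_point: datetime  # newest backup or replica usable for recovery
    service_restored: datetime         # when the service was back for end users

    def __post_init__(self) -> None:
        # Reject impossible timelines instead of silently reporting negative KPIs.
        if self.service_restored < self.outage_start:
            raise ValueError(f"{self.name}: restored before the outage began")
        if self.last_good_restore_point > self.outage_start:
            raise ValueError(f"{self.name}: restore point is after the outage began")

    def actual_rto(self) -> timedelta:
        """Time the service was actually down."""
        return self.service_restored - self.outage_start

    def actual_rpo(self) -> timedelta:
        """Data actually lost, as the gap between the last good copy and the outage."""
        return self.outage_start - self.last_good_restore_point


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def evaluate(incidents, rto_target=RTO_TARGET, rpo_target=RPO_TARGET):
    """Per-incident attainment against the objectives."""
    rows = []
    for inc in incidents:
        rto, rpo = inc.actual_rto(), inc.actual_rpo()
        rows.append({
            "name": inc.name,
            "rto_hours": hours(rto),
            "rpo_hours": hours(rpo),
            "rto_met": rto <= rto_target,
            "rpo_met": rpo <= rpo_target,
        })
    return rows


def summarize(rows):
    """Board-level KPIs: attainment rates, total downtime, and the worst incident."""
    n = len(rows)
    if n == 0:  # no incidents in the period is a valid (and happy) result
        return {"incidents": 0, "rto_met_pct": None, "rpo_met_pct": None,
                "total_downtime_hours": 0.0, "worst_rto": None}
    return {
        "incidents": n,
        "rto_met_pct": round(100 * sum(r["rto_met"] for r in rows) / n, 1),
        "rpo_met_pct": round(100 * sum(r["rpo_met"] for r in rows) / n, 1),
        "total_downtime_hours": round(sum(r["rto_hours"] for r in rows), 2),
        "worst_rto": max(rows, key=lambda r: r["rto_hours"])["name"],
    }


# Constructed sample incidents (not real data).
SAMPLE_INCIDENTS = [
    Incident("ransomware-fileserver",
             datetime(2021, 2, 1, 2, 0), datetime(2021, 1, 31, 23, 0), datetime(2021, 2, 1, 8, 30)),
    Incident("dns-outage",
             datetime(2021, 2, 3, 14, 0), datetime(2021, 2, 3, 13, 45), datetime(2021, 2, 3, 15, 20)),
    Incident("vpn-cert-expiry",
             datetime(2021, 2, 6, 9, 0), datetime(2021, 2, 6, 9, 0), datetime(2021, 2, 6, 12, 0)),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_INCIDENTS):
        print(row)
    print(summarize(evaluate(SAMPLE_INCIDENTS)))
```

In the constructed data the ransomware incident misses both objectives (6.5 hours down against a 4-hour RTO, 3 hours of data lost against a 1-hour RPO), which is exactly the kind of finding a CISO would carry to the board as a business case for more frequent backups or faster failover rather than as raw timestamps.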
Question 3: What is hyperconvergence? How does it factor into infosec strategy?
CISOs bridge front-line IT staff and the C-suite, which makes communication a fundamental function of the position and requires CISOs to speak two different languages, one technical and one strategic. The first lets them communicate effectively with IT staff and ensure those teams have the information they need to take specific security action; the second lets CISOs reframe that same data as actionable insight for other corporate leaders.
In practice, this requires the ability to translate technical terms and concepts into plain-language counterparts for C-suite teams. Consider the example above, which asks a prospective candidate to explain hyperconvergence and its role in infosec strategy. In IT environments, hyperconverged infrastructure runs compute, storage, and networking as software under a hypervisor on clustered commercial off-the-shelf (COTS) servers, so capacity and performance are scaled by adding nodes to the cluster.
The problem? While straightforward for tech-savvy staff, that explanation isn't effective for C-suite teams. Instead, CISOs need to frame hyperconverged functions as line-of-business benefits: the ability to select and scale specific resources on demand offers the potential to reduce overspend without sacrificing security.
Navigating the New C-Suite
With remote work now the new normal for many businesses, C-suites must face the reality, and the risk, of long-term out-of-office operations.
As a result, skilled CISOs are more important than ever and are an increasingly critical component of C-suite strategy. For prospective CISOs looking to boost their career prospects as global IT environments evolve, substantive hands-on experience combined with in-demand certifications such as CISM or CRISC is just the beginning. CISOs must showcase hard- and soft-skill mastery across initial interview questions, in-depth assessment challenges, and the translation of technical detail for business audiences to secure their spot as infosec leaders in evolving organizations.