2nd Interview for CISO role

Hi all! As the title says, I have a 2nd interview with a great company for their CISO role. To give some background, my first interview with the hiring manager went extremely well. I knew before I left that a second interview was going to happen.
Anyway, on to my question: my second interview is with the Director of IT. The hiring manager will not be present as they will be on vacation. Also, the Director of IT has just recently been hired within the past month. I already know, from the hiring manager, that the CISO will not be a technical role. Therefore, I'm having trouble trying to figure out how this interview could go. Why would a potential CISO be interviewed by a new IT Director? Could this interview just be to make sure that I would be a good fit with a colleague? Or will the IT Director actually ask technical questions?
What do you think? Any advice is appreciated.
Thanks!
Comments
If you share with us how you managed to go for such a position and what your work history is, a lot of us here would benefit from your experience.
Best of luck!
CISO is a shadow of this role if they report to CIO/IT director.
There's an inherent conflict of interests in this chain as CIO/IT director's main goal is availability, but introducing/hardening security controls has chances to break availability or make services less available.
The company that doesn't understand that is doomed to get breached eventually.
I'm kind of confused by this... security's job is to ensure Confidentiality, Integrity AND Availability. How would this break availability? You don't just implement security controls without evaluating their effect on the business. This is why change management exists. Security's job is to reduce risk to an acceptable level as determined by company leadership.
I mean, I know that a CISO typically reports to CEO and/or the board. I just don't understand the conflict itself I guess since security is supposed to be "everyone's job" these days.
Just a padawan trying to learn from someone more experienced than I
Next: CCNP (R&S and Sec)
Follow my OSCP Thread!
In my experience he's right. My old CIO was so focused on operations and ease of use for the end user that security was always an uphill battle. The security director would say "we need pre-boot authentication", the CIO would say no, users won't like having to put a password in when they first boot up. "We need to put in MFA", no, that's too painful for our users. It can very quickly, in the right environment, become a vast conflict of interest where the CISO is just there to appease a board, but if they don't have enough authority, they are worthless in their position.
But like I said, security's job is to reduce risk, not eliminate it. If a company is willing to accept that risk, then security has done its job and the fault lies with senior management if a breach occurs. Isn't that the language of the CISSP exam? We're more of an "adviser" than a fixer.
Let me give you a simpler example. Say you have a mission-critical application from a vendor that is no longer in business. This mission-critical application is exposed to the public internet, needs as close to 100% uptime as possible, and has a number of known vulnerabilities that hackers could easily exploit. Because the vendor is no longer in business, you cannot fix these vulnerabilities. Also, migrating to a competitor's solution is cost prohibitive / will cause significant downtime. The security part of you says holy crap, take that offline right now; IT (and the rest of the business) says not gonna happen, we are just going to deal with it. One thing I can tell you is security is definitely not everyone's job these days. Even those that do subscribe to that usually have no training and don't know what they don't know. Just be prepared to walk into a good-size company and get handed an Excel spreadsheet with all the admin usernames and passwords on it; happened to me many times.
Much easier said than done. You have to remember developers have different skill set levels, plus they are constantly job hopping since they are in demand. Then you get the companies that offshore their software development, whooo boy...
That is the language in the exam; doesn't mean it's true in real life. Plus, you will be surprised at the number of companies that have any form of GRC program, let alone a proper GRC program.
Thanks for the input! In my short time in security, I've found that it's a constant battle to get changes approved to enhance security, either because of a lack of management buy-in or because it would affect business functions. I'm sure every company is different in how they approach this stuff.
The company recruiter actually found me and asked if I would be interested. I have almost 15 years experience in IS and am looking for this as my next career step.
Since the IT Director is new, they may not have a full grasp of all the systems in place. Therefore, I'm having some trouble coming up with questions for them in my interview. What would be some great questions for a potential CISO to ask the IT Director in an interview?
Companies are different, but you eventually realize the struggle you face now is relatively common across many companies. Keep this in mind: being a good CISO, or security person in general, requires you to be a good salesperson, because you are basically selling the threats and vulnerabilities you face to management in order to get approval/funding/what have you. Brush up on those interpersonal skills; those will take you a heck of a lot farther in the long run than any of those certs you plan on getting...
I actually used to work as a bank manager so my interpersonal skills in that job have carried over pretty well to my career in IT. The certs I'm planning on getting are definitely to learn some things, but also to stay competitive in the job market. I think using every avenue I can to learn and grow will be important in my long term career.
I guess my situation is different, because our CIO is a HUGE proponent of security no matter what it takes. Every project/initiative in our quarterly meetings includes the security team in some way. It's actually working out pretty well and we have a healthy budget for the security team. Like I said before though, every company is different.
That's hard for me to answer since I've never worked in a management role in IT. If it were me, I would probably just keep it a high-level conversation. I tend to create questions in my mind as people interview me.
As for secure coding, yeah... Kelly Handerhan asked in her CISSP videos, rhetorically of course, who has ever had a programming course that taught secure coding? Deadlines are made and must be met. Adding security delays the process. Ideally security would be built in but is usually duct taped on after the fact.
I guess I just have a different experience currently. When our CIO came in to the company, we were told that security will be a key player in how we push forward. I mean, security can't always get its way (obviously), but where I'm at now there are a lot of proactive things being done which often do get in the way of production. I guess our management just doesn't want to take a chance on a breach, so we reduce our risk where we can, even if it delays projects. This probably varies based on the type of industry too.
Btw, I've always been one to question why things are the way they are. I find it refreshing to challenge the status quo, no matter how much it might conflict with best practice.
My thoughts exactly. I have no doubt it was to see if we were a "fit" to work on projects together.
Future Plans: MSc + PMP, CCIE/NPx, GIAC...
The company is privately owned. They have 1,000 employees and operate in 7 different states. They're expecting a lot of growth, 50% each year for the next 3 years. Not necessarily small, but definitely not a large corporation. I think this position will be great for me to start my CISO career.