2nd Interview for CISO role

Hi all! As the title says, I have a 2nd interview with a great company for their CISO role. To give some background, my first interview with the hiring manager went extremely well. I knew before I left that a second interview was going to happen.

Anyway, on to my question, my second interview is with the Director of IT. The hiring manager will not be present as they will be on vacation. Also, the Director of IT has just recently been hired within the past month. I already know, from the hiring manager, that the CISO will not be a technical role. Therefore, I'm having trouble trying to figure out how this interview could go. Why would a potential CISO be interviewed by a new IT Director? Could this interview just to be sure that I would be a good fit with a colleague? Or will the IT Director actually ask technical questions?

What do you think? Any advice is appreciated.

Thanks!

Find more posts tagged with

Comments

UnixGuy

I don't have experience with this, so I'm just gonna wish you a good luck.

If you share with us how you managed to go for such a position and what's your work history, a lot of us here would benefit from your experience

Danielm7

We just hired a new CISO, it was a newly created role for us. In our case, the IT director is below the CISO so he wasn't part of the interview process. The interviews were with HR, then the C levels of all the different businesses. He's more technical than all the people interviewing him so they worked more on planning, future vision / big picture sort of stuff. As with every company, the process is going to be different, they might ask technical questions or they might not. Are they not involving the CEO/CIO/etc in the interview process or is that a later stage? It seems like it would be odd to ask deeply technical questions unless it's a 50 person business and they're just giving titles that don't really match up with responsibility.

ITSec14

It was probably arranged so you can see how well you can work together. My company interviewed a few people for a CISO role and they had interviews with HR, the CIO, Directors of Software Development and Network Architecture, plus a few of us on the security team. The Director of IT can and probably will go into some technical questions as well. A CISO will be working with people on all levels of an organization, so they have to be able to communicate on all levels. Is the hiring manager a CIO or COO?

Best of luck!

gespenstern

CISO should report to either CEO or even better the board of directors or shared.

CISO is a shadow of this role if they report to CIO/IT director.

There's an inherent conflict of interests in this chain as CIO/IT director's main goal is availability, but introducing/hardening security controls has chances to break availability or make services less available.

The company that doesn't understand that is doomed to get breached eventually.

ITSec14

gespenstern wrote: »

CISO should report to either CEO or even better the board of directors or shared.

CISO is a shadow of this role if they report to CIO/IT director.

There's an inherent conflict of interests in this chain as CIO/IT director's main goal is availability, but introducing/hardening security controls has chances to break availability or make services less available.

The company that doesn't understand that is doomed to get breached eventually.

I'm kind of confused by this...security's job is to ensure Confidentiality, Integrity AND availability. How would this break availability? You don't just implement security controls without evaluating it's affect on the business. This is why change management exists. Security's job is to reduce risk to an acceptable level as determined by company leadership.

I mean, I know that a CISO typically reports to CEO and/or the board. I just don't understand the conflict itself I guess since security is supposed to be "everyone's job" these days.

Just a padawan trying to learn from someone more experienced than I

Moldygr33nb3an

ITSec14 wrote: »

I'm kind of confused by this...security's job is to ensure Confidentiality, Integrity AND availability. How would this break availability? You don't just implement security controls without evaluating it's affect on the business. This is why change management exists. Security's job is to reduce risk to an acceptable level as determined by company leadership.I mean, I know that a CISO typically reports to CEO and/or the board. I just don't understand the conflict itself I guess since security is supposed to be "everyone's job" these days. Just a padawan trying to learn from someone more experienced than I

The IT Director is trying to roll out a new piece of software by the announced deadline. The CISO is demanding the software go through a stringent code review prior to release. The conflict of interest is presented because the IT Director would rather put the software out on the deadline to create revenue and take a reactive approach if any problems should arise, while the CISO is wanting to take a proactive approach, thus affecting availability of the software to the client(s)/customer(s).Happens all the time. "Profiteers" don't like security personnel. It inhibits work-flow to a degree.

jam022316

ITSec14 wrote: »

I'm kind of confused by this...security's job is to ensure Confidentiality, Integrity AND availability. How would this break availability? You don't just implement security controls without evaluating it's affect on the business. This is why change management exists. Security's job is to reduce risk to an acceptable level as determined by company leadership.

I mean, I know that a CISO typically reports to CEO and/or the board. I just don't understand the conflict itself I guess since security is supposed to be "everyone's job" these days.

Just a padawan trying to learn from someone more experienced than I

In my experience he's right. My old CIO was so focused on operations and easiness for the end user that security was always an uphill battle. Security director would say "we need pre boot authentication", CIO would say no, users won't like having to put a password in when they first boot up. "We need to put in MFA", no that's too painful on our users. It can very quickly in the right environment become a vast conflict of interest where the CISO is just to appease a board, but if they don't have enough authority, they are worthless in their position.

ITSec14

Why not just train the developers on how to write secure code? That would be the true proactive approach.

But like I said, security's job is to reduce risk, not eliminate it. If a company is willing to accept that risk, then security has done it's job and the fault lies on senior management if a breach occurs. Isn't that the language of the CISSP exam? We're more of an "adviser" than a fixer.

infosec123

ITSec14 wrote: »

I'm kind of confused by this...security's job is to ensure Confidentiality, Integrity AND availability. How would this break availability?

Let me give you a simpler example. Say you have a mission critical application from a vendor that is no longer in business. This mission critical application is exposed to the public internet, needs as close to 100% uptime as possible, and has a number of known vulnerabilities that hackers could easily exploit. Because the vendor is no longer in business, you cannot fix these vulnerabilities. Also, migrating to a competitor's solution is cost prohibitive/ will cause significant downtime. The security part of you says holy crap take that offline right now, IT (and the rest of the business) says not gonna happen, we are just going to deal with it. One thing I can tell you is security is definitely not everyone's job these days. Even for those that do subscribe by that, they usually have no training and dont know what they dont know. Just be prepared to walk into a good size company and get handed an excel spreadsheet with all the admin usernames and passwords on it, happened to me many times.

infosec123

ITSec14 wrote: »

Why not just train the developers on how to write secure code? That would be the true proactive approach.

Much easier said than done. You have to remember developers have different skill set levels, plus are always constantly job hopping since they are in demand. Then you get the companies that offshore their software development, whooo boy..

ITSec14 wrote: »

If a company is willing to accept that risk, then security has done it's job and the fault lies on senior management if a breach occurs. Isn't that the language of the CISSP exam? We're more of an "adviser" than a fixer.

That is the language in the exam, doesnt mean its true in real life. Plus, you will be surprised at the number of companies that have any form of GRC program, let alone a proper GRC program.

ITSec14

infosec123 wrote: »

Much easier said than done. You have to remember developers have different skill set levels, plus are always constantly job hopping since they are in demand. Then you get the companies that offshore their software development, whooo boy..

That is the language in the exam, doesnt mean its true in real life. Plus, you will be surprised at the number of companies that have any form of GRC program, let alone a proper GRC program.

Thanks for the input! In my short time in security, I've found that it's a constant battle to get changes approved to enhance security. Either because of lack of management buy in or it would affect business functions. I'm sure every company is different in how they approach this stuff.

t93cobra

UnixGuy wrote: »

I don't have experience with this, so I'm just gonna wish you a good luck.

If you share with us how you managed to go for such a position and what's your work history, a lot of us here would benefit from your experience

The company recruiter actually found me and asked if I would be interested. I have almost 15 years experience in IS and am looking for this as my next career step.

t93cobra

I would be reporting to the Chief Risk Officer (CRO), whom reports directly to the CEO. In my job search, I'm avoiding the positions where IS reports to IT as I've seen the conflict firsthand. IT wants to support the business as efficiently as possible and roll out new software, etc. but they tend to overlook the security aspects in favor of this. Efficiency is good, but you need to make sure the product is secure. Otherwise, you'll have a lot more work to do later on.

Since the IT Director is new, they may not have a full grasp of all the systems in place. Therefore, I'm having some troubles coming up with questions for them in my interview. What would be some great questions for a potential CISO to ask the IT Director in an interview?

infosec123

Ask him, in his view, what roles does information security play with his department.

infosec123

ITSec14 wrote: »

Thanks for the input! In my short time in security, I've found that it's a constant battle to get changes approved to enhance security. Either because of lack of management buy in or it would affect business functions. I'm sure every company is different in how they approach this stuff.

Companies are different, but you eventually realize the struggle you face now is relatively common through many companies. Keep this in mind, being a good CISO or security person in general requires you to be a good sales person, because you are basically selling the threats and vulnerabilities you face to management in order to get approval/funding/whathaveyou. Brush up on those interpersonal skills, those will take you a heck of a lot father in the long run than any of those certs you plan on getting...

infosec123

Also, keep your personal appearance in mind. You can be the smartest person in the world, but keeping yourself clean shaven and wearing a suit will sadly get your farther in life than being smart.

ITSec14

infosec123 wrote: »

Companies are different, but you eventually realize the struggle you face now is relatively common through many companies. Keep this in mind, being a good CISO or security person in general requires you to be a good sales person, because you are basically selling the threats and vulnerabilities you face to management in order to get approval/funding/whathaveyou. Brush up on those interpersonal skills, those will take you a heck of a lot father in the long run than any of those certs you plan on getting...

I actually used to work as a bank manager so my interpersonal skills in that job have carried over pretty well to my career in IT. The certs I'm planning on getting are definitely to learn some things, but also to stay competitive in the job market. I think using every avenue I can to learn and grow will be important in my long term career.

ITSec14

t93cobra wrote: »

I would be reporting to the Chief Risk Officer (CRO), whom reports directly to the CEO. In my job search, I'm avoiding the positions where IS reports to IT as I've seen the conflict firsthand. IT wants to support the business as efficiently as possible and roll out new software, etc. but they tend to overlook the security aspects in favor of this. Efficiency is good, but you need to make sure the product is secure. Otherwise, you'll have a lot more work to do later on.

Since the IT Director is new, they may not have a full grasp of all the systems in place. Therefore, I'm having some troubles coming up with questions for them in my interview. What would be some great questions for a potential CISO to ask the IT Director in an interview?

I guess my situation is different, because our CIO is a HUGE proponent of security no matter what it takes. Every project/initiative in our quarterly meetings includes the security team in some way. It's actually working out pretty well and we have a healthy budget for the security team. Like I said before though, every company is different.

That's hard for me to answer since I've never worked in a management role in IT. If it were me, I would probably just keep it high level conversation. I tend to create questions in my mind as people interview me.

dhay13

What they are saying is right. IT's #1 priority is keeping everyone working where security strives for that but provisions have to be made to secure the network and often that can be counter-intuitive to production. This is where the conflict of interest comes into play. There has to be a balance that satisfies the business needs and often the two sides conflict.

As for secure coding, yeah... Kelly Handerhan asked in her CISSP videos, rhetorically of course, who has ever had a programming course that taught secure coding? Deadlines are made and must be met. Adding security delays the process. Ideally security would be built in but is usually duct taped on after the fact.

ITSec14

dhay13 wrote: »

What they are saying is right. IT's #1 priority is keeping everyone working where security strives for that but provisions have to be made to secure the network and often that can be counter-intuitive to production. This is where the conflict of interest comes into play. There has to be a balance that satisfies the business needs and often the two sides conflict.

As for secure coding, yeah... Kelly Handerhan asked in her CISSP videos, rhetorically of course, who has ever had a programming course that taught secure coding? Deadlines are made and must be met. Adding security delays the process. Ideally security would be built in but is usually duct taped on after the fact.

I guess I just have a different experience currently. When our CIO came in to the company, we were told that security will be key player in how we push forward. I mean, security can't always get its way (obviously), but where I'm at now there are a lot of proactive things being done which often does get in the way with production. I guess our management just doesn't want to take a chance on a breach by reducing our risk where we can, even if it delays projects. This probably varies based on type of industry too.

Btw, I've always been one to question why things are the way they are. I find it refreshing to challenge the status quo, no matter how much it might conflict with best practice.

t93cobra

Interview went very good. Thanks for your input everyone. The IT Director's last words were "looking forward to working with you." Let's hope he meant those words.

TeKniques

Congrats and best of luck! I was going to reply that most likely they wanted you to interview with the IT Director because you two would probably be working a lot with each other.

t93cobra

TeKniques wrote: »

Congrats and best of luck! I was going to reply that most likely they wanted you to interview with the IT Director because you two would probably be working a lot with each other.

My thoughts exactly. I have no doubt it was to see if we were a "fit" to work on projects together.

shimasensei

Best of luck! Thanks for the insight in the interview / hiring process for a C-level InfoSec position. I think a CISO role is a great career goal for many InfoSec professionals including myself. Just curious, is the company a SMB size or large corporate?

disip

Let us know how it goes!

t93cobra

shimasensei wrote: »

Best of luck! Thanks for the insight in the interview / hiring process for a C-level InfoSec position. I think a CISO role is a great career goal for many InfoSec professionals including myself. Just curious, is the company a SMB size or large corporate?

The company is privately owned. They have 1,000 employees and operate in 7 different states. They're expecting a lot of growth, 50% each year for the next 3 years. Not necessarily small, but definitely not a large corporation. I think this position will be great for me to start my CISO career.