This is the second of two posts about interviews (the first post is here). In this one I’ll focus on interviewing candidates and the main attributes to look for when selecting potential security leaders - at any level. Both posts are general tips rather than very specific points about interviewing for particular skills or roles. For tips on deep technical interviews, coding skills tests and other types of assessments, take a look at the many great articles already out there.
Assuming a candidate has passed those necessary skills tests, you need to assess the intrinsic aptitudes and attitudes that are essential for great security leaders. I’ve found these 10 are the most important. You will all likely have strong views on what your versions of these are, some of which I might not have thought to include. This is a long list of possible questions. Naturally, you will need to choose where to focus and which subset of questions to actually use in an interview or other selection process.
1. Curiosity
Much of risk management, including cybersecurity, is about seeing around corners. It means asking what comes after what comes next: what are the second-order effects, and will they be a risk to manage or an opportunity to seize? Curiosity might well be the biggest marker for security leadership talent - if only because it triggers or amplifies everything else.
Questions to ask / attributes to look for:
Run through the challenges of the role and wider organization and invite questions. Assess whether the candidate looks at the root cause of the root cause. For example, “We're currently focused on increasing the percentage of our code base that is subject to code security analysis, any advice?” The depth to which the candidate seeks to probe is a good marker.
Assess, in turn, whether the candidate asks good questions that evidence either natural curiosity or the commitment of having researched your organization well.
Ask questions that assess whether they know topics at more than a surface level, which, again, is a signal that they have the curiosity to find out how things work more deeply. For example, “Why are network and memory bandwidth also important in AI training, in addition to pure processing power?”, “How hard will PQC adoption be?”, “Is ‘secure by design’ practical to mandate or even regulate in commercial software?”, “Are SBOMs enough to mitigate software lifecycle risk?”
Examine if the candidate is involved in any professional bodies, industry associations or research work that would not only indicate a professional curiosity but also a regular exposure to more advanced topics than they may typically encounter in their current role.
Look to see if the candidate has a variety of experience from different industries, geographies, technologies, and roles. In my experience, while not all people who check these boxes have high curiosity, there’s usually a strong correlation.
2. Influence
Even if you work in an organization that is intrinsically determined to do security well there will still be some trade-offs. That’s life when you’re dealing with competing demands and finite resources. Influencing outcomes is, therefore, another main success attribute for the security leader.
Questions to ask / attributes to look for:
Ask the candidate to explain the extent to which their “role power” (i.e. a current or prior position of authority) has been the source of their influence. By the way, don’t believe it if they say it hasn’t been a factor. That just means they don’t understand the extent to which it has, or they’re not being honest. We all get a degree of influence through role power.
So, ask the candidate to discuss how they influence directly or build networks of influence over time. The key thing you are looking for is whether this person can only get by on role power vs. other forms of influence. One of the red flags, for me, is people who think the CISO role should only ever report to the CEO irrespective of the organization type. This means they think purely in terms of role power as the only means to get things done. To be fair, in the organizations they’ve worked in, that might be true, but there are many organizations in which role power as a source of influence is temporarily useful at best. There’s only so much political capital even the CEO or Board is willing to spend if the security leader can’t get things done on their own.
Look for what roles the candidate thinks are their most important internal relationships. Use this as a means of assessing how they think about building the relationships that drive influence. Discover, similarly, who their broader network of external stakeholders and partners are and what those relationships are like, including how the candidate has nurtured both sets. External stakeholders and partners might include auditors, regulators, key suppliers and trade associations.
Have the candidate describe a plan of action to advocate for significant change or investment - have them give examples of success, failure and consequent course correction. Most resources (in the security team and beyond) are accumulated incrementally not in large bursts, so ask how they think about managing and redirecting that as priorities change.
Finally, have the candidate explain what they’d do in their first 90 days in the role and then the next 180 days. Here you are looking for evidence that they’d think about influence building (vs. going to the Board on Day 5 and asking to be made dictator for life with an infinite budget). The key reason for the 90 day vs. 180 day discussion point is to see if they understand that the conventional wisdom of getting a lot done in 90 days is not usually that useful. Aside from some massively obvious quick wins, we’re all pretty dangerous in the first 90 days until we’ve learnt the environment.
3. Moral Courage and Calmness
Most executive roles in any field require some occasional vigorous debate. Most risk or Professional Engineering (capitalization deliberate) roles at any level require some “standing of ground” on matters of policy, standards, accepted practice, risk appetite or other conditions. Doing this in a calm and methodical way and speaking truth to power is vital.
Questions to ask / attributes to look for:
Ask for examples where the candidate has held their position on vital matters against a groundswell of different opinion.
Ask for, and discuss, some examples of where they felt uncomfortable in a situation and how they’ve, over their career, got comfortable with being uncomfortable.
Ask for examples of how they deal with conflict and subsequently repair relationships and what this has taught them about relationship building to reduce the need for overt conflict when having difficult conversations.
Have the candidate take you through examples of what they’ve learnt in crisis or incident management situations and what they’ve learnt from others. No-one, repeat no-one, has managed all their crises, incidents and other events in a perfect way. There’s learning in all of them, and if the candidate can’t be honest about what they’ve learnt along the way then they’ve not really done the things. For example, one of my failings in incident management early in my career was being too passive in managing executive and Board participation in crisis management calls. They would join the calls at random and ask for updates, slowing the process down and setting things back. I initially tolerated this. What I learnt to do, and then did rigorously over time, was to have separate incident “rooms” for exec and Board comms vs. the operations of the call and, for joint calls, a “waiting room” where people could join and a designated comms person would bring them up to speed before they joined the main call.
Further, discuss with the candidate times when they disagreed with a decision that was ultimately reasonable: how did they still commit and execute, or develop an alternative path? How did they determine what was reasonable (even if they disagreed) vs. what was something they decided to stand their ground on? Assess how they develop protocols, governance apparatus and other techniques to make this less of a personal stand and more of a formal risk management approach.
4. Persistence
Every experienced security leader will tell you the secret to most of their success is never giving up. Yes, some great work is a first-shot pitch to get something done, but most is incremental over multiple quarters (or years) of effort. What people might not say during that awesome RSA or BlackHat presentation about how great their new security posture has become is how much relentless grind they had to put in to get there.
Questions to ask / attributes to look for:
Ask for the best examples of where they decided something needed to be done and relentlessly pushed for it. Did they change their tactics along the way?
Inquire how they have maintained personal morale and that of their team in the face of the need to be persistent over long periods.
See if the candidate has moved roles very quickly (e.g. in under 12 months) and ask what that says about them or their organization in relation to not being persistent. I’m not judging here, there might be very good reasons for leaving early, but in many cases some failures would have been successes with a bit more persistence. Here, you’re looking for the grit needed for the role.
What techniques has the candidate used to seize opportunities? Some good examples here are when people maintain a portfolio of “shovel-ready” projects to get going on in the event of a crisis-driven (hopefully external to the organization) opportunity to clinch the commitment. Over many years some of the best things some of my teams got done were triggered this way. Never let a crisis (ideally someone else’s crisis) go to waste.
Finally, ask the candidate, who in their organization or elsewhere do they look up to or see as emblematic of showing long term persistence in driving transformational change?
5. Collaboration
No security team can do anything alone. All security improvement requires collaboration with other teams to get to the right outcome. Indeed, optimal security is about deeply integrating security into the fabric of the organization’s infrastructure, processes and teams to achieve ambient control. This collaboration is not some abstract concept - collaboration is about how people work with each other. And it’s not just confined within the organization. Increasingly, good security means collaborating outward with customers and partners and with suppliers and beyond.
Questions to ask / attributes to look for:
Everyone will say they’re highly collaborative and good to work with. So you have to assess how they collaborate to really gauge this. For example, ask what specific techniques and processes they use to build and sustain high quality collaboration between teams - is it interpersonal relationships between leaders only, more formal constructs like risk councils, regular stand-up style risk discussions, internal provision of tools, etc.?
One big test of collaboration is how much the security team is invested in the success of the organization overall and, therefore, in the success of other teams that contribute to that. So, ask questions about how the candidate in their prior roles has positioned their team to do this. What tools, services or other approaches worked or didn’t work?
Similarly, collaboration is not just leader to leader it’s team to team, so ask about how they put in place the means to ensure their team at all levels behaves collaboratively. Ask, where did this break down (because it always does) and what did they do to address that?
Effective cross-organization collaboration is often heavily influenced by culture and structure. For example, how promotions and performance evaluations work affects how well teams collaborate. If the incentives for intra-team work exceed those for inter-team work then collaboration will be harmed. It takes some leadership acumen to see this, even more so to deal with it. Ask how the candidate has observed this and what they did about it. It’s ok for them to admit they’ve failed (having tried). Many of us have tilted, and continue to tilt, at the various windmills of our HR and corporate policies, financial management, cross-project cost allocations and the myriad other entrenched structural issues. Some we win, some we lose, most we work around. That’s ok. You need to see if the candidate knows how to deal with this at the scale of your organization.
A big part of collaboration is with customers, vendors and other external partners. So explicitly focus on that. I’ve often found asking around the vendor community what people think of a certain candidate is useful. If they have a track record of being a bit of a bully with vendors or difficult to deal with in industry groups, or entirely self-serving in other forums then that’s likely their true nature despite the impression they may try to build to the contrary.
6. Critical and Logical Thinking
Security is a complex topic. Clear thinking is vital - to cut through the interdependencies, priorities, and paths to implement controls, in conjunction with other projects and requirements. Finding evidence of a candidate's ability to think logically, express themselves clearly and prioritize the most important or highest leverage controls is crucial. Make sure candidates understand the difference between the tactical and the strategic and let neither overwhelm the other.
Questions to ask / attributes to look for:
Assess the candidate's ability to understand 80/20 opportunities. Ask for examples where they’ve been able to cut through a set of risks and see which controls offer the highest leverage.
Press the candidate on the different ways they can identify system-wide leverage points - is it what can have the biggest deployment spread first, the approach that wins the most “hearts and minds”, or that which pays down the most specific risk for the most critical assets? Each can have different rationales to prioritize in different contexts.
Seek evidence, by example, of situations where the candidate has taken a complex situation and broken it down into components that are more easily tackled, supported and explained.
In conjunction with assessing communication skills, also look for how wide ranging risk programs are communicated simply and clearly - recognizing that some complex subjects shouldn’t be dumbed down - but can still be made accessible even to non-technical audiences.
Give the candidate a few specific examples of your current or past challenges and ask them how they would tackle them. As part of doing this, look for their ability to think about all sides of the problem as opposed to just linearly charging at it. For example, a good one to ask is how to tackle supply chain risk assessments. If their only answer is to find all vendors, assess them all, rank their criticality and then work like crazy to get them to remediate issues, then that might be a red flag compared to a candidate who also enumerates other possibilities: reducing the number of vendors, desensitizing vendors’ access and data so they are less critical, through to providing them with solutions to more easily address control deficiencies.
7. Broad Technical Understanding
Security leaders need to understand technology. That’s it. Yes, security leaders need to understand their business and be a solid commercially minded executive or mission leader but, the last time I checked, our world is digitized and controls (at least the good ones) are inherently digital. Now, it’s not necessary for a CISO or other security leader to have absolutely current engineering skills such that they can personally implement or configure something, but being able to converse with and influence other technical leaders and staff is important.
Questions to ask / attributes to look for:
The simplest question might be the obvious one, and linked to your other assessment of their degree of curiosity about the world. Ask how they keep up to date, what they read, whether they tinker with stuff at home, and, when some new technology emerges, how they determine what to think about it and how they at least get some passing familiarity with it.
Assess how the candidate understands the inter-linkages between different technologies, architectural patterns and trends. Have them describe for their current organization what some current trade-offs are between old and new approaches and why the new approach has more utility.
Another good way to get at this is to ask some questions about how they think an IT architect reasons about data architecture, the degree of data and processing distribution, transaction management and performance, software design, the means of ensuring consistency between teams and so on. Then, naturally, ask how security might interfere or support such goals.
It’s useful to ask some actual technical questions that require thinking at some level of abstraction so you can assess their adaptability and see how deep they can go (with no problem if it’s not that deep, it just reveals the depth). For example, a good (if somewhat well trodden) question is to ask: “Explain as deep as you can go how a smart phone securely retrieves a web page.”
Finally, another useful test is to assess the candidate’s historical knowledge of security and the different generations of technical controls that have existed and continue to be refactored. This is another test of their curiosity but it can also reveal how much thought they put into the fact that most controls stay the same from a principle level - we just keep figuring out ways to (re-)implement them in new contexts.
8. Organization-Specific Culture Assessment
You want some degree of cultural compatibility with your organization and perhaps also specifically for your particular team (although these should be very similar). At least you want to make sure there is no significant incompatibility. The level of compatibility is a function of the seniority of the position (i.e. how big the culture clash blast radius would be) and possibly the assessment of how adaptable the candidate is.
Questions to ask / attributes to look for:
You need to self-assess what your organization’s culture is first and what the most important parts of it are. For example, if your culture prizes collaboration and teamwork then clearly look for evidence of that. If you’re a hard-charging, take-the-hill-at-any-cost organization then look for that. But be honest about what that culture really is vs. what is written in the organization’s mission statement. Hopefully they align but, sadly, for many organizations they don’t. It’s helpful here if your organization has a process to assess candidates against defined rubrics and has interviewers who specialize in those assessments. Trust the process.
Perhaps for certain roles you need a leader who will change the culture. Perhaps it’s to move security from a “department of no” to a supportive enabler. It might be to decentralize security to better equip engineering teams with more inherent security ability. Whatever the goal, ask the candidate to provide some examples, and ideally references, of when they’ve done this.
In many cases, either preserving or adapting cultures is about sensing what the culture is and what is needed at what time - and then when to get out of the way. Sometimes you want a leader who will come in and break things and put them back together in the right way. That leader might not then be the right person to sustain and fine tune the new structure. Again, by seeking examples from their past, test if they understand when and where to do this.
Look for what your non-negotiables are - not just for the organization overall but for you personally if the person you're interviewing will come and work for you. I think for most people assessing the degree to which the candidate can subjugate their ego is important. So, ask how they cope with perceived losses (do they chalk it up to experience or does it dent their self-perception), how do they give their team credit? If they have an external presence (conferences, blogs, etc.) then look at whether that is approached as self-brand building or genuine contribution. You can often clearly tell who the narcissists are. People often tell you in their public work who they really are - listen to it.
Finally, look for what the candidate's personal motivations are. What drives this particular candidate to do what they are doing or seeking to do? If they say it’s about making the world a better place then look for what evidence there is to corroborate that and what sacrifices they have made to achieve that.
9. Strategic Mindset
The more senior a leadership role is the more strategic their outlook needs to be. For sure, leaders need to be master tacticians and seize immediate opportunities - there’s nothing more annoying and risky for organizations than leaders who are always looking 3 years out when there are fires all around them today. But, yes, having a long term strategy (not necessarily a detailed long term plan) is important.
Questions to ask / attributes to look for:
Ask people what their vision of the future is. This is mainly to see how curious and thoughtful they are - but don’t dismiss them if their answer isn’t aligned with yours (unless it’s batshit crazy) as you, like all of us, are surely wrong in some respect when thinking about the future.
To that point, the real test is asking how they develop strategies, how they question assumptions and do scenario planning. What’s the process they use? How do they check it? How do they look for negative signals that would cause the current strategy to be questioned? How do they deal with the situation when reality goes against the strategic outlook? How do they know when to stay the course vs. course correct?
Look for examples of how and when they’ve operated under constraints. Strategy is easy if you assume no constraints. It’s constraints (business climate, macro economics, budget limitations, opportunity costs, regulatory headwinds) that provide a true test of strategic thinking.
Another, perhaps obvious, question is how they develop and align their strategy to the overall business strategy. Ask whether they have ever encountered a situation where the business strategy was in conflict with the security strategy and how security (or even the business) was adjusted as a result. That point might go against the ethos that it’s security’s job to make it work no matter what. However, I’ve worked in and seen multiple organizations where the security team has successfully convinced others that certain business strategies were not going to be viable - either because of intrinsic security issues or, more usually, because the cost of effective risk mitigation outweighed the profitability goals of that particular product. Now, the great strategic test, when this happens, is whether the security leader plots a course to reduce the limitations of the security risk mitigations such that, in the medium term, that business line can be all systems go.
Finally, ask the candidate to go deeper on the mega-trends in their world or business context and how they think those might apply to your organization. Here you are looking for evidence of deeper thinking about how security contributes to, or seeks opportunity from, those macro conditions. For example, if an organization’s strategy is based on reducing marginal costs for certain product lines and that’s not part of the security team’s strategy, then it’s inevitable that security as a percentage of overall product cost will keep rising. If an organization’s strategy is based on cross-selling products and services and getting a flywheel going between business lines, then it’s a problem if security hasn’t worked to make identification, authentication and authorization across those channels seamless. This isn’t just about not being an obstacle, it’s also about seeking opportunities. For example, if the organization or a business unit is modernizing its technology stack and the security team isn’t in there to embed security, then there’s a lost opportunity. So, a candidate should be able to talk in depth and passionately about how they’ve avoided being battered by macro headwinds and taken advantage of structural tailwinds in their environment.
10. Team Building
No matter how big the leadership role, you need team builders - builders of the team they will be leading, changing and growing, but also of the wider organizational team they are a part of. Leaders have got to love their teams and the apparatus of team building.
Questions to ask / attributes to look for:
How does the candidate build and motivate teams? Literally, what are the mechanics they use - what has worked and what has not? Team meetings, summits, 1:1s, training, other structures. Great teams don’t arise from magical intuition, they come from doing stuff. What’s the stuff this leader has done, and how do they know what and when to adapt to the situation and the team they have?
How do they balance teams - the essence of most teams is that not all people are equivalently expert or skilled but rather the combination of all their abilities is more than the sum of its parts. I like to test people on how they approach balance, for example, the rule of thirds or other techniques. How do they manage to get all types of teams to work for the greater mission? Do they build diverse teams - not just for diversity’s sake (important though that is) but for the ultimate goal that diverse teams stop group-think, which is the mind-killer of risk programs.
Ask for examples of where they personally coach, mentor or otherwise lead by example. Look for examples of where they can discuss when and how they know when to step in vs. step back and let the team do its thing - perhaps with some faltering, but learning, steps.
Then, look for external evidence of what people from this person’s teams have gone on to do. I like the idea of not just a CISO parent index (how many people who were on this person’s team have gone on to become CISOs or other senior leaders in their own right) but also a grandparent index of how many of those CISOs have, in turn, helped advance CISOs and other leaders. This final point is illustrative of the ability to coach and mentor security leaders who can in turn develop other leaders.
Finally, watch out for whether this person, through prior roles, always brings in their “buddies” or their own leadership team. This might be a controversial point, as sometimes you want to hire someone who can bootstrap a whole org quickly, but hiring a leader who is incapable of functioning without their trusted lieutenants runs the risk of creating a toxic leadership culture where the new leadership team has a culture distinct from the wider organization.
Bottom line: security leadership positions at all levels are some of the most challenging roles there are. Assess candidates thoroughly - not just by asking questions and looking for good answers but fundamentally looking at the thinking patterns and cultural outlook of the candidate. The most important thing though is to not just rely on the interview process itself but to look for evidence in what the person has done in the world, what they’ve written or said and the leaders they’ve ushered into the wider community. People often tell you exactly who they are. Look and listen.