No two CISOs have the same background, but successful ones have similar skills.
Having recruited information security professionals for the past 10 years, I am asked one question more frequently than any other: "How do you become a chief information security officer?" Unfortunately, it's the most difficult question to answer.
If you asked 100 CISOs how they landed their jobs, you would probably find 100 different paths to the top. A few common traits might emerge--for instance, few CISOs have come into their roles by exclusively working in information security. Most have backgrounds in general information technology, physical security, finance, legal, marketing and even human resources.
While many security pros have been practicing information security for a long time, we tend to forget that the industry has only developed over the past 10 years--a relatively short time compared to other corporate disciplines like finance and sales. In each of these other professions, the career map is set; virtually all CFOs and vice presidents of sales have met certain career prerequisites. In our industry, we have not had the time to develop these requirements. Corporations view information security in many different ways; therefore their leadership requirements vary according to specific needs.
How to Answer the Tough Questions
Your heart is pounding as the interviewer pelts you with questions and hypothetical conundrums. We asked security pros what was the best and toughest interview question they've ever answered.
Read on to prepare yourself before your next big interview.
What accomplishments are you most proud of, both in business and personally, and why?
Suzanne Hall, director of IT operations for AARP, suggests that all interviewees be ready. "Sometimes people just aren't prepared when you ask this question, which surprises me," she says.
How well do you think you'll fit in with this company?
James Christiansen, CISO of Experian, warns not to let a question of culture knock you sideways. He says that the toughest question is one where "the answer to the question is directly related to the culture of the company, which you don't yet know."
Please give an example of a project that did not go as well as expected.
Says LJ Johnson, CISO of Nike, "People think it's a trick question when they're asked about failures, but what you want to know is what they learned from the experience."
Will you be willing to travel?
"Who wants to be away from the family?" says Don Ainslie, global security officer for Deloitte & Touche. "[Travel] is a balancing act I struggle with." Know the answer before you go in to help make the decision easier.
Why do you want to work for this company?
Rebecca Norlander, general manager of Microsoft's Security Technology Unit, recalls the epiphany she had when asked this question: "I realized that, actually, I didn't.... Start by being true to yourself. Don't compromise your own moral compass--you have to live with yourself your whole life."
Why are you the best person for the job?
"There are many qualified and great people that come to the table for roles in security and business at large," says Adrienne L. Hall, senior director of Microsoft's Trustworthy Computing. "You need to be clear on what you bring to the position that no one else does."
How can you help this organization?
Debby Fry Wilson, director of security engineering and communications for Microsoft's Security Technology Unit, suggests that you do your homework. "A candidate who is well prepared and genuinely seems to understand the challenges of my organization and can articulate how he or she will help advance our strategy is ideal."
--Compiled By Amber Plante from interviews by Michael S. Mimoso, Marcia Savage & Anne Saita
In my experience, I have collected some of the requirements that are associated with all senior information security positions:
Vision: When a company is looking for an information security leader, often it will be for the first time: Management wants someone who can lay out the corporate blueprint for all its future security plans. Having a clear plan on the role the information security team should play as it relates to the core business practices of the company is key. In most cases, companies will search for someone who has successfully implemented a vision at another company, or who has witnessed the successful implementation of a security program in a company within the same industry.
Range of information security knowledge: It may sound obvious, but companies look to their information security leader for the answers to all of their information security-related problems. Regardless of whether the issues are technical, personnel, procedural or regulatory, the CISO is expected to address all of these angles. Businesses want people who have developed an excellent foundation within the information security industry and who have illustrated the ability to solve information security-related problems. In addition, when organizations are hiring a CISO, they are traditionally searching for someone who can address the current issues facing the organization and see future ones before they cause problems.
Communication: Communication is not only the hardest skill to measure, but also the most critical to have. CISOs serve many different constituencies within an organization, and they are asked to communicate at different levels and to people with different degrees of technical skill; they have to effectively express ideas up and down the management chain. Successful CISOs are those who've earned the respect of the people leading the technical functions and can translate the advantages of security controls to business unit leaders.
During the interview process, it is common for a potential CISO to be interviewed by a number of people representing different functions within the organization. In these meetings, it is essential that the candidate develop a consensus and establish a good feeling of collaboration. If this interaction is successful, it will serve as a solid predictor of the CISO's ability to understand the complex needs of all constituents.
Execution and leadership: When talking about vision, being able to develop an effective information security plan is only half the battle. CISOs are expected to map out their plan and then execute against it; they are required to understand how to prepare a budget, build an effective staff, make technology selections, report to executive management and solve problems.
Companies expect their leaders to lead. An effective CISO will understand how to get the most out of his dedicated and shared resources. The company will look for the CISO to forge partnerships with peers from other business units, and inspire them to accept--and hopefully embrace--information security. Ideally, the CISO conveys the sense that he is enabling business functions, not restricting them.
Passion: This is another seemingly obvious point, but it is the great differentiator. As a newer discipline, information security isn't always accepted by its peers within the corporate infrastructure. Having a passionate leader often helps alleviate this problem. It's been said many times: Information security is a profession where no one recognizes when you are doing your job well, but everyone notices when you are not.
The CISO carries the biggest bull's-eye, and failure can lead to extreme public embarrassment for both himself and the organization as a whole.
CISOs who can convey passion and conviction on a daily basis are effective in developing the long-term respect necessary to implement their strategies throughout the company. It is this cross-functional support that will often lead to a more security-conscious organization. These organizations are traditionally the ones that stay out of the headlines.
When we ask information security professionals to list their career goals, becoming a CISO is always high on the list. With the awareness that our industry has received and with increased support from executive management, more information security leadership positions will be created.
The number of qualified information security professionals is also growing, and competition for these highly sought-after positions will continue to increase. It's more important than ever for CISO candidates to develop the skills listed above--and others--in order to land, and ultimately succeed in, the job.