As part of my advisory work, I often help companies find and/or interview security leaders. While I'm a huge fan of screening quizzes, I realized that I should go a step further and help firms understand what I'm trying to detect or avoid during the interview process. In the process of discussing this with some peers, the Bad CISO Archetypes list was born. Look out for these when you are hiring, but more importantly steer your career to avoid becoming one!
You don’t want someone who thinks the world is on fire. We all know “staying cool under pressure” is important, but to translate that into brass tacks, it’s about looking to see whether your candidate embellishes and exaggerates incidents. You might detect this via a question such as: “Give me an example of a high-pressure security situation you’ve been in where time was of the essence.” What you are looking for here is recognition that rushing is dangerous: you may need to make decisions with only 80% of the data, but not with just 20%. You want someone who knows that all problems are distillable and comprehensible with the right people in the room, and not someone who panics. I’d be looking for someone to explain the situation they used as an example in good technical detail, not just that “IT did some magic” or “the bad guys just went away.” I’d want to hear about the quick stop-gaps s/he implemented to buy time and the prudent, sustainable longer-term solutions that followed.
You desperately need decisiveness - especially on an aggressive growth trajectory. You want someone who is respectful and wise enough to spend some months learning the ropes and touch points, but they need to know that their success is measured by what their hirers no longer need to deal with. Avoiding the wrong risks makes for a good CISO, but taking the right risks makes for a great one (substitute CEO or any title for CISO, truth be told). This can manifest in an interview as “It’s easy to say no all the time. Give an example of a recent situation where you sympathized with the business case and found a middle ground or mitigating controls to enable something that sounded dangerous at first.”
Always be on the lookout for anything that was anyone else’s fault. You can lead the witness a bit here with something like “Give me an example of a time where a co-worker or superior held you back.” You have to be careful not to make a strong candidate think YOU are a finger-pointer if you take that tack, of course... but the best answer to that one is “The way I see it, I’m responsible for security, and if someone else is tactically blocking, it is my failure for not establishing the trust and rapport needed to win them over.”
Facts matter! Beware fake chops. If someone doesn’t feel qualified to discuss assembly coding, that’s fine. But if they are going to play the game, they had better know what they are talking about. If they know their limitations and surround themselves with strong expertise, that is great, but you don’t want someone who hoards knowledge and is not able to deliver or execute. I’d key off the resume and ask specific tech questions on the areas they dare to list. I like open-ended questions that encourage conversation. For example, if they assert awareness of IP routing, firewalls, web stacks, etc., I’d draw up a little diagram of a web visitor, home router, internet, datacenter, load balancer, app servers, etc., and ask some open-ended questions like (pointing to the client) “This guy has a MAC address, right? In what scenario would the app server be able to see that MAC address during normal application usage?”
You need someone with enough common sense and experience to call some shots without ringing the lawyers every 5 minutes. You don’t want someone whose default answer to everything is “oh, we have to see what the lawyers think.” Likewise, you don’t want anyone “waving the reg(ulator) flag,” which is a plague. If you court someone from a regulated industry, you can filter these out with questions like “Give an example of a draconian or otherwise unreasonable regulation that caused you and your org to do something wasteful or even harmful.” The best candidate(s) will see it as their job to translate silliness into effective security measures by building a relationship with regulators and explaining important, effective controls as responsive to a regulation. Weak candidates will show blind acceptance of inane regulator interpretations through things like “yeah, we weren’t allowed to print” or worse, “we knew we weren’t allowed to text each other, but everyone did it anyway.” At the same time, you don’t want someone who is condescending, so you want more of a “these regulatory examiners were good communicators and smart people, but they had more of a law background, so I had to spend a lot of time getting them up to speed on technology.” Showing respect for different types of people will go miles. A leading question for this area can be “Security groups can work with some challenging users; do you feel the eye-rolling and woeful tales of unintelligent users are accurate?”
Find out if your candidate sat near their reports before, versus hiding in a secret office on another floor. Look for preoccupation with perks and special treatment. A good screen is “What are the keys to recruiting and retaining talent in cyber? Give an example of someone you hired who really thrived, and how your relationship with them evolved over the time you worked together.” Look for signs of team-building, mutual respect, and camaraderie.