Finding the perfect match: What CISOs should ask before saying ‘yes’ to a job

When people go through the recruitment process for a new job, it’s common to forget it’s a two-way street. Not only is it an opportunity for a company to figure out whether they should hire a candidate, but it’s also a chance for the individual applying for the role to work out if the company is a good match for them.

In the case of the CISO, where job satisfaction is currently on a downward trend and more are looking to jump ship, it’s even more crucial now to know the right questions to ask before taking on a new job.

Recent research by the IANS Research and Artico Search indicated that three of four CISOs are ready for a job change. The State of the CISO 2023-2024 Report revealed that 75% of CISOs are open to a job change, an eight-point jump from the previous reporting period. The report, based on a survey of 663 CISOs and unstructured interviews with 100 more in a range of industries and company types across the US and Canada, also found that CISOs who said they were satisfied with their job and company dropped by 10 points, to 64% in the last 12 months. Growing anxiety over new and expanded demands for their jobs has many CISOs mulling over an employment change, according to the report.

4 questions CISOs should be asking

These are the top four questions CISOs must ask during the hiring process:

Why are enterprises hiring a CISO?

Does the company’s approach to cybersecurity match mine?

Who’s on the cybersecurity team?

Does the role really have C-level status?

Why are enterprises hiring a CISO?

One important question that Michael Page Australia regional director George Kauye believes CISOs should be asking is why a company is hiring a new CISO. Sometimes it’s because the previous CISO left, or it’s a reactive hire because the company has suffered a breach. Some have never had a CISO before. Kauye says a company’s response to this question can say a lot about its maturity level and how it approaches cybersecurity.

“There’s a lot more probing around what is the organization’s view on cybersecurity. Some businesses might be, ‘We believe in it and we’re excited to have you come in as our CISO and drive our cybersecurity agenda’,” Kauye tells CSO. “Other organizations have to be transparent [about cybersecurity] and are doing it because they have to, and if that’s the case, you could be walking into an organization going, ‘We’re not too sure why you’re here. We’ve been told we need to hire but not sure what your role is’ … and that can be quite a challenging environment to walk into.”

Cybersecurity expert Julie Chatman, whose CV includes McKinsey and Company, Deloitte, and GSK, also cautions CISOs to watch out for companies that are hiring to pay lip service to cybersecurity. According to research from ESG and the Information Systems Security Association (ISSA), 25% believe CISOs change jobs when their organization treats cybersecurity as regulatory compliance.

Chatman says it pays to do some digging around an organization’s history of cybersecurity and information security incidents and examine how they went about handling the situation. “You want to look at what they said in the news and you want to read between the lines,” she advises.

Does the company’s approach to cybersecurity match mine?

A CISO’s strategy and attitude to cybersecurity might be completely different to that of a company, and Kauye believes the interview process is an opportunity to discover whether there is a disconnect between ideologies and viewpoints on cybersecurity. He says understanding the differences can be a tell-tale sign of what potential challenges a CISO could face in a role.

It’s even more crucial now to be able to identify these ideological differences between a CISO and a company given new regulations making the gig of a CISO tougher.

For instance, Wall Street’s top regulator, the US Securities and Exchange Commission (SEC), voted on a new set of rules last year, which require companies to disclose the management’s role and expertise in assessing and managing material risks from cybersecurity threats if a cyber incident were to occur.

The impending NIS2 directive from the European Union would place additional cybersecurity requirements on businesses, including responsibilities for boards of directors and executives.

It’s a similar story in Australia, where the chairman of the country’s corporate regulator, the Australian Securities and Investments Commission, Joe Longo, previously stated he wants to hold cyber executives and boards accountable for not taking sufficient steps to protect customers and infrastructure from hackers if a company is compromised.

Bob Zukis, CEO and founder of Digital Directors Network, believes a good way to scope out a company’s stance and approach on cybersecurity is to look at the board and what their level of cyber expertise is like, including whether a cyber expert is on the board. “Does the board have cyber expertise? Who governs cybersecurity at the board level and is making sure [the CISO] is not being set up inadvertently or overtly to be the fall person. If you don’t have a board or a leadership team that has your back on these issues, then you’ll be going it alone,” he says, adding his advice would be to “run from a board that doesn’t have cyber expertise on it.”

Zukis believes that in some ways, companies these days have to sell themselves much harder to get a CISO through the door. “Good CISOs have more than their fair share of opportunities, and so I think the power in negotiation is on their side, given what’s at stake.” 

For Chatman, identifying if a company’s approach to cybersecurity matches with a CISO is critical to long-term job satisfaction. “Does the mission excite you? Does it speak to you? It’s not about fluffy feelings; this is because the role can be incredibly challenging, and you have to feel like you’re contributing to something to keep going sometimes. That even applies to the most Machiavellian of us,” she says.

Who’s on the cybersecurity team?

In addition to seeking out answers about how the company approaches cybersecurity, CISOs should drill into asking questions about the team. “CISOs realize they can’t be an island and they can’t do it alone,” Zukis says. “They’ve got to look at the team and the systems that the company has. CISOs are becoming a lot more careful and a lot more thorough – they’re asking much more probing questions.”

Chatman agrees, saying that understanding who makes up the cybersecurity team can help a CISO assess compatibility, how effectively they can collaborate and communicate, what support and resources would be available to them if they were to accept the role, and whether there is room for growth relative to the organization’s size and mission.

“You want to know what is the team’s level of maturity? What are the capabilities of the team? Is it a nice mix of people that are just starting out that you can groom and train, along with mid-level and seasoned people?” Chatman says. “Or is it all seasoned? Have the people been there too long? Because that causes brainwave atrophy…you don’t want all new people as well because everyone would be bumping into each other like a bunch of puppies chasing a ball.”

Does the role really have C-level status?

Despite an increased focus on cybersecurity globally, CISOs still struggle to hold a seat at the executive table. Data from ESG and ISSA highlight that 27% believe CISOs change jobs when they are not an active participant with executive management and the board.

Similarly, the State of the CISO report by IANS Research and Artico Search found that while CISOs have C-level responsibilities, they have trouble attaining that kind of recognition within their organizations. The research showed only 20% of all CISOs and 15% of public company CISOs are regarded as C-level executives, and just 50% engage with the board of directors quarterly.

“The CISO role is unique in that it has the word ‘chief’ in the title, yet in most organizations it’s not a true C-level role — it’s reporting to another C-level executive,” Chatman says. “It’s kind of like being the eldest child at the little kid’s table at Christmas dinner.”
