From the CIO: Why You Didn't Get the CISO Job
The previous Undercover columnist lamented the state of security hiring. Here's a response from the other side of the desk.
By Anonymous
February 23, 2010 — CSO
Dear Anonymous,
It was fascinating to read your thoughts about our recent conversation in CSO (see "The Many Challenges of Finding Work as a CISO/CSO"). And when I say "fascinating," I mean in the sense of watching NASCAR: a lot of predictable left turns and some really embarrassing, squirm-inducing shots of the fans.
I do like you, I think you're a nice guy, and so I wanted to give you some feedback about the interview process and what you're going to need to change to be successful.
I don't think you're going to enjoy reading this. But maybe some of those hours that you're spending maintaining that "vast database" of yours could be better spent understanding why we hired someone who understands they're an engineer.
But before I get into that: There is no small talk in interviews. Do you get drunk at interview dinners, too? You blew it in the first two phone screens; I'm going to tell you how, and I'm going to use your words and explain what I thought when I read them.
Quote: "Is it the misconception that companies don't really know or understand the enormous value that the CISO/CSO can bring to the table?"
It's not our job to understand that; it's your job to demonstrate it. To demonstrate it, to make it real every single day. CSOs keep talking about value, but let me clue you in on something: The economy is in a recession. What brings value is sales and cost reductions. Sales come from marketing and new products. Those boost the top line. Cost reductions—things like firing a CSO—help the bottom line.
Oh, sure, we might have a few more hackers get through, but everyone has hackers. All my friends with CSOs reporting to them are infested with viruses, spam and hackers, and they lose laptops, too. So show me this "enormous value" in the first five lines of your resume. For example: "I saved my last employer 30 percent in fraud executed against our website, delivering the project under budget and on schedule."
Stop hyperventilating. You want executive rewards? Deliver executive value.
Next quote: "This characteristic pattern [placing a CSO job on hold] is directly responsible for the myriad security breaches happening at many organizations."
Really? Directly responsible? Let me tell you how we use the words "directly responsible" in business. We mean causative or we mean it happened on your watch.