Interviewing for a CSO Job: In the Hot Seat

One man's adventure into the interviewing process for a CSO position.

The call came in early one morning and made it through my usually protective security screen in part because of her particularly pleasant first-name request to speak with me. Without much of an intro, the caller got right to the point. "Would you be interested in the CSO job of the millennium?" she inquired.

After establishing that this wasn't some nutcase, but instead a headhunter familiar to those in our trade, I decided to play. "Tell me more," I answered.

So she laid it out as if she were offering me a winning lotto ticket. "With your credentials, you'd be a leading contender right out of the gate," she cooed. "It's for a company with a new CEO and CFO and a reinvigorated board concerned about integrity, data security, contingency planning. They recently had a very mean workplace violence incident," she said.

I started thinking about the security-related news over the recent past to try and home in on the company. No feedback from the fog.

"So these people are serious about a really senior guy, but do they know what a CSO title is all about?" I wondered aloud.

"I've teed up the CSO bit with them, and it absolutely flies," she told me. "They're eager to make a statement about security in its broadest context. Are you interested?"

"If you've vetted this job and think they're serious, then sure," I told her. "But keep it totally confidential. I'm very satisfied here."

"I'll get back to you," is how she left it.

I didn't hear a thing for a few months. Then another call came early one morning. "Sorry I was silent but, to your point, I wanted to confirm they're serious about this job," she said. "I've put yours and a few other CVs before their selection committee."

Oh great, a selection committee, I muttered to myself. But I was more controlled in my response. "And the answer is...?"

"You're in the catbird seat!" she said as though announcing an Academy Award nomination for best supporting actor. Hmmm. Let's hope not. "They want to see you ASAP."

I knew I'd have to put this to the wife who agreed to move here on my pledge to sink an anchor into the ground.

Getting the Whys and Wherefores

My wife was predictably unenthusiastic. "You're going where to do what?" she said without a hint of a smile. But the kids thought the new company was in an "awesome" area, and my own pathetic look must have led her to relent. "Go get this out of your system. But no promises!"

So I started doing some homework over the next several days, which revealed some interesting facts. First, the workplace violence incident had caused some focus on security. But from the business press, it looked as if a couple of the newer audit committee members had read the Sarbanes-Oxley tea leaves and wanted to play hardball. Other sources told me that the CEO and the executive vice president of administrative services wanted a higher-profile security exec to pull a more integrated program together. Or is it to take the heat? Note to self: Better make sure it's the former.

When I arrive at the appointed hour and place, I'm immediately impressed with the initial approach. No star chamber, no apparent chairman. Just a comfortable room with everyone at one table. It's clear that everyone has been well briefed on my background and experience. A good sign, I hope.

I learn that the committee is composed of the head auditor, the chief legal counsel, the senior vice president of HR, the CIO and the executive vice president of administrative services. These are my primary stakeholders, so I Do Not Pass Go if I blow it here.

CIO: "You don't have a technical background, but you have information security in your current job. How do you do so without that experience?"

Me: "My employers expect me to be on top of the full range of risks in my playing field. They have given me the scope of risk oversight because we have discussed the linkages between the threats that confront global business today. That scope has come with an understanding that we need to have an information risk management capability with a team equal in strength to the risk we face in this area of business, which is significant. Our CISO has a clientele that wouldn't give him the time of day without total confidence in his competence. We are partners with the business and our CIO. I'm the orchestra leader. He's the principal soloist."

CIO: "Would you propose that we have information security under you here?"

Me: "Not at this point, or maybe not at all. It's far too early to say what model I'd propose here. A lot depends on what works in your culture, how service units can most effectively serve and lead here."

Auditor: "Assuming you know about Sarbanes-Oxley, what role do you think security should play in our controls, if any?"

Me: "Frankly, most organizations haven't taken enough time to think through a control model to create the most appropriate mix of players given the risk environment. I'm bullish on security being an equal partner in the governance team. Security is a lead player in addressing reputational risk with background vetting, third-party due diligence, internal investigations and vulnerability analysis. While not as headlined as audit, I think these are core processes in the evolving Sarbanes environment, which is about doing the right thing by our shareholders."

CFO: "We're in the process of identifying every dollar that contributes to or detracts from our being more efficient and productive than our competitors. Security represents a relatively large cost center here, and still there's a sense that we should be doing more. How would you propose to be a leader in cost management and containment?"

Me: "I would get a fresh assessment of the risks facing this company on a global basis and demonstrate to you that we have unmet priorities to address them. It's incumbent upon the CSO to show that the company has a higher likelihood set of threats for which it is unprepared and find the most cost-effective solutions he can, reduce costs if possible and then convince you that the new expense is worth it."

CFO: "What if we shoot it down anyway?"

Me: "Hey, security is just one horse at the trough. My responsibility would be to make you aware of the risks and to propose solutions. You could always decide to accept the risk."

HR: "We've had some issues with our security folks giving off a Big Brother sense to our employees. It doesn't sit well in our culture and seriously impacts your department's credibility. What would you do to restore confidence in security here?"

Me: "Well, given that dark assessment, I would make that a very serious first priority because everything else I'd likely want to do here will depend on bottom-up confidence in our functions. So I would meet with employees at all levels to find out how they're feeling about our services, what we do well and not so well. I believe in being a very close business partner with human resources and legal, so I would really suss out their perceptions of our strengths and weaknesses. And I'd be looking at our team's competencies for things such as relationship management and influence. The bottom line is: If you're right, then this is a serious challenge. And I can't be a success if we can't turn this around."

Chief Legal Counsel: "I was interested in your response about reputational risk. As I recall, you mentioned background investigations. But we don't do them here, and I'd be curious why you think we should."

Me: "Let's start with the recent workplace violence case. Your local newspaper uncovered the information that the guy you fired for assaulting his supervisor had a long record of assaults, domestic violence, firings and substance abuse. That was easily and legally obtainable preemployment information, and you didn't even ask your job applicants for information that could be verified for such purposes. At my last two employers, one in five of all applicants had some material discrepancies in their personal history statements. In other words, they lied. Should you hire liars coming through the door? How would that look on the upper-right-hand corner of The Wall Street Journal? I'm an unabashed fan of background investigations, at the very least for everyone in a 'risky' job. We can discuss that definition if you like."

HR: "I've got to wonder if we aren't better off not knowing what we don't really need to know."

Me: "The thing you've got to consider, with all the ethics issues before the public and regulators these days, is if the bar is being raised by your board and shareholders. Should you know about the integrity of your key people? Would there have been a different result if you had had a criminal history on this violent employee?"

The human resources guy's body language speaks volumes. I sense I've peeled off a scab and started the bleeding anew. "This smacks of the goon squad approach I spoke of earlier," he says. "Rather than addressing the culture and crisis in confidence, you'd propose we crank the hostility up a notch or two?"

EVP (while checking his watch and waving off the HR guy): "Uh, how would you propose to add value to this organization?"

Me: "This recruitment process tells me that you're thinking seriously about security's place in the health of this company. You are raising the bar. I will add value when I measurably help this team address where that bar needs to be to proactively manage the risks we know and those we have yet to identify."

It's clear we're done at this point. And as I'm saying my good-byes, I notice that the HR leader has already ducked out. I play it all back on the way home and decide I've either blown it big time or, if not, I will have to get ready for some fireworks if I take the position.

I can't wait to get home and convince the wife that this would be a good thing to do.

To be continued.


Copyright © 2004 IDG Communications, Inc.