At Blue Team Alpha, we firmly believe in the importance of a Chief Information Security Officer (CISO) for both large and small companies. As cybersecurity attacks continue to rise, the C-Suite demands a role fully dedicated to protecting enterprise networks, applications, and data. It’s the only way to properly defend against an attack. So, it’s no surprise to us that CISO jobs are on the rise. In fact, one forecast predicts that 100 percent of large corporations will have a CISO or equivalent position in place in 2021.
Finding a qualified CISO can be quite challenging. Skilled individuals who can develop and maintain a comprehensive cybersecurity program for your organization demand a hefty salary, with the average pay ranging from $175,000 to $275,000 per year. Retention of a good CISO isn’t easy either, with the average tenure typically falling between 18 and 26 months.
A highly competitive market for CISO jobs makes it easy for qualified candidates to move around and demand even higher salaries. Other CISOs are moving over to the vendor side, working directly for cybersecurity companies. This is not a bad thing, however, as it opens the door for organizations to benefit from highly qualified CISOs through a virtual CISO (vCISO) service. When you opt for a vCISO, your organization gets access to all of the knowledge of a highly trained and skilled CISO at a fraction of the cost, without sacrificing the quality of your cybersecurity strategy.
You can read more about vCISO responsibilities, the benefits of leveraging this type of service, and how to determine if you need one in a previous blog we published.
Our focus today is to help guide you through the vCISO hiring process to make sure you select the best candidate for your vCISO job. With that in mind, we have compiled a list of the ten most important questions to ask vCISO candidates. The focus of these questions is to ensure you hire someone who can work well with the C-Suite, is more than just a typical security analyst, and has the ability to take a strategic approach to a cybersecurity program.
10 questions to ask every virtual CISO candidate
1. How comfortable are you speaking to and working closely with people at the C-Suite level?
This question points to the importance of good communication skills for a vCISO. The typical IT team member or security analyst prefers to work alone. Their main interaction is with a computer, and they excel at configuring and implementing systems and troubleshooting technical problems. Of course, a vCISO must have a strong background in technical and security issues, applications, and systems. But he or she also has to be able to communicate quite well at the board level.
After a strategic plan for a cybersecurity strategy has been developed, the vCISO must be able to present a compelling case for the strategy to the C-Suite in order to gain buy-in (and funding) for it. Someone who prefers to sit behind a computer screen will not do well in this aspect of the vCISO role, and without executive support, your cybersecurity program won’t get very far. The need for communication will continue, as your security strategy will change over time, requiring constant interaction with the C-Suite to keep them updated on progress and to make sure they understand the value of the cybersecurity program.
2. Where do you think you fall on the “restriction” scale? In other words, how “locked down” should the network be?
When asking this question, what you’re looking out for is what we like to call the “abominable no-man syndrome.” Security teams have a reputation of saying “no” to a lot of requests, simply because they place a high value on keeping the network as safe and secure as possible. While this is important, extreme naysayers who are too restrictive will prevent the company from operating effectively. Nobody wins with this approach, as the company won’t be able to thrive, and after a while there won’t be anything left to secure. Make sure your vCISO isn’t a roadblock. You need someone who will, instead, serve as a true business partner, weighing decisions from both a security and business perspective.
3. How do you address the balance between business risk and security controls?
If a vCISO candidate is truly a business partner rather than a roadblock, he or she will be able to answer this question appropriately. Security controls are a necessary aspect of a successful organization, but they also place restrictions on people and actions. Each restriction comes with an opportunity cost. Your vCISO must be able to balance the risk associated with allowing certain actions or access points with the cost of blocking or preventing them. When done properly, this will create an optimal balance between security initiatives and day-to-day operations.
4. What is your experience operating a security operations center?
A security operations center (SOC) is responsible for monitoring your organization’s security status. The SOC team usually consists of managers, security analysts, and engineers who focus on detecting, analyzing, and responding to potential security threats. There is a lot that goes into managing a SOC, making it very different from simply managing a team of analysts. A SOC requires a 24/7, eyes-on-glass mentality in order to detect anomalous behavior immediately and respond swiftly. Does your candidate have real-world experience managing a SOC? If so, how many years did he or she operate one, and how well did it perform?
5. What experience do you have with investigation and forensics techniques?
A qualified security risk analyst can detect a cybersecurity threat and suggest an appropriate course of action. But a vCISO needs to be able to do more than that. A vCISO has to answer the question of “How did this happen?” This requires specific investigative and forensic skills that a risk analyst doesn’t have. Investigation also demands patience. Ask your vCISO candidates to describe the type of experience they have in determining the cause of past cybersecurity incidents. What is their track record for identifying the cause, and what steps did they take to prevent a similar attack from happening again?
6. What experience do you have in building a comprehensive security architecture?
The focus here should be on the word “comprehensive.” If a candidate only talks about instituting a firewall and antivirus software, then a red flag should go up. These items are an important part of a security architecture, but much more is required to properly protect an organization. An experienced candidate will be able to speak about the importance of evaluating the requirements of end users and the location of data (among other factors) in developing an appropriate security architecture, with the proper security controls overlaid in order to support everyone within the organization.
7. How do you maintain knowledge of developing security threats?
A vCISO can’t fight blind, and a stagnant cybersecurity program is bound for failure. The cybersecurity threat landscape changes on a daily (and sometimes hourly) basis. Your vCISO needs to be aware of new threats as soon as they are identified. Ongoing education on the evolving threat landscape is a prerequisite for success, so it’s important to ask candidates how they stay up to date on threat actors every day and what types of resources they use to learn about new trends in cybersecurity strategies and programs. You can even ask candidates about some of the more recent steps they have taken at former companies to adapt the cybersecurity program to new threat vectors.
8. How much experience do you have securing cloud infrastructure and SaaS applications?
As more organizations move their systems to the cloud, we cannot overstate the importance of hiring a vCISO who has deep experience in securing cloud infrastructure and Software as a Service (SaaS) applications. The traditional on-premises security model is very different from the cloud approach. Organizations are moving to the cloud because it is very powerful. It can be extremely secure, but only if it is properly configured. If it isn’t, then you risk exposing the entire company (and all of your customers’ data) to attack. Your vCISO cannot rely on the cloud provider to secure your system and its data, so you need to make sure that anyone you consider for this role fully understands that they are responsible for making sure the system is configured properly and the data is secure.
9. What kind of experience do you have establishing policy, mapping security controls, and demonstrating program effectiveness?
One of the vCISO’s responsibilities is to establish a comprehensive cybersecurity policy. This typically involves following one or a number of cybersecurity frameworks. A framework is a set of security controls or rules that outline best practices to follow in order to effectively manage an organization’s cybersecurity risk.
A framework allows the vCISO to create a well-rounded program and to continually improve it over time. It also enables the vCISO to demonstrate the effectiveness of the program to the C-Suite, customers, and partners, which is critical to gaining and maintaining support from executives and earning the trust of your customers and partners. Ask candidates if they have experience implementing cybersecurity frameworks. If they don’t (or don’t think they are necessary), then any strategy they have put into place is probably lacking.
We also suggest asking candidates about the approach they take towards documenting the cybersecurity strategy. In our experience, what gets documented gets done. A vCISO needs to put all policies and programs in writing so they can be shared with the relevant parties. Proper documentation also enables the vCISO to carry out a risk-informed strategy, in which potential threats and risks are identified and play a role in shaping how the security strategy changes and evolves over time.
10. How do you stay up to date on cyber and privacy legislation, and how comfortable are you partnering with legal counsel?
As a result of the increase in cyber attacks over the years, security and legal have become close working partners. Your vCISO needs to be able to work well with legal counsel. He or she needs to know when to get legal involved and what legal counsel needs should an incident occur. For example, there are rules about what information may be written down, as well as breach-notification requirements (for customers, vendors, and regulators). How well-versed is the candidate in these requirements?
Make sure your vCISO has knowledge of the legislation and regulations regarding cybersecurity. Are they prepared to work closely with legal counsel on all pertinent matters? If your company must comply with specific regulations such as HIPAA or SOC, be sure to ask specific questions about the candidate’s level of knowledge and experience with these requirements.
At the end of a long day of interviews, the key point to remember is that even the most qualified security analyst doesn’t check off all of the vCISO boxes. You need a strategic business partner: someone who has the deep cybersecurity experience and skills of an analyst, but also has a strategic mind that can plot a proper cybersecurity path for your organization. He or she will have to earn the trust of top-level executives, balance risks and opportunities, and keep a keen eye on developing threats. This position is not easy to fill, but if you ask the right questions, you will be able to identify the top candidate for the job and have the peace of mind that your company’s security is in good hands.