A CISO Hiring Guide for Interviewing Job Candidates

By Editorial Team | August 02, 2019

Dichotomy of Good and Bad Interviews

All of us have been through job interviews, both good and bad. Some were positive experiences where the interviewer had prepared intelligent questions based on our background and experience. Additionally, the entire experience was well-coordinated to ensure interviewers got a good sense of you as a candidate, while also providing you with valuable insights into company culture and the immediate team on which you would be working. A well-executed interview can leave a candidate feeling that they connected with an organization that clearly has its act together, which is a terrific outcome, even if someone else gets the offer. You may have even applied for another position at the same company afterwards.

But in other instances, we’ve gone to interviews where it became quickly obvious that the interviewer hadn’t reviewed our resume or background and had put little thought into the questions to ask—awkward, irrelevant questions strung together in no logical order with intermittent attempts to trip you up. You left the interview thinking, “if this is any reflection on what it is like to work here, then I have no interest.” When asked by peers, friends, and family about the company, you warn them to stay away.

Almost 60% of jobseekers say they’ve had poor candidate experiences. 72% of them share that experience on an employer review site, social media channel, or with a friend or colleague.

Great Interviews: Not an Art but Preparation

Skillful interviewing, however, is not an art, but the result of weighing what an organization seeks in a candidate and giving them the opportunity to present themselves at their best. When done right, interviewing reveals both positive reasons for making an offer to a candidate, as well as solid grounds for the candidate to accept it.

65% of candidates note that a bad interview experience causes them to lose interest in a job opportunity.

Recruiting and hiring top-quality cybersecurity talent is difficult enough in a job market with low unemployment and an acute cybersecurity skills shortage that is estimated to hit 1.8 million by 2022. Without the right interview approach in place, you could be driving these candidates away rather than assuring them that your organization is a great place to work. An excellent starting point is the fourth installment in a six-part CISO Hiring Guide series on how CISOs and their HR recruiting counterparts can craft an interview process and interview questions that enable them to determine which candidates are the best fits—from experience, qualifications, and cultural fit—while providing them with a great interview experience (“Interviewing as a Two-Way Communication Process”).

Doubt the importance of the interview experience? 83% of jobseekers indicate a negative interview experience can change their mind about a company they previously liked. On the flip side, 87% say a positive interview experience can change their mind about a company they didn’t like beforehand.

Choosing an Interview Model

Interviews are a two-way communications process. For CISOs and their hiring leaders, interviews provide you with a chance to learn more about the candidate—his or her background, skills, ambitions, working style, and demeanor. For candidates, it is an opportunity for them to evaluate prospective employers—determine if the CISO or hiring manager is someone she or he can work for and understand the vision of the organization in general and the cybersecurity organization specifically.

Using one interview model can be stifling, particularly if the candidate is being interviewed by multiple team members. Over the years, multiple interview formats have emerged. There are seven different interview formats that are practiced widely in the business world today: nondirective, structured, behavioral, situational, panel, online, and videoconference. For an overview of each one, when to use them, as well as their pluses and minuses, download a copy of the CISO Hiring Guide.

From Shortlist to Finalists

The interview process recommended in the CISO Hiring Guide takes place in two phases. In Phase I, a shortlist of 6 to 10 candidates is reduced to two or three finalists. During Phase II, the organization selects a successful candidate from the finalists.

In both phases, the CISO—or hiring manager within the security organization—acts as the executive sponsor of the interview process, working with their HR department to determine who should interview a candidate, preparing interviewers to meet candidates, coordinating interview scheduling and logistics, and keeping the interview process within prevailing laws, regulations, and organizational policies.

In Phase I, candidates should meet with the CISO and/or the hiring manager on the cybersecurity team and a selection of director-and-above figures at the organization who either have a demonstrated business interest in what the new hire will be doing for the organization and/or will directly interface with the hire. To prepare interviewers, the CISO/hiring manager and HR recruiting team should put together a briefing guide on each interviewee that includes the candidate’s resume, indicative work samples, news clippings, and social media posts, a copy of the job description, and a few notes on what the hiring manager believes to be important for candidate success in the new role. The briefing guide should include suggested interview questions depending on the interview format.

In Phase II, the final candidates will meet again with the CISO/hiring manager—and with the CISO if the candidate didn’t meet with her or him in Phase I—plus a senior leader at the organization. Ideally, a candidate who will report directly to the CISO should meet with the person to whom the CISO reports—CIO, CEO, COO, et al. The skip-level interview is to endorse or veto candidates, while the working-level colleagues provide feedback on the candidate’s cultural compatibility and capacity for earning co-worker respect. The hiring manager remains responsible for the hire/don’t hire decision, but carefully takes advice and feedback from other interviewers into account (including the CISO if they report to her or him). The HR recruiting representative is tasked to ensure fairness and alignment with organizational policies in the context of the overall recruitment action.

Role responsibilities top the list of what matters the most to candidates, with how they fit within the larger team and the company’s mission and vision statement as runners-up.

What Questions to Ask

While interviews still need to touch some obvious bases, such as why the candidate is in the job market and what they think they can bring to the role, the real objective is to draw the candidate out to tell a positive, evidenced story about why they are the best choice for the position. Under ideal circumstances, the candidate begins to forget they are engaged in a job interview at all, expanding on what differentiates them as a candidate, their strengths, weaknesses, and how they map to the tasks foreseen in the new role. Generally, questions and conversation topics fall into five areas (the final two being applicable to only senior roles):

1. General/Professional Experience. Questions almost everyone should expect in a job interview. What they’ve done in previous roles. Why they are seeking a new one. Where they see themselves in three to five years.

2. IT Policies and Procedures. The conversational focus narrows down to the practicalities of lowering security risks, supporting high-value initiatives, measuring progress toward goals, achieving best possible results in the face of budget, staffing, institutional, technological, and other constraints.

3. Communications and Interpersonal Interactions. This covers cybersecurity in the context of organization missions, working relationships within the organization, and building a reputation as a trusted source of security expertise.

4. Policy and Management Vision (only for director and above). This area targets strategy and management approaches and how the candidate would configure her or his first 30, 60, and 90 days on the job. It includes how they will reach across functions to foster and build collaborative relationships and measure the business results of cybersecurity efforts.

5. Public-Facing Activities (only for director and above). While these questions pertain more to senior leaders who may need to interact with media, analysts, politicians, and community leaders, often in emergency/breach situations, this is also a good way to prospect for emerging leaders. Sometimes, the best response from candidates is that they are smart enough to remain invisible to the outside world and focus on adding value within their roles.

Don’t forget to follow up with candidates in a timely manner and to keep them apprised of the process and timeline. And for those who aren’t selected for Phase II of the interview cycle or aren’t extended an offer, make sure to provide them with feedback on how they performed (36% are very vested in how well they did).

Concluding Thoughts

While cybersecurity professionals remain in short supply, the field tends to attract innovative, best-and-brightest professionals. When done right, the interview process ceases to be an exclusionary process and becomes an exercise in seeing where and how far candidates can run in making positive contributions to your organization’s business value. Interviewing is also a two-way communications process. The more you put into the process of identifying the best candidate, the more likely they will welcome an offer from your organization and generate value for years to come.