Doing your diligence- CISO edition

Depending on your source, CISO turnover runs somewhere between 24 months and 4 years. Whatever it is, it’s high.

The reasons for job departure are quite common: burnout, feeling hamstrung by lack of resources, and misalignment with other departments (often IT). Sometimes the grass is just greener on the other side of the fence.

No company is perfect. But certain environments are a better fit for certain people. It’s okay for things not to be perfect (after all, if they were, we wouldn’t have jobs). But it’s not okay to be surprised by knowable things when you start a new job.

Oftentimes, this can simply be chalked up to a lack of diligence. We’ve written previously about the importance of asking questions and doing diligence upfront- in a general sense. Today we’ll focus on the questions at a potential CISO can ask specifically to judge whether an environment is a good fit.

Here’s what to do:

• Don’t be shy about asking questions- your diligence on the company is at least as important as their diligence on you
• Choose a few questions to ask to multiple people, to check for consistency (e.g. descriptions of culture)
• Talk to a couple of recent departures- find them on Linkedin
• Check out recent security department job postings to get a sense of needs, quality of JDs, breadth of expectations, competitiveness of pay
• Get data from friendly recruiters on compensation to ensure that the offer is in line with market
• Consult with an attorney on your employment offer and support your negotiation

What to ask about/ understand:

Think of this as a question bank; certain topics will be appropriate earlier in the process, others later; but you won’t likely get the chance to ask everything)

1) Fundamentals

• Budget, and recent budget growth
• Team size and turnover
• Contractor usage and any key external partners/ MSSPs
• Reporting structure
• Department structure
• Tech environment and scale (e.g. # endpoints, servers, cloud environments)
• Core infrastructure migration plans
• Work and location requirements (in person, hybrid, etc)
• Relevant compliance requirements

2) Current program/ maturity

• Is there a top-down perspective from the board or management on target risk posture? If so, what does that look like?
• How often is security on the board agenda? What have those discussions looked like in the past?
• Is there a security framework in place (e.g. NIST)? What has recent performance been? What are the biggest gaps?
• What is the performance against compliance requirements? Where are the biggest gaps?
• What is the magnitude of the vulnerability backlog and patch management approach (frequency, prioritization, etc)?
• Has cyber insurance been a challenge? If so, why?
• What have the recent security program priorities been?
• How has the security program been measured to do date? What is going well? What is not?
• How would you describe the level of security awareness across the company? (check by key departments- development, executive)

What is the status of:

• IAM program (technologies employed, PAM, RBAC/ABAC/PBAC)
• Pen tests (frequency, severity of findings, whether they have been addressed)
• Asset visibility (what is used, presence and quality of CMDB)
• SOC (insource/ outsource, degree of coverage, ability to rapidly contain and remediate, etc)
• Resilience (DR/ BC in place? Degree of coverage? Time to recover?)
• Data (Understanding of what the most important data is, where it is, ability to discover it/ classify it)
• IR (Is a playbook in place? Is a firm on retainer?)

3) Culture

• Company- What makes the culture of the company unique? What isn’t great about company culture?
• Team- is there an established culture in the security team? How is it different from the rest of the company?
• What are the qualities of leaders that tend to be successful in this company?
• How does decision making tend to work around here?
• Is there an established pattern for reporting out on the security program to leadership and the board? Who’s there?
• What did the previous CISO do well? What did he/she not do well? Why did that person leave?
• What would I be surprised by? What have you been surprised by (if they are a more recent hire)?
• What is security’s relationship with other key departments (e.g. dev, IT, legal, etc)? What is security’s ‘brand’ within the company?
• When big projects fail around here, what tends to be the cause?
• When people don’t work out, what are the common problems/ patterns?
• Can you talk me through a couple of prior security incidents- what happened, lessons learned?

4) Mandate and resources

• 2 years from now we look back and it’s all been successful. How would you define success?
• What do you think needs to change most to get there? Do you have a sense of investment readiness?
• Does the relationship between security and the business need to change, in your opinion? If so, how?
• What is the company’s philosophy on pay, and competitiveness of pay on the security team?
• How does the company handle program/ project management? Where do those resources sit?
• What is the process for requesting new resources? The budgeting cycle? Ability to accommodate out of budget cycle resource requests?

In all of the above, here’s what you are looking for:

• What is known and what is unknown
• Consistency of answers from various people
• Transparency, willingness to acknowledge the challenges and flaws
• Expectations proportionate to resources
• Fit between your unique strengths and the company needs

Many thanks to David Casey for being a thought partner with me on this one. Happy hunting, all.