During the next couple of years, organizations will be scrambling to hire information security personnel. Some will even be looking for a chief information security officer (CISO).
After learning about the candidate selection process in several organizations and after listening to a few anecdotes from several major search organizations, I was puzzled to find out that hardly anyone was screening for ethics and integrity during the interview process. Yet, in my opinion, these are the most important character traits for a CISO to possess.
Here is a story to illustrate the point: An organization wanted to hire a CISO, and it gave its search firm a strict range for the salary. The search firm duly used the range to screen out potential applicants. Several highly qualified candidates honestly admitted the range was too low, and they chose not to interview for the position.
After several rounds of interviews and discussions with the remaining candidates, one emerged as the strongest and received an offer at the highest point on the salary range. The candidate balked, saying that it was lower than his current compensation; he suggested a number 10 percent higher than the offer. Since no other candidate was strong enough, the organization met the candidate’s demand. The candidate then turned around and used the offer to obtain a salary increase from his current organization, and he turned down the new organization.
Neither the search firm nor anyone in the organization looking for the CISO was happy about this outcome. And I found it interesting that, even after the salary range was increased, the search firm did not go back to all the highly qualified candidates who had been screened out previously to see if the new range delivered a possible applicant.
Nor did anyone involved acknowledge that the chosen candidate had been unethical for the following reasons:
- Though he knew he would not accept something within the advertised range, he told the search firm he was comfortable with the range and went through the interview process, thus misleading his potential employer.
- He failed to inform his current employer in good faith that he would like a raise. Instead, he used the new offer to obtain a raise, thus creating a hostage situation with his current employer -- hardly a recipe for maintaining trust in a highly sensitive position.
Events like this happen all the time, and there appears to be a cultural acceptance of negotiating the best offer you can. I agree with this in principle, but I think the manner in which this is done is very important. Subtle exchanges during the process reveal a lot about a candidate's character. This candidate may have ruined his future prospects with his current organization, as well. It may have opted to keep him for now, but it is quite possible that it will make contingency plans for his future departure. In my opinion, it would be negligent not to do so.
Organizations need to ensure that screening for ethics and integrity is a key component of the CISO hiring process. I would not dream of hiring a CISO with weak ethics, and I would have turned down this candidate the moment he asked for something above the strictly advertised range, which had already been discussed with him. In addition, if the range were increased, I would have asked the recruiting firm to include all the qualified candidates who had been screened out of the pool simply because of salary range.
To me, ethics and integrity are the most important character traits a CISO can have. A CISO is in a highly sensitive position, dealing with all the security issues of an organization; how can someone with questionable ethics be appropriate?
If my CISO has weak ethics and integrity, is my organization really going to be secure? What do you think of this issue?
— Mansur Hasib has served in CIO/CISO and other leadership roles in the public, private, and education sectors.