During the next couple of years, organizations will be scrambling to hire information security personnel. Some will even be looking for a chief information security officer (CISO).
After learning about the candidate selection process in several organizations and after listening to a few anecdotes from several major search organizations, I was puzzled to find out that hardly anyone was screening for ethics and integrity during the interview process. Yet, in my opinion, these are the most important character traits for a CISO to possess.
Here is a story to illustrate the point: An organization wanted to hire a CISO, and it gave its search firm a strict range for the salary. The search firm duly used the range to screen out potential applicants. Several highly qualified candidates honestly admitted the range was too low, and they chose not to interview for the position.
After several rounds of interviews and discussions with the remaining candidates, one emerged as the strongest and received an offer at the highest point on the salary range. The candidate balked, saying that it was lower than his current compensation; he suggested a number 10 percent higher than the offer. Since no other candidate was strong enough, the organization met the candidate’s demand. The candidate then turned around and used the offer to obtain a salary increase from his current organization, and he turned down the new organization.
Neither the search firm nor anyone in the organization looking for the CISO was happy about this outcome. And I found it interesting that, even after the salary range was increased, the search firm did not go back to all the highly qualified candidates who had been screened out previously to see if the new range delivered a possible applicant.
Nor did anyone involved acknowledge that the chosen candidate had been unethical for the following reasons:
Though he knew he would not accept something within the advertised range, he told the search firm he was comfortable with the range and went through the interview process, thus misleading his potential employer.
He failed to inform his current employer in good faith that he would like a raise. Instead, he used the new offer to obtain a raise, thus creating a hostage situation with his current employer -- hardly a recipe for maintaining trust in a highly sensitive position.
Events like this happen all the time, and there appears to be a cultural acceptance of negotiating the best offer you can. I agree with this in principle, but I think the manner in which this is done is very important. Subtle exchanges during the process reveal a lot about a candidate's character. This candidate may have ruined his future prospects with his current organization, as well. It may have opted to keep him for now, but it is quite possible that it will make contingency plans for his future departure. In my opinion, it would be negligent not to do so.
Organizations need to ensure that screening for ethics and integrity is a key component of the CISO hiring process. I would not dream of hiring a CISO with weak ethics, and I would have turned down this candidate the moment he asked for something above the strictly advertised range, which had already been discussed with him. In addition, if the range were increased, I would have asked the recruiting firm to include all the qualified candidates who had been screened out of the pool simply because of salary range.
To me, ethics and integrity are the most important character traits a CISO can have. A CISO is in a highly sensitive position, dealing with all the security issues of an organization; how can someone with questionable ethics be appropriate?
If my CISO has weak ethics and integrity, is my organization really going to be secure? What do you think of this issue?
Well, it makes you wonder about the capabilities of the search firm and all of those doing the interviewing in the first place, if they determined that this person had the integrity for such a security position, above all other applicants, and couldn't tell that he was using them.
Mansur, I don't see what this candidate did as unethical, even though I myself would not do either tactic. Salary range in a job listing can legitimately be viewed by an applicant as an opening bid in negotiations. And a person has a right to bring competing offers back to a current employer.
@Mitch - for a range in an ad, I would agree with you but this was a specific screening question/criteria that the recruiter was using to forward candidates for interview. Not an easy determination -- and I do not expect everyone to agree with me. But the point was to raise awareness that screening for ethics is important in these sensitive roles.
And I have to agree -- I don't see that what the applicant did was unethical, either trying to negotiate a higher salary with the hiring firm, or with the existing firm. I agree he may have ended up burning his future with both companies, but a lot of people are schooled to do exactly those things when applying for a job.
And, he may have fully intended to take the job and it was only after his company found out he was leaving that they were *then* willing to pay the raise he'd already asked for and been denied.
At the simplest level look for direct and truthful responses to questions. At the complex level, you can administer tests that analyze ethics, perform background checks, verification etc.
Right, and Mansur, I'm just trying to provoke conversation.
Don't you think that if the candidate went through these stages and the company never felt that it was a possibility he would bail, maybe they need a CISO even more than they thought they did before? I still say it says something about the company, too.
SLFISHER - I see it as you do - although not unethical (in my book anyway) I do see it as unwise and imprudent. I don't see how the "new" company could find out why the candidate did this (create the hostage situation) although it is possible to see this from an outside, seeing both sides of the transaction POV.
I think this happens fairly frequently - and you are correct, this was a technique that was promoted in the past. Hard to NOT do this during an interview, or else why would you want to change companies?
MANSUR - I feel that looking for truthful, direct responses is something we may look for in any position hiring. Though hardly limited or a must only for CISO positions, screening for integrity and ethics is the norm these days (thank goodness) and the higher on the ladder you climb the more important and vital these (and other) qualities are.
Tests may be good but I think a good interviewer can be the "lie detector" especially in a sensitive position.
@Brian - appreciate you provoking the conversation. You made me think of a point from the hiring company side -- using salary range as a screening tool in a position as sensitive as a CISO was a mistake. Organizations should focus on the right candidate and be willing to pay market salary or it will be difficult to retain the top candidates in these high demand and difficult to fill positions.
@Steve - yes I completely agree with you. Technology changes so rapidly that screening for past learning history and ethics and integrity is more important than what version of some software they know. Yet I see many job ads with too many specific requirements that will be difficult to find in a single candidate and these positions remain unfilled for a long time. Not sure why organizations have become less willing to allow some learning time in a job.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.