During the next couple of years, organizations will be scrambling to hire information security personnel. Some will even be looking for a chief information security officer (CISO).
After learning about the candidate selection process in several organizations and after listening to a few anecdotes from several major search organizations, I was puzzled to find out that hardly anyone was screening for ethics and integrity during the interview process. Yet, in my opinion, these are the most important character traits for a CISO to possess.
Here is a story to illustrate the point: An organization wanted to hire a CISO, and it gave its search firm a strict range for the salary. The search firm duly used the range to screen out potential applicants. Several highly qualified candidates honestly admitted the range was too low, and they chose not to interview for the position.
After several rounds of interviews and discussions with the remaining candidates, one emerged as the strongest and received an offer at the highest point on the salary range. The candidate balked, saying that it was lower than his current compensation; he suggested a number 10 percent higher than the offer. Since no other candidate was strong enough, the organization met the candidate’s demand. The candidate then turned around and used the offer to obtain a salary increase from his current organization, and he turned down the new organization.
Neither the search firm nor anyone in the organization looking for the CISO was happy about this outcome. And I found it interesting that, even after the salary range was increased, the search firm did not go back to all the highly qualified candidates who had been screened out previously to see if the new range delivered a possible applicant.
Nor did anyone involved acknowledge that the chosen candidate had been unethical for the following reasons:
Though he knew he would not accept something within the advertised range, he told the search firm he was comfortable with the range and went through the interview process, thus misleading his potential employer.
He failed to inform his current employer in good faith that he would like a raise. Instead, he used the new offer to obtain a raise, thus creating a hostage situation with his current employer -- hardly a recipe for maintaining trust in a highly sensitive position.
Events like this happen all the time, and there appears to be a cultural acceptance of negotiating the best offer you can. I agree with this in principle, but I think the manner in which this is done is very important. Subtle exchanges during the process reveal a lot about a candidate's character. This candidate may have ruined his future prospects with his current organization, as well. It may have opted to keep him for now, but it is quite possible that it will make contingency plans for his future departure. In my opinion, it would be negligent not to do so.
Organizations need to ensure that screening for ethics and integrity is a key component of the CISO hiring process. I would not dream of hiring a CISO with weak ethics, and I would have turned down this candidate the moment he asked for something above the strictly advertised range, which had already been discussed with him. In addition, if the range were increased, I would have asked the recruiting firm to include all the qualified candidates who had been screened out of the pool simply because of salary range.
To me, ethics and integrity are the most important character traits a CISO can have. A CISO is in a highly sensitive position, dealing with all the security issues of an organization; how can someone with questionable ethics be appropriate?
If my CISO has weak ethics and integrity, is my organization really going to be secure? What do you think of this issue?
Steve, - Soft skills are difficult to ascertain since it is easy for someone to act out what they know an employer would want. What with the numerous advise columns on how to pass that interview. On the other hand i agree with you sometimes excess rigidity with pay scales may not be so good. It is better to leave it open but knowing what the company budget is...you never know who comes along and maybe the budget can actually be adjusted without them having to cheat.
So right Steve. I had the same thought when I saw some of those ads. Softer skills are much harder to teach unless we get them very early in their careers - as student interns or fresh college grads. I think looking for ethics, integrity and a strong history of prior learning and adaptation is far more important than specific skills. Everyone has to learn and adapt in a new job and continue learning if they are to be successful in the technology field.
@Mansur - what's with those extremely specific ads? I've seen several in recent months that I read and thought "well, here's a needle in a haystack!" I wonder how in the world can they be so specific and expect to fill it that way, since we all probably know that often with hiring there's a "close enough" candidate that gets hitched to a learning curve on the job. I've never seen it for softer skills or attributes like ethics or integrity but still wonder.
@Steve - yes I completely agree with you. Technology changes so rapidly that screening for past learning history and ethics and integrity is more important that what version of some software they know. Yet I see many job ads with too many specific requirements that will be difficult to find in a single candidate and these position remain unfilled for a long time. Not sure why organizations have become less willing to allow some learning time in a job.
@Brian - appreciate you provoking the conversation. You made me think of a point from the hiring company side -- using salary range as a screening tool in a position as sensitive as a CISO was a mistake. Organizations should focus on the right candidate and be willing to pay market salary or it will be difficult to retain the top candidates in these high demand and difficult to fill positions.
MANSUR - I feel that looking for truthful, direct responses is something we may look for in any position hiring. Though hardly limited or a must only for CISO positions, screening for integrity and ethics is the norm these days )thank goodness) and the higher on the ladder you climb the more important and vital these (and other) qualities are.
Tests may be good but I think a good interviewer can be the "lie detector" especially in a sensitive position.
SLFISHER - I see it as you do - although not unethical (in my book anyway) I do see it as unwise and imprudent. I don't see how the "new" company could find out why the candidate did this (create the hostage situation) although it is possible to see this from an outside, seeing both sides of the transaction POV.
I think this happens fairly frequently - and you are correct, this was a technique that was promoted in the past. Hard to NOT do this during an interview, or else why would you want to change companies?
Right, and Mansur, I'm just trying to provoke conversation.
Don't you think that if the candidate went through these stages and the company never felt that it was a possibility he would bail, maying they need a CISO even more than they thought they did before? I still say it says something about the company, too.
At the simplest level look for direct and truthful responses to questions. At the complex level, you can administer tests that analyze ethics, perform background checks, verification etc.
And I have to agree -- I don't see that what the applicant did was unethical, either trying to negotiate a higher salary with the hiring firm, or with the existing firm. I agree he may have ended up burning his future with both companies, but a lot of people are schooled to do exactly those things when applying for a job.
And, he may have fully intended to take the job and it was only after his company found out he was leaving that they were *then* willing to pay the raise he'd already asked for and been denied.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
In all my years interacting with CFOs, I have not met one who actually understood IT -- not that I expected them to.
Why, then, do I continue to see ads seeking a strategic CIO who will report to the VP of Administration and Finance or the CFO? Sometimes ads are slightly better: CIOs report to the Chief Operating Officer. Those conducting the recruitment will sagely say: “The CIO will have complete empowerment and access to all cabinet members and the president.” However, these organizations appear to lack an understanding of the role of the CIO and the CFO.
After observing and writing about CEOs who do not leverage their CIOs to propel their organizations forward, it was very refreshing to learn about the great CEO/CIO partnership at Kaiser Permanente at this year’s World Health Congress held in Maryland.
Despite an initial round of federal funding to develop state health information exchanges (HIEs) as part of Obamacare, these clearinghouses were challenged to develop a financially sustainable model. Because it addressed sustainability early, the Delaware Health Information Network is viewed by many as a template for HIE success.
It began as a relaxing visit with my college buddy and his family. It became a glimpse into the technology-enabled future of worldwide collaboration in engineering.
True story: Despite the HITECH Act of 2009, the CEO of a major urban hospital continued his institution's policy of not hiring a CIO or CISO. Like many others, he took a wait-and-see attitude, even though HITECH strengthened the enforcement of healthcare security and privacy laws, and provided financial incentives for healthcare organizations to adopt electronic health records and information security.
50 billion household devices will be on the Internet by 2020, according to Cisco. And we're hearing foreign governments are hacking our infrastructure. Surely our refrigerators are next!
Sean Smith, a US Foreign Service IT manager, gave his life in service of his country and the world. His life and death are a humbling example for all of us who work in IT.
All the recent hoopla about cloud security overlooks an important point, which is that it's not strictly a cloud problem. The linkage of online services into cooperative chains creates the risk, and only biometrics and federation of providers can save us.
E-discovery is the requirement to make available all digital information related to, and in conjunction with, a legal proceeding. An appeals court ruled recently to limit the scope of e-discovery searches, which gives corporate counsel and IT executives a bit more power over the e-discovery process.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
New tools like laptops, tablets, smartphone, and wireless connectivity let us work from San Diego to Katmandu, and anywhere in between. But time management remains a problem.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The automotive website uses propensity modeling to target ads and customer registration forms, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
Ushering in a new era of cognitive computing systems, IBM announced today the IBM Watson Engagement Advisor, a technology breakthrough that allows brands to crunch big data in record time to transform the way they engage clients in key functions such as customer service, marketing, and sales.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
M2M: Rise of the Machines? Not Yet David Weldon In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M. CLICK FOR MORE
M2M: Rise of the Machines? Not Yet David Weldon In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M. CLICK FOR MORE
M2M: Rise of the Machines? Not Yet David Weldon In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M. CLICK FOR MORE
M2M: Rise of the Machines? Not Yet David Weldon In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M. CLICK FOR MORE
Email This
