By Christopher Whyte, CSO contributor

Evaluating crisis experience in CISO hiring: What to look for and look out for

Opinion | 25 Jun 2024 | 8 mins
Tags: CSO and CISO, Human Resources, Security Practices

Here’s what psychology tells us about having crisis experience, a critical and oft-overlooked variable that shapes the cybersecurity employee supply chain — and it’s not what you might expect.

[Image: man reacting to ransomware attack. Credit: Shutterstock]

When hiring qualified security personnel, established practice tells us to look for a host of positive signals. The ideal colleague, as the conventional wisdom goes, is likely well-rounded and open-minded, furnished with everything from extensive certifications and solid formal education to previous professional successes and known collegiality.

This is particularly true for the hiring of CISOs and their key lieutenants. But how should hiring managers factor crisis experience into the hiring process? How can you value performance under pressure and make sure that critical experience isn’t just learned bias?

The stakes of effectively valuing crisis experience in an individual’s qualifications can be high. Psychological research and business studies tell us that a typical crisis can surface a host of pathological behaviors, from tunnel vision and overconfidence to an affinity for groupthink — and decision-makers are prone to leaning on past crisis moments when deciding how to act in the future.

A CISO presented with a key analytic shortcoming during an intrusion event may be more likely to overlook data quality or ethical issues in a new machine learning product they think would prevent similar incidents going forward. Or a positive support experience with an insurer during a crisis might perversely incentivize a too-comfortable relationship with an insurance provider that can limit innovative security thinking.

Cyber crisis experience is different from other crisis experience

Fortunately, recent research on cybersecurity incidents and professionals sheds new light on the impact of cyber events on decision-making. The traditional view of crisis effects sees the psychological impact of a major incident ripple outward, from those affected most directly to those farthest away. The closer you are, in other words, the greater the potential for subjectivity and bias.

With cyber events, however, distance appears to work in reverse. Crisis responders are more likely to see such episodes as idiosyncratic, full of unique variables that we need to be wary about learning from. Decision-makers with an interest but not a stake in a crisis, on the other hand, are more likely to latch onto real-world parallels — even if they are not cybersecurity-related — and learn potentially misleading lessons from them.

For the practical question of hiring around cyber crisis experience, the answer is counterintuitive but ultimately simple — hire for crisis experience but beware the onlookers!

When Julius Caesar crossed the river Rubicon, it was more than just a political or strategic point of no return — he chose to break the law and centuries of convention by moving his armies toward Rome and changing history, ultimately launching a civil war that resulted in Caesar becoming dictator for life and ushering in the Roman Empire.

Decades of psychological evidence suggest that these Rubicon-crossing moments are the result of a shift from a deliberative (thinking) mindset to an implemental (doing) one. Importantly, this is something that afflicts all humans and not just the historically famous ones. If a CISO’s job is primarily made up of routine security tasks and crisis prevention, then their mindset is predominantly going to be deliberative.

Even routine security decision-making, such as choosing new vendor partnerships or responding to minor security incidents, is defined by a forward-looking “what if?” mentality oriented around the core imperatives of the role.

When an existential crisis hits, whether the onset of war or a massive ransomware attack or a car crash, a Rubicon is crossed. Psychologists have consistently shown this to be the moment in which deviation from objectivity is most likely. After all, the order of the moment is no longer to plan, but to act!

Moments of crisis can cause a loss of objectivity

The psychological impact of a typical crisis isn’t uniform except that it makes us uniformly prone to losing objectivity. We might lean into groupthink, become overconfident in plans already set in place, or even adopt unfounded fears about unknown factors.

Generally, however, decision-makers tend towards a few key effects: they are less willing to let incoming information update their expectations, and they lean into their existing biases about that information.

They exhibit greater-than-normal vulnerability to cognitive dissonance, self-serving evaluations and illusions of control. And, in the absence of an obvious obstacle to success, they become much more optimistic (or less realistic) about their own ability to execute their tasks.

These tendencies are among the most well-documented in the modern behavioral sciences. In the broader homeland and national security domain, they also form the foundation for thinking about exposure to security events.

Proximity to crime, terrorist attacks, natural hazards and even financial disasters can create real emotional and sometimes existential trauma. For those in law enforcement or similar areas, the question of valuing crisis experience during hiring becomes one of cautious evaluation.

Did a past incident lead to unexpected behavior on the part of the professional in question? Does that past event appear to dominate their current approach to their role?

Most importantly, does an objective analysis of that past episode hold up in how they react to a new crisis? If so, crisis experience may be a plus. If not, caution may be warranted.

The cyber response to a crisis works differently

Does this logic bear out for those looking to hire a new CISO or other key cybersecurity personnel? Recent research suggests not. Instead, experts have increasingly pointed out that major cybersecurity incidents rarely have the clear existential or emotional stakes we would expect for other kinds of security events.

Even where the stakes might appear existential, there is rarely physical damage or destruction in a cyberattack. The result is that in cyber, psychological impact is seen further from the epicenter of attacks rather than at the heart of an incident.

Additional research describes the cybersecurity response as a search for parallels. When individuals encounter a crisis event, psychological evidence suggests they use analogy and history to understand the scope of a situation, its possible solutions, and its moral dimensions.

With cyber events, unfamiliarity leads individuals to seek such parallels. But the response demands an operational perspective more than strategic awareness, and those at the heart of crisis response usually have the most information. Both of these factors illuminate the distinctive details of a given event and discourage over-generalization.

By contrast, the general public is typically less aware of the quirks of cybersecurity incidents and has less visibility into unfolding events. This leads the average citizen to understand such incidents through historical parallels that may not even be digital in nature, such as thinking about a terror attack on government facilities when trying to make sense of a ransomware attack on a hospital.

Hire for crisis experience but beware onlookers

Recent research makes the bottom line clear for cybersecurity hiring — against the grain of traditional thinking, valuing crisis exposure in hiring contains less risk and greater potential value in cybersecurity than in other areas.

So long as a candidate’s track record is verifiable and clear in its contribution to intrusion events, direct experience of a crisis may actually be more indicative of future success than more traditional metrics.

By contrast, be wary of the “onlookers,” those individuals with qualifications but whose learned experience comes from arm’s length involvement in a crisis. While such persons may contribute positively to their organization, the role of the crisis in their hiring should be de-emphasized relative to more conventional metrics of future performance.

Naturally, one challenge for hiring managers and CISOs will be to decide what constitutes exposure to crisis for the purposes of personnel decisions. The emerging consensus of research is that being present for multiple stages of the response lifecycle — being impacted by an attack’s disruptions or helping with preparedness for a future response — is far better experience than simply witnessing an attack.

Those who experience the initial effects of a compromise or other attack and then go on to orient, analyze, and engage in mitigation activities are the ones for whom over-generalization and perverse informational reactions appear less likely.

Clearly, the value in crisis experience should be seen differently in cybersecurity than in other areas. Those with proximity to threat incidents at each stage of the response lifecycle stand to offer objectivity in future crises whereas those without are at greater risk of operating from a position of bias.

This suggests that not only should those hiring CISOs seek out these backgrounds, but they should also support activities and hiring benchmarks that speak to these experiences, such as involvement in diverse tabletop programming or simulation design.

They should also — as research has consistently supported — not look for jacks-of-all-trades, but rather jacks-of-a-few-trades, balancing diverse career training against experience in key roles.