Congratulations! Your company is well on its way to establishing Compliance maturity. So now it’s time for you, the security leader—who’s actually a security/compliance/jack of all trades leader—to catch a break.
It’s finally time to hire a Compliance leader!
But where should you start? What are the most critical questions to ask in the interview process? In this post, I’ll direct you toward the most important areas to address when hiring for your first security Compliance leader position.
But First, the Basics
Now here’s a sidebar: You already know plenty of questions to ask. Those are essential, too. Things like:
- What are their academic credentials?
- Do they have experience in similar roles?
- With whom did they interact/report to in previous positions?
- How did they set policies?
- Why do they want to work for your company?
- Why should you hire them?
- Why did they leave their last position?
- What happens if an employee reports a breach of Compliance by a senior manager?
- What do they consider are key skills of a Compliance leader? Why? (P.S., Want to know my thoughts on this one? Read this post.)
- What does their ideal Compliance program look like?
- What is their greatest strength?
- And my favorite: What is their greatest weakness? (Just once, I’d like to hear, “I’m such a screamer when I don’t get my way.” But that’ll show up in the background check.)
Time for the Nitty-Gritty
I’m suggesting a further line of inquiry. Because you want questions that separate a good candidate from a great one. Questions that make the right candidate think–and the wrong candidate nervous. Here goes:
1 - What’s the relationship between Compliance and risk? That is, how can you use risk analyses to improve Compliance posture?
Why this is important:
You want a candidate who sees Compliance as proof of a strong security posture, not just a series of boxes to check off. This person uses risk analysis to improve Compliance, keeping in mind improving overall security. So, for example, when risk analysis between audits reveals a security gap, both the security leader and the Compliance leader will determine how to close it and how to address the risk going forward.
2 - Given limited funding, how do you decide which areas of Compliance to focus on first?
Why this is important:
This question may help you assess how much homework the candidate has done. The candidate who has studied your company and its processes understands the importance of each element of the security triad (confidentiality, integrity, and availability of data) to your company. That candidate can tell you the proportions of their budget they would spend on each of these areas, and why. The more detailed the answer—and the questions the candidate asks in response—the more the candidate knows your business.
3 - If we had unlimited funds, how would you improve Compliance?
Why this is important:
There is an obvious answer and a not-so-obvious answer to this question. The obvious answer: upgrade tech, automate processes, overwhelm stakeholders with Compliance training. The better answer considers your company. If money were no object, what’s the wish list for improving your company’s Compliance posture? How would a greater investment in Compliance scale business? What opportunities could/should the company embrace if it had the budget to adopt the relevant frameworks?
4 - What tools do you find most helpful in meeting Compliance requirements, and why?
Why this is important:
This will help you get an idea of the candidate’s flexibility. Are they used to traditional means of evidencing Compliance, like producing data only when an audit comes around? If so, consider whether they have the flexibility to use new tools that enable a stronger Compliance posture. The Compliance landscape, security threats, and business needs are constantly changing. A great candidate would go beyond the strict requirements of Compliance frameworks, so that a strong Compliance posture will reflect a truly strong security posture.
5 - How would you present your perspective on why the company should adopt new frameworks to the Board / management / employees?
Why this is important:
A great Compliance leader doesn't need to be simply knowledgeable. They also need to be able to motivate people across the organization. And so if the hire sees Compliance as a growth enabler, it’s a huge plus if they are also skilled at conveying the advantages of adopting new frameworks to Board members and the rest of the organization. Nowadays, it’s mandatory to show a real business case if we want to avoid wasting time and money. Since business cases involve business-talk, this will allow you to see if this candidate “has it”. Also, since Compliance is often perceived as a burden, how does the Candidate plan on convincing the various business units to follow measures?
6 - Walk me through your experience collaborating with stakeholders at all levels to establish a Compliance program.
Why this is important:
Establishing a Compliance program requires a granular assessment of the people, processes, and technology at an organization. Would this candidate embrace the commitment to getting the details right? The leader will also work with the CISO to train employees in what the program requires of them. The right Compliance leader can communicate to all employees why their contribution to the company’s Compliance efforts is essential—and appreciated.
{{banner-image}}
7 - What’s your experience with X Compliance framework and its requirements?
Why this is important:
Consider the frameworks your company has adopted. Consider frameworks that your company expects to take on. Then pick your candidate’s brain. A great candidate has strong knowledge of Compliance frameworks and the regulatory landscape as they relate specifically to your company. This will also help you get an idea of how fast you are going to see value from this candidate.
8 - A new Compliance framework requires revamping how X department in the Company does their work. Tell me how you explain it to them.
Why this is important:
This will allow you to see if the candidate can work with other departments to achieve Compliance without running roughshod over them. How would your candidate help them see how they would benefit from change?
9 - Tell me about a time you had to make a quick decision related to Compliance.
Why this is important:
This question will give you an opportunity to see how cool your candidate is under pressure: not just the pressure of an interview. When a gap or breach was discovered, what did they do? When they chose to wait and see, why did that make sense, and how did it turn out?
A Non-Question Question
Finally, ask a question that’s not really a question: “Do you have any questions?” The solid candidate will show their knowledge about the company. The great one also shows their curiosity; they want to see where your company goes next, and they want to help make that happen. Here’s your last chance to see how your candidate would contribute to your company as a Compliance leader.
Also: it’s your last chance to see if they ask questions whose answers they should have known. (The best bosses say, “There are no stupid questions,” but on an interview, there are.) So this question can highlight an ideal candidate, or one who isn’t aware of their ignorance. Either way, you’ll learn something.
Enough Questions for You?
Interviewing is exhausting, whichever chair you’re sitting in. But just like Compliance, it can help grow your business—if you hire the right leader.
The right Compliance leader can be the difference between scaling your company and paying settlements to a miffed customer base. The right person can get others on board. The right Compliance leader can even change the perception of Compliance from a hurdle to a business enabler.
A final wish; May every candidate who walks through your door (or crosses your computer screen) be so outstanding that your biggest hiring problem is deciding who’s the best.