Evaluating crisis experience in CISO hiring: What to look for and look out for

A CISO presented with a key analytic shortcoming during an intrusion event may be more likely to overlook data quality or ethical issues in a new machine learning product they think would prevent similar incidents going forward. Or a positive support experience with an insurer during a crisis might perversely incentivize a too-comfortable relationship with an insurance provider that can limit innovative security thinking.

Cyber crisis experience is different from other crisis experience

Fortunately, recent research on cybersecurity incidents and professionals sheds new light on the impact of cyber events for decision-making. The traditional view of crisis effects sees psychological effects ripple outward from major incidents from those impacted most directly to those farthest away. The closer you are, in other words, the more the potential for subjectivity and bias.

With cyber events, however, distance appears to work in reverse. Crisis responders are more likely to see such episodes as idiosyncratic, full of unique variables that we need to be wary about learning from. Decision-makers with an interest but not a stake in a crisis, on the other hand, are more likely to latch onto real-world parallels — even if they are not cybersecurity-related — and learn potentially misleading lessons from them.