You Cannot Solve Your Cybersecurity Leadership Problem Simply By Interviewing Differently

We read a recent post by Tracy Lawrence that gave us hope for a better cybersecurity leadership hiring process...until the end.

But the journey through her post is worth your time as long as you take a detour.

As Tracy notes:

For decades, a long track record has been the gold standard for executive hiring. In today’s disruptive business environment, over-indexing on experience may actually be working against you.

As an executive recruiter and CEO coach, I’ve seen the same well-intentioned mistake play out more times than I can count. Boards and senior teams filling critical leadership roles focus on the candidate with the deepest industry background, the longest tenure, the most impressive titles. They’ve ‘seen it all before.’ On paper, they look like exactly the right hire. Then, six months in, the organization is struggling. The new leader keeps reaching for solutions that worked in their last job, even though the current business environment has moved past them.

Go Tracy Go!

Tracy closes with this:

First, revise your interview process to explicitly assess adaptability, not just accomplishments. Behavioral interview frameworks that ask candidates to describe how they’ve responded to failure, disruption, and uncertainty will tell you far more than questions focused on past wins. Structured assessments designed to measure learning agility can add valuable rigor to the process.

Second, reexamine your criteria for senior roles. Many job descriptions are still written to attract the leader who has managed this type of challenge before. That framing may actually filter out the more adaptive candidates in favor of those who fit a pre-existing template. Think carefully about whether you’re hiring for the environment you’re in, not the one you came from.

Third, evaluate leadership teams you already have with this lens. Many organizations have experienced leaders who are excellent pattern recognizers but are now struggling as the patterns themselves shift. Identifying those individuals and investing in their development before the performance gap becomes a crisis is a much better outcome than discovering the problem after a high-stakes initiative has gone sideways.

We completely agree with Tracy about the following:

• The candidate's history of pattern-recognition is important but not what you're hiring them for as a cybersecurity leader
• Her second point is excellent and we have no substantive argument with it

We disagree with Tracy about the following:

• You cannot "interview better" by interviewing for learning agility. Learning agility is pattern recognition by a different name, in that you're being flexible in looking for different patterns
• Assessing the current leadership team in terms of learning agility is like asking them be more empathetic or have more emotional intelligence: it will change the temperature for a while but not the climate. To change the leadership team you must do more than try to get them to have learning agility (see our posts about this)

Tracy deserves kudos for highlighting a key fact: you're looking for the wrong leader by looking for someone who is like the previous leader but, you know, different. 

Fact: you will re-tread your previous insufficient cybersecurity leaders if you keep sourcing them the same way you're used to in order to create the applicant pool. 

We've covered this many times: you need to improve the talent level of the candidate pool. Once you do that, then you will pick leaders who thrive, have a different idea of what the organization needs to do to be cybersecure, and will be effective with boards. 

The business problem of leadership is not solved by interviewing leaders for learning agility. The business problem of leadership is solved only by considering talented candidates for leadership.

Ask us how you can solve the business problem by getting this critical hire right.