When an organization reaches a certain size or adopts a more strategic role for security in their planning and operations, they look for a Chief Information Security Officer (CISO) who can act as an advisor and a bridge between cybersecurity teams (and challenges) and business managers. Their scope is broad; balancing access and ease-of-use with the security of the organization’s data, websites, applications, and networks.
When you’re hiring a CISO, the lack of standardized role and responsibility definitions make it difficult to know what you need, making it nearly impossible to ensure that they have the right skills to be a good match for your organization. The challenge gets steeper when you aren’t familiar with the security discipline.
If you’re in this process, or are planning to be, these recommendations will help identify a stand-out security leader who is far more than simply a well-organized and cybersecurity-focused resource.
It’s important that your CISO be broad and deeply capable in cybersecurity, but the candidate is also an evangelist who advocates for ideas and difficult decisions that they believe will benefit their organization. They need to know how to position the business benefits for security choices and they must demonstrate empathy for the effort they will need from peers and partners. Your CISO will introduce new concepts to their own security staff, highlighting the merits, and work with them to drive these ideas to completion.
Every day, your CISO needs to evangelize security improvement by being an effective communicator capable of convincing others that each of these ideas matter to the mission of the organization.
Your candidate can never be satisfied with the knowledge they already have. A great CISO is self (and market) aware, understanding that no matter how well their job is going today, tomorrow will present new threats and challenges. There is always more to learn, and your ideal candidate should relentlessly remain current and actively avoid becoming intellectually sedentary. During your interview process they should be able to describe the sources that they use to stay informed, give specific examples of something new they have learned lately, and even describe their thoughts on some recent security development. It’s important that they know they will need to stay sharp to excel in this role.
Managing cybersecurity technologies involves single-mindedness, technical dedication, and independent effort. Your CISO will require even more breadth because you need them to create and/or manage a security team. In the competitive and highly volatile market for security expertise, this means that your leader will need to recruit, mentor, cultivate, and motivate a team that will always be able to easily find work somewhere else.
The best candidates will understand the importance of interacting frequently with their team and business partners with purpose and confidence. If the candidate is unable to communicate effectively with their associates, or if they don’t understand the value of these connections, the security function won’t evolve to a central, strategic, role. Whether for internal security team success or broader security team influence, understanding and valuing relationship development is key.
Advisor and Advocate
A successful CISO consistently recruits support for ongoing security projects and scaling. They do this because smooth-running security operations can appear almost invisible for lack of incidents and urgent events. Your security leader will value ongoing reporting and awareness of their team's operations and will be able to offer insights and progress reporting even when no security events are on the table. Peers in business-functions should be key stakeholders and the CISO should work in concert with colleagues to directly align security with your business challenges.
Look for candidates that are interested and excited about being a strategic advisor on issues of security and how they relate to business. They are looking to be part of a leadership team where they will learn about the business and use that context to make meaningful contributions. You will maximize the impact and job satisfaction of your new CISO by choosing someone who is looking for this type of access and who is willing to take the time to understand a business so that their advice and their team’s efforts are valued.
It's important to know that your potential CISO has existing connections with other security leaders because those relationships are critical to recruiting, to product recommendations, to information sharing and incident response. During the interview process, ask the candidate to connect you with two of their most valued industry influencers. If those contacts are knowledgeable and impressive, you’re talking to someone who has taken the time to earn and nurture an accomplished network. This is valuable for any CISO and indicates the candidate’s maturity and willingness to help and be helped.
Experience under Pressure
A quality CISO has experience with the pressure of conflicting priorities, of staff attrition, and of critical security events. You want to hire a leader who has seen their fair share of incidents, and who knows how to respond effectively and calmly within the security environment. Work with the candidate to illuminate their experiences, and with respect to incidents, their approach to mitigation and remediation. It’s important that you hire someone who is going to be able to help you work through the storm, especially if you are engaging in this search to provide prompt and practical support.
A Final Recommendation
It’s likely that you are looking for a quality CISO because your organization lacks the staffing or subject matter expertise you need. Hard-won experience teaches us that one of the most critical elements of successful senior recruitment is the preparedness of the interviewers and the clarity of the job description.
Prior to your first conversation with a candidate, do the following:
First, tap your network to find a couple of senior security leaders who are willing to help you with job description, lightweight candidate vetting, and even some final round interviewing. There are many senior security leaders who value new opportunities to help and expand their networks. These inputs will improve your odds of finding an authentic leader and expert. Second, take the time to document and share your interview topics well in advance of actual candidate contact. Spread your evaluation of the traits above (and others) between early calls, in-depth interviews, and closing contacts or reference checks. Security interviews can quickly move to anecdotes that take time away from other topics, so make sure that your interviewers check all of your priority blocks.
The right security leader will change your firm. Take the time to find your best match, and then take more time to help them understand the role that you need them to fill. With this thoughtfulness, your new CISO, your organization, and our market as a whole, will win.