Author: Justin Fimlaid
Hiring the right Chief Information Security Officer (CISO) can be a daunting task. Without standardized role and responsibility definitions, it’s difficult to identify quality CISO candidates. The challenge is steeper for those who lack familiarity with the security discipline, or struggle to align their security function with broader business objectives. Ultimately, the responsibility for ensuring CISO success lies with the hiring organization.
Organizations that take the time to define the role, evaluate leadership and advisory skills, and incorporate business alignment into the hiring process are more likely to find a candidate who can successfully lead their security function and align it with business objectives. To avoid common pitfalls in the hiring process, organizations should consider the following strategies:
1. DO YOUR PREP WORK
It’s likely that you’re hiring a CISO because your organization lacks the staffing or subject matter expertise you need. For successful senior recruitment, ensure interviewers are prepared and the job description is clear.
Closely review your existing job description and see if it still applies, or if your security needs have evolved. Check that you’ve included non-technical traits that are essential for CISO success and take the time to imagine and describe the best match for your organization. The right candidate will understand your business and be sensitive to the balance between security and organizational success. Our blog post, Recruiting Your Best Security Partner, offers recommendations to help identify a stand-out security leader who is far more than a well-organized and cybersecurity practitioner.
2. DON’T OVERLOOK YOUR CURRENT STAFF
In a job market with hundreds of thousands of open cybersecurity roles, don’t overlook your in-house talent. According to Dark Reading, training employees in new skill sets (i.e., “upskilling”) is a relative bargain for companies seeking to fill skills gaps, compared with the average cost of hiring a new technical employee, which hovers around $32,000.
“Given the level of risk, cybersecurity hacks are a boardroom conversation across organizations,” says Gary Eimerman, CPO at Pluralsight. “Upskilling internally for cybersecurity talent is significantly more cost effective than hiring externally for cybersecurity skills.”
Consider recruiting internally to uncover high-potential team members with strong business acumen and a passion for security. They may already be familiar with your unique business operations and goals. If they possess two-thirds of the requisite skills, and are coachable and eager to grow, you can help them overcome their skills gap and build desired technical and communication capabilities.
3. DON’T DOWNPLAY THE ROLE OF YOUR CISO
A common mistake is assuming that someone who knows a lot about security is automatically qualified for the role. Technical expertise is just one aspect of the CISO role; it also requires mentoring, communication, and leadership skills. The recruiting and interview structure must be designed to measure more than technical expertise if you’re going to find the leader you need.
A CISO’s scope is broad, balancing access and ease-of-use with the security of the organization’s data, websites, applications, and networks. They act as a bridge between cybersecurity teams and business managers. Ensure their place in the organizational chart reflects the expected scope of work. If they aren’t part of the executive team, consider an organization change. Giving your CISO a seat at the table as a C-suite partner will give them the holistic view necessary to create those balanced recommendations and effect meaningful change.
Hiring the right CISO can be taxing but investing in the right person will pay dividends in financial, organizational, and even reputational terms. If you’re looking for a place to start, NuHarbor’s job description template provides a solid general description of a security leader that would succeed almost anywhere. Download and customize the description with your company name, the position title, the industry, and role focus.
For more expert insight and practical tips, catch the video podcast of NuHarbor’s PWNED Episode 167 – Cybersecurity Seat – Half-Full/Half-Empty, Have Patience.