What to look out for when hiring a new CISO?
The traditional role of the CISO is changing.
It is being challenged by emerging new regulations such as GDPR, which are impacting all industry sectors, and the arrival on the scene of the new role of the DPO in many firms.
It is being marginalised by long-term digital transformation trends which are changing the historical role of the CIO, and the emergence of broader corporate concepts, such as resilience, which are bringing out a more holistic way to address business protection matters from the Board down.
At the same time, the CISO role has never been more important, in the wake of non-stop cyberattacks and data breaches.
Hiring a new CISO could be hard for many firms and finding the right person will involve a careful approach, articulated around the following principles.
The broad profile of the role must be clear: Fire fighter, figurehead or change agent?
First of all, the hiring manager must be clear about the nature and objectives of the role, and the context in which the hire is taking place. It could be that the firm has never had a CISO before. It could be that a new role is being created, for example at Group level. It could be that the departing CISO was perceived as highly successful and that their departure is a big loss. It could be that the departing CISO had been in the job for many years but had achieved very little in practice.
At high level, the hiring manager must define the broad profile of the role: Fire fighter? Figure head? Change agent?
In all cases, security is becoming a far more complex and transversal matter and getting results will mean that the CISO will have to work across corporate silos, with IT, HR, other support functions, business units and geographies. The managerial complexity of the role and the level of experience required to be successful must be acknowledged.
Management experience is paramount; more than raw technical knowledge
The role of the CISO is no longer some form of low-grade tech job. Even more, it is no longer a role for a junior executive, a life-long consultant or an ex-auditor: It will require grit and a true field experience to achieve anything. And preferably a good amount of knowledge of the industry sector and corporate politics. Those only come with real-life management experience.
Judging by what we see in the field, an internal assignment is generally more productive, and less risky, as the new CISO will know the firm and will be known to key stakeholders. But it means the CISO role must have a truly senior profile to attract the best internally, that incentives package and role visibility have to be right, and that the reporting line must match all those factors.
The new CISO does not have to be a technologist or someone already in a CISO role. As a matter of fact, key will be in their ability to articulate the business value of security, and that should come more naturally to business leaders. Control-mindedness, personal gravitas and political acumen are likely to be important success attributes for the CISO, probably as important – if not more – than their raw technical knowledge of the security field.
Think outside the box and take your time
This is definitely the type of search for which thinking outside the box could be rewarded, and where most will come – in terms of long-term success – from the personal profile of the individual involved.
Overall, take your time. It is likely the role will be difficult to fill and rushing into appointing someone “because you need to” will only lead to mistakes. Use an interim CISO if necessary until the right person is found, but you must not hire in a hurry.
This is all the more important for organisations which have never had a CISO before, or those which have been stuck in a decade long spiral of failure around security matters.
The CISO role has never been more important.
The firms that fail at appointing a new CISO are those which rush and push an inexperienced techie in a poorly defined role.
Positioning the role accurately in relation to the firm’s objectives around security, thinking it as a senior leadership role, and taking the time to find the right leader are the keys to long-term success.