Three Keys to Hiring the Right CISO
Now that National Cybersecurity Awareness Month is in full gear, we’d like to address a basic question for most midsize and large organizations: How do you hire a chief information security officer (CISO)?
During the Nuix User Exchange in September, Rich Cummings, our SVP of Cyber Product & Strategy, described the talent war as a zero sum game: “All the good people just keep going from company to company.” Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021—compared with one million in 2016. And there’s compelling evidence that the role of CISO is the most difficult tech role to hire for.
With that in mind, here are three key areas to consider in candidates for your CISO or head of security.
Vet the Resume Basics
Ideally you want to see candidates who have already had a well-rounded career but in many cases, the required experience will depend on the specifics of your operation. As a baseline, your candidate should have a background in one or more of vulnerability scanning, cybersecurity investigations, or penetration testing. Your CISO should have a demonstrated track record in the key areas they will oversee and it obviously helps if your company has a network that can vouch for them.
In many cases, organizations hire a CISO when they’re starting a security program for the first time. This should factor in heavily to your process: Will they be starting from the ground up or do you have processes and people already in place? For new or young security programs, hiring a CISO with experience is even more critical.
The CISO has a responsibility to develop, execute, and communicate the security roadmap across the organization. Many times, this means the role has a bit of a salesperson component, as the CISO must make the case for investing in the right areas. Communication skills, verbal and written, as well as ability to navigate complex organizational structures and personalities, are fundamental to success in the role.
Search for Philosophy and Key Personality Traits
You want a CISO who can appreciate all the different angles of security including your physical premises, your networks, and your IT policies. Your CISO should have an eye for operational security—all the best IT practices aren’t worth much if someone can simply sneak into an unsecured office or server room.
Inevitably, the CISO will have to deliver bad news to the executive team. That means you want a candidate who can speak truth to power and be willing and able to set realistic goals and identify problems with an unbiased eye.
The goal of any CISO is to reduce risk as much as possible. Risk is the aggregate of an organization’s threats and vulnerabilities. Threats can range from hackers to power outages to someone spilling coffee on a server. Vulnerabilities encompass the weaknesses across software, hardware, systems, and people. Vulnerabilities multiplied by threats gives you a sense for your risk factors. A CISO should be able to:
- Identify organizational priorities
- Rate the confidentiality, availability, and integrity of your data
- Be prepared to begin protecting your most critical assets from day one.
Set the Right KPIs
Many companies we talk to struggle to set benchmarks for their CISOs. A goal like “no hacks in six months” isn’t realistic.
While the tangible goals vary greatly by organization, your CISO should set clear expectations and have the credibility to recommend the right investments early on. As Chris Pogue, our Head of Services, Security and Partner Integration explains, you only have to be wrong once for a potentially fatal hack to occur.
Before bringing on a CISO, you should have at least a basic understanding of the key security investments you need to make. However, the CISO should also be prepared to develop a clear security roadmap, which may include basics like setting policies, retiring outdated operating systems, and identifying and remedying physical and software threats across your organization.
The talent gap in cybersecurity is very real: a study by jobsite Indeed found that for every 10 cybersecurity job listings, only 7 are even clicked on. This is a significant mismatch compared to other fields.
The good news is that there is widespread awareness of the problem. Universities and colleges are working hard to step up and fill that gap with qualified candidates and non-academic groups are also recognizing the importance of investing in cybersecurity talent and grooming the pipeline.
A CISO should be versatile and previously tested. You should consider the entire spectrum of skills and personality traits, from IT security background to credibility with company leadership.