With cyber attacks on the increase, both in terms of frequency and severity, many organizations are giving thought to hiring a chief security officer or chief information security officer. But what should the criteria be for hiring this individual?
ISACA Now recently talked to Joyce Brocaglia, founder and CEO of Alta Associates, an executive search firm specializing in information security, IT risk management and privacy. Brocaglia shared her insider views on the process of hiring a first chief information security officer (CISO).
ISACA: What are the top considerations when hiring an organization’s first CISO?
Joyce Brocaglia: The most important thing companies must understand is why they have made the decision to hire a CISO in the first place. Clients frequently see the following scenarios:
1) They currently have someone managing security who is incapable of creating a comprehensive strategy.
2) They have a decentralized organization and want a CISO to develop a centralized organization.
3) Their board of directors or audit committee has concerns and recommends they install a CISO.
Each scenario influences the skills a successful candidate should possess. After understanding why they are hiring a CISO, they must determine where the role sits in the organizational chart, its budget, team makeup and compensation.
ISACA: What should an organization look for in CISO candidates?
Brocaglia: First-time CISOs must have immediate credibility within the organization. That means they should hit the ground running, assess the current state of the information security program, and create a roadmap for moving forward. Typically their initial 90-day goals are to meet key stakeholders, understand organizational needs and identify low-hanging fruit. That means the candidate must be client-facing and collaborative, while also possessing the requisite technical skills.
Many successful first-time CISO candidates are currently second in command at larger, more mature organizations. Candidates who are interested in building an organization, have a holistic approach to risk and can articulate technical issues in business terms are best suited for this role.
ISACA: What is the process for a best-in-class CISO search?
Brocaglia: Although many companies consider doing the search themselves, given the demand for CISOs and the complexity of the role, they are best served by retaining an executive search firm specializing in information security. Many firms have recently recognized the potential revenue in cybersecurity recruiting and claim to be specialists, so buyers beware. Hiring managers and talent acquisition executives should thoroughly interview search firms and ask for examples of recent similar successful searches and references.
A track record and trusted network of industry relationships are keys to successful CISO searches. The hiring company should be confident in the recruiting firm’s knowledge of market data on compensation, its ability to understand their culture and its network to provide a diverse slate of qualified candidates. With extreme demand for well-qualified candidates, an inverse relationship exists between the length of the interview process and likelihood of acceptance.
Organizations should streamline the process by ensuring interviewers understand the CISO role and responsibilities, and remember to sell the benefits of joining the team. Our firm sets up a launch call with the hiring manager and key stakeholders, provides a slate of spot-on candidates within the first 15 days, has biweekly update calls and partners to find the best possible candidate in a timely manner.
ISACA: How is the CISO position established in an organization?
Brocaglia: The decision to hire a CISO usually comes from the board of directors or C-suite executives. Some become uncomfortable with their organization’s risk level. Others respond to a breach, an audit or consulting firm recommendation. Some recognize the need to be proactive about security and keep their company out of the headlines. The executive team must ensure the new CISO is positioned high enough in the organizational chart.
Most companies have the CISO report directly to the CIO. They also need to provide the CISO executive sponsorship and support in an active, public way internally and externally to demonstrate the company has prioritized cybersecurity and the CISO role. This supports the CISO’s efforts to influence the culture changes often required in organizations that had not previously considered information security an important differentiator and contributor to success.
(This interview originally appeared on the ISACA blog.)