CISOs are important, and they are in short supply. In fact, good Chief Information Security Officers are in really short supply, and it is hard to overstate their importance. So I believe we should talk about some ways to hire a good CISO. But first, let’s talk about some of the mistakes that are made with CISOs and how to avoid them.
First, the fact that you have a guy in your IT department who is good with security or firewalls does not make him a good CISO candidate. More likely than not he is a poor CISO candidate, but many times that is the person who gets the job. This is indicative of the problem: most executives do not take the position as seriously as they should.
What Not To Do
Many times a CISO is hired and put into an impossible situation. They are told they are responsible for the company’s cybersecurity. However, they are not given the tools, authority, or access to get the job done. And when they fail, they are the first to go.
Then the company hires another CISO into the same structural and systemic problems, and the pattern repeats itself. A good CISO is worth their weight in gold, and even if your company does sustain a major breach, your CISO should still be kept on unless they exhibit a fundamental flaw or failure in their execution of the position.
Five Rules On Hiring A CISO
- First, you need to write a job description that gives the CISO access to every part of the company, including the executive suite. Remember, if you are going to influence the cybersecurity of your company, then the executives’ involvement is essential to that success. This job description should also look for the executive skills of the candidate.
- Next, you need to be recruiting for a CISO all of the time. You should have a bench of candidates. Remember what I said above: many good CISOs get pushed out the door just because there was a breach, through no fault of their own. You need to take advantage of this flaw in the market.
- That leads me to the next rule. Vet the candidates thoroughly, and then vet them again. Run background checks and hold multiple interviews over time. Look at their credentials and check them. Talk to references in detail. Give them scenarios to solve; they should come with a plan. Look at their technical skills as well as their crisis management and executive skills.
- Building on this, look at getting help hiring a CISO. I do not mean a recruiting firm; I mean a trusted advisor to help you with the selection and vetting process, someone who knows cybersecurity holistically.
- Finally, be ready to pay; a good CISO is very expensive when you find one. Use the creative incentives you have to attract them to your company. Make them feel like they can make a difference at your company; this will go a long way.
We will talk more about this critical issue in future articles, but this should get you started.