What to look out for when hiring a new CISO?
Jack Fitzpatrick
Electronics, Telecommunications, Intelligence, & Cyber Security - Retired
The traditional role of the CISO is changing. It is being challenged by emerging new regulations such as GDPR, which are impacting all industry sectors, and by the arrival on the scene of the new role of the Data Protection Officer (DPO) in many firms.
The role is being marginalized by long-term digital transformation trends, which are changing the historical role of the CIO, and the emergence of broader corporate concepts, such as resilience, which is bringing out a more holistic way to address business protection matters from the Board down.
At the same time, the CISO role has never been more important, in the wake of non-stop cyber attacks and data breaches.
Hiring a new CISO could be hard for many firms and finding the right person will involve a careful approach, articulated around the following principles.
1. Is the role a firefighter, figurehead or change agent?
First of all, the hiring manager must be clear about the nature and objectives of the role, and the context in which the hire is taking place. It could be that the firm has never had a CISO before. It could be that a new role is being created, for example at Group level. It could be that the departing CISO was perceived as highly successful and that their departure is a big loss. It could be that the departing CISO had been in the job for many years but had achieved very little in practice.
In all cases, security is becoming a far more complex and transversal matter and getting results will mean that the CISO will have to work across corporate silos, with IT, HR, other support functions, business units and geographies. The managerial complexity of the role and the level of experience required to be successful must be acknowledged.
2. Management experience is paramount; more than raw technical knowledge
The role of the CISO is no longer some form of low-grade tech job. More than that, it is no longer a role for a junior executive, a life-long consultant or an ex-auditor: it will require grit and true field experience to achieve anything, and preferably a good amount of knowledge of the industry sector and of corporate politics. Those only come with real-life management experience.
Judging by what we see in the field, an internal appointment is generally more productive, and less risky, as the new CISO will know the firm and will be known to key stakeholders. But it means the CISO role must have a truly senior profile to attract the best internally; the incentive package and the visibility of the role have to be right.
The new CISO does not have to be a technologist or someone already in a CISO role. As a matter of fact, the key will be their ability to articulate the business value of security, and that should come more naturally to business leaders. Control-mindedness, personal gravitas and political acumen are likely to be important success attributes for the CISO, probably as important – if not more – than their raw technical knowledge of the security field.
3. Think outside the box and take your time
This is definitely the type of search for which thinking outside the box could be rewarded, and where most of the long-term success will come from the personal profile of the individual involved.
Overall, take your time. It is likely the role will be difficult to fill and rushing into appointing someone “because you need to” will only lead to mistakes. Use an interim CISO if necessary until the right person is found, but you must not hire in a hurry.
The CISO role has never been more important. The firms that fail at appointing a new CISO are those which rush and push an inexperienced techie into a poorly defined role.
Teacher, Technologist, Trusted Advisor
6 years ago
I’ve heard this phenomenon previously called “security theater” — it can refer to an unqualified CISO tackling a job beyond his/her capabilities, or, just as often, to a leadership structure which ceases funding or prioritizing security initiatives, because “We’re safe now, we have a chief security officer.” Both are sub-optimal.
Experienced Managing Director @ TeamOne.Support | CISO, CISSP
6 years ago
And, don't hire a 'hands on' CISO. Maybe they COULD revamp your firewall rules, but better use of their time would be to update the policy, and manage the group that updates the firewall. Vulnerabilities management? OK, they wrote parts of nessus/openvas/core impact, but let them manage policies and procedures, and explain to top management why we have vuls and help decide the best way to address them. A good CISO needs to know how to put the bell on the cat, and be a 'cat herder'.
Cybersecurity Executive, Board Advisor, CISO, Chief Privacy Officer/DPO, Chief Risk Officer, CAIO
6 years ago
It's rare to find the right blend of deep technical experience with info sec, and a senior executive that can not just manage, but lead, and garner the trust of their C-team peers and board.
Chief Risk Consigliere / Senior Grand Poobah of GRC / Penultimate Data Master / Deputy Supreme Overlord of Digital Transformation
6 years ago
I differ with Phil a bit on this topic (he is brilliant & this is just my informed opinion) but a CISO has to be both technical and business minded; if they are just one or the other, they will be limited in regards to their effectiveness in communicating across the business.