Philip Cao


Need a CISO? Then Have Good Answers to These Four Questions


Demand for top-level security professionals continues to exceed supply. Recent data from the job site Indeed shows that “severe cyber security skills shortages persist in every country.” In fact, in only two countries—the U.S. and Canada—does the supply of job seekers exceed even 50% of employer demand.

In this environment, the best security professionals can be selective in choosing where to apply their talents. It is, therefore, important for corporate management and board members to get inside the heads of these leaders and understand what factors make them satisfied and successful in their jobs.

To help, we have identified four overarching questions CISO candidates typically ask when evaluating an opportunity. As you look at the questions below, it is worth thinking about how your organization stacks up—and what actions you might be able to take to make improvements.

  • “Who is my sponsor and how much influence does he or she have?”

This is likely to be the first question on the CISO candidate’s mind, and he or she is thinking about this issue in at least two specific ways. First, while the CISO is likely to have some interaction with the board and C-suite, there will still be many conversations that affect the information-security function to which the CISO will not be privy. As a result, the CISO will have to rely on his or her supervisor to act as an effective intermediary in advocating for resources and policy initiatives and in educating the board and CEO on information security issues as they unfold. Second, when the CISO needs to take an unpopular position to strengthen an organization’s information security profile, he or she must be confident that there will be support in high places.

  • “How deep is the organization’s commitment to information security?”

This is more than a question of staff and budget allocation, although those elements are certainly important. The CISO wants to know that the C-suite and the board appreciate the complexity and uncertainty at the core of the information-security function and the need to make everyone in the organization—top to bottom—responsible for security. For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy, both in times of normalcy and crisis. Although the CISO expects organizations to have high standards, he or she will avoid enterprises that reflexively cycle through security teams.

  • “What key performance indicators will I be measured against?”

Given that every large organization must assume that it is continually under cyberattack, it follows that security breaches are a matter of not “if,” but “when.” Therefore, it is not realistic for a company to hold its CISO to a “one strike and you’re out” performance benchmark. The conversation about expectations is just as important as those about resources, reporting lines, and compensation.

  • “Where will I be in five years?”

Those who lead the information-security function are like other functional leaders in their range of career ambitions. For some, the opportunity to lead the function at a quality organization is the goal; others, however, are looking ahead to a CIO role or even a broader position in organizational leadership. It is important to understand each candidate’s desires vis-à-vis what the organization can offer. Remember that the CISO’s reporting relationship will be one factor that frames this issue in his or her mind.


In today’s environment, board members cannot afford to be complacent in their oversight of cybersecurity issues and, in particular, in helping the organization hire the right people for the most critical positions. A big step is to understand the issues that matter most to today’s CISOs.

