The market for top-tier CISOs is now highly competitive. Information cybersecurity has become a high-profile corporate concern, and the bar has been raised on the pool of qualified candidates. By one estimate there were 2,700 CISO job openings in the United States in June 2015. So even if organizations are able to effectively evaluate candidates against current and future requirements, they must also be prepared from the start to actively sell the opportunity to an audience that is naturally skeptical.
In our experience, every CISO candidate asks four overarching questions when evaluating an opportunity:
1. “Who is my sponsor and how much influence does he or she have?”
This is likely to be the first question on the CISO candidate’s mind, and he or she is thinking about this issue in at least two specific ways. First, although the CISO is likely to have some interaction with the board and C-suite, there will still be many conversations that affect the information security function to which the CISO will not be privy. As a result, the CISO will have to rely his or her supervisor to act as an effective intermediary in advocating for resources and policy initiatives and in educating the board and CEO on information security issues as they unfold. Second, when the CISO needs to take an unpopular position to strengthen an organization’s information security profile, he or she has to know there will be support in high places.
2. “How deep is the organization’s commitment to information security?”
This is more than a question of staff and budget allocation, although those elements are certainly important. The CISO wants to know that the C-suite and the board appreciate the complexity and uncertainty at the core of the information security function and the need for making everyone in the organization, top to bottom, responsible for security. For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy both in times of normalcy and crisis. Although the CISO expects organizations to have high standards, he or she will avoid enterprises who reflexively cycle through security teams.
3.”What key performance indicators will I be measured against?”
Given that every large organization must assume that it is continually under cyberattack, it follows that security breaches are a matter of not “if” but “when.” Therefore, it is not realistic for a company to hold its CISO to a “one strike and you’re out” performance benchmark. The conversation about expectations is just as important as the ones about resources, reporting lines, and compensation.
4. “Where will I be in five years?”
Those who lead the information security function are like other functional leaders in their range of career ambitions. For some, the opportunity to lead the function at a quality organization is the goal; others, however, are looking ahead to a CIO role or even a broader role in organizational leadership. It is important to understand each candidate’s desires against what the organization can offer. Remember that the CISO’s reporting relationship will be one factor that frames this issue in his or her mind.
For more information on what to expect and consider while hiring a CISO, download your copy of Navigating the Digital Age. Get the book here.