Hiring a CISO - What to consider
By Carl.net on Sunday, July 28 2024, 13:55 - CISO
Hiring a CISO can be challenging due to the required breadth of skills and experience. In this article, I work to identify all of the skills and experiences you must look for in your CISO, no matter your industry, and then touch on some of the unique skill areas and how to consider them in light of your specific industry. Everything on this list will be the bar against which your CISO will be judged if you end up experiencing a public incident.
Chief Information Security Officers (CISOs), or what started out as CSOs, are no longer just the technical security person behind closed doors. If you have a public security incident, your CISO will lead the incident response and be your public-facing representative for how you respond. Further, the experience, education, and certifications that your CISO has will be examined under a microscope to determine if you hired a qualified CISO. On a day-to-day basis, your CISO will shape the security you use to try to prevent incidents while balancing risk with business needs. The last thing you want to do is skimp on the qualifications of the person you hire. Remember that the bad people are constantly attacking you, and they only have to get things right once. You and your CISO must always be right to hold the hackers at bay.
As a bonus, I will provide a link in the next two weeks to a tool you can use to assess your candidates for your CISO role to help you take the guesswork out of your initial selection. The tool is designed to give you solid evidence that you considered reasonable inputs in your CISO selection when you are questioned by regulators, auditors, or your board of directors. After using the tool or some tool of your choice, you will want to do at least three interviews, with not only the person your CISO will work for (COO, CFO, CLO, CEO, CIO, or CTO, in that order) but also your CEO or COO and Chief Legal Counsel. I would also suggest a team interview so the security team can provide feedback and your CISO can understand what they have to work with from day one. I would also suggest having the hiring team read this article so they understand what they should be looking for, rather than holding misunderstandings such as expecting their new CISO to be a copy of themselves.
Before I write on this topic, allow me to provide my qualifications to provide an opinion. I have over thirty years in the security field. I have been both a CISO and CSO for clients, have hired multiple CISOs to fill area-level roles covering multiple countries, have managed those CISOs for over six years, and have worked with hundreds of CISOs and CSOs over the last twenty years. Further, I have owned incident response at a global company for over ten years, dealing with every incident type and level imaginable and all of the regulators, auditors, and executives that come with those incidents.
Education:
Let's start with the fact that hiring a C-level executive for your organization whose CISO does not have a degree will make you look very suspicious when you have a public incident or are brought in front of regulators, auditors, or your board. There are exceptions, but I would not count on the exceptions; make sure such a candidate has other features that significantly outweigh this detriment. Currently, 98% of CEOs worldwide have at least a bachelor's degree, with 74% having either a Master's or Doctorate degree. In Europe, at least 74% of top managers (not just CEOs) have an advanced degree (1). Your candidate must have a degree, which should be related to technology or security. You will pay top dollar for your CISO, so require the best you can get. Something you might consider as an alternative to a degree for someone in the security field is a candidate with three years or more of military experience. Some of the skills learned in the military are similar to the ones learned in a university, and the military provides the extra benefit of your candidate understanding warfare, which will help with incident response and the concepts required to protect your organization. Notice I specifically said a technical degree. The CISO position requires technical knowledge, so if your candidate does not have a technical degree, make sure they have considerable technical experience to address this issue.
The number of people with Master's or Doctorate degrees in technical fields or security is high enough that you might consider setting your bar there. No matter how many soft skills your CISO will need, they will still need technical chops. You are likely to have a reasonable number of MBAs on your team, so why not exceed the bar and get the best technical chops you can from an education standpoint?
Certification:
Certification is a charged topic. Like a number of others, I used to believe certifications were not important or required and generally refused to participate in the certification game. A very smart mentor of mine in the political field changed my mind. Her point was that not having some certifications in one's chosen field starts you off in any interaction behind others who have them. Further, everyone with the cert you have knows they can converse at the same minimum level, allowing the people you are working with to be more comfortable with your ability to contribute. If you end up in court or in front of a regulator or auditor, they will use your CISO's certifications as a proxy to determine their and your organization's sufficiency to speak on the topic, rather than having to measure your expertise every time. Lastly, I have observed that the number of large organizations requiring certification to be part of their security teams has increased significantly. This shift to requiring certification by large organizations means that if your CISO does not have basic certifications, they and your organization are behind the game.
At a minimum, you want a CISO with some basic security certifications. The very basics are the Certified Information Systems Security Professional (CISSP)(2) and the Certified Information Security Manager (CISM)(3). You want your candidate to have both, not just one. If they do not have these two basic certifications but have everything else you want, do not hesitate to hire them, but do require that they get the certifications in the next year. Neither of these certifications should be challenging for someone with the experience to be a CISO. If they have concerns about their ability to get both in a year, they are not CISO material.
Once you move past the basic certifications, there are other useful ones to help you measure your CISO candidate's knowledge and ability. You might consider the Certified Information Systems Auditor (CISA)(4), Certified Chief Information Security Officer (C|CISO)(5), Certified Ethical Hacker (CEH)(6), Certified in Risk and Information Systems Control (CRISC)(7), or any of the other domain-specific certifications that show skills in areas your CISO must excel in. In a few weeks, I will post a certification-specific article covering more domain-specific certifications.
General experience and skills:
Experience is the gold standard against which all others should be judged in the CISO role, but it can be very challenging to measure, which is why education and certification hold as much weight as they do. There are some general areas where you want your CISO to have experience and some that might be unique to your organization.
1. Being a CISO - There are several role names, depending on the organization, that do the same things as the CISO role, so do not count anyone out who does not hold the title. That said, look for your candidate to have been doing most of the items on this list to determine if they were CISOs in all but name.
2. Time in higher-level security roles - There are very few people who have been CISOs, and a lot of organizations who need a CISO. So, look for people who have been in higher-level security management roles for at least ten years. If they have been in higher-level security management roles for less time, they are likely not your candidate. It takes time to move from being a purely technical person to understanding risk and thinking like a leader. Also, remember that level names mean very different things in different industries. A VP in banking is a manager in most organizations. At the same time, a Director is a manager in some organizations but an executive in others.
3. Organizational size - The CISO role is expansive, and the larger the organization, the more chances the person will have had to run into many of the problems they will need to resolve in your organization. You want a CISO with experience in an organization with at least 1,000 employees at some point in their career; 10,000 or more would be better. There are exceptions to this rule, but take them on a case-by-case basis. You are using organizational size as a proxy for the breadth of their experience in the other categories.
4. Risk Management - The life of your CISO revolves around risk. If you are talking to a CISO candidate and they do not discuss risk, you are not talking to a CISO. Almost every decision a CISO makes will be a balance between the organization's risk appetite and the business's need to do business. You want a CISO who has not only operated a risk program but also, if possible, created one. You also want your CISO to have had formal education in risk and/or be certified in risk. The specific risk models or tools they use are less important than their ability to view, assess, and balance risk. They should be able to talk about the differences between qualitative and quantitative risk assessment, when they might use one or the other, and the problems with both. This is also the R in GRC (8), which is a vital component of how your CISO will view security.
5. Compliance - Every organization will have compliance mandates that must be met. These compliance mandates might come from regulations, laws, contractual obligations, industry mandates, standards, policies, or other external or internal rules. When filling your CISO role, you should already know what some of these compliance mandates are, and over time, your CISO will help you identify others. You will never find anyone with total knowledge of all of your compliance mandates, so the skill you want in a CISO is experience working to meet a few compliance mandates; that compliance experience will allow them to help you meet your specific compliance needs. Knowledge or experience with the compliance requirements you know you need to meet is great, but do not write off a candidate whose compliance experience is with other mandates, as they might bring more to the table on how to meet your mandates more easily than someone with only knowledge of your mandate. You are looking for experience meeting compliance mandates, not experience with just mandate X. Your current mandates will change over time, so your CISO will be continuously learning new mandates, and hopefully, because of their experience with multiple types of compliance mandates, will have been shaping your security programs to meet current and future ones. This is also part of the C in GRC (8), which is a strong component of how your CISO will shape and view your security needs.
6. Incident Response - You will have incidents. There is a good chance you are already exposed in several places you do not know about, and a good CISO will find some of those quickly after they join your organization. Every CISO should have "significant" experience leading incident response and be able to describe the basic triage solution they use to deal with incidents, how they deal with external parties, including regulators and law enforcement, and at least one story of how they failed when dealing with the media.
7. Audit - Every CISO should have in-depth knowledge of audit, having been both the auditor and the auditee. This is why I suggested the CISA certification above. CISOs get audited. A CISO should be able to describe in detail how they have dealt with audit situations. Better still, they should also have run audits as part of their duties. Any CISO without this experience will significantly hinder your organization's growth and may cast you in a poor light with regulators, external auditors, and your board.
8. Policy, standards, process, and procedures - Security policies are the statements you make to your employees and external parties on how you do things. Highly rule-driven people will not agree to conform to your organization's security stance without a policy. Regulators and auditors will not accept that you have reasonable security without written policy. And if the worst happens and you need to fire someone for violating what you believe to be your security stance without a policy, you will be standing on very shaky ground. Your CISO must have created, maintained, and shaped policies. There are no exceptions to this rule. This is also part of the G in GRC (8), which is one of the tools your CISO will use to help guide your organization's security stance.
9. Threat Intelligence - Your candidate should know how to do threat intelligence beyond calling a vendor. The bad guys have specific methods of operation, and direct hands-on knowledge will allow your CISO to protect you more effectively than theoretical knowledge. I am not saying your CISO should be a hacker, but experience in the field and hands-on knowledge of the dark web is a solid key to success. If you are talking to a particularly experienced CISO, they should be able to describe where to find stolen credentials, what sites have in-depth discussions on hacking activities, and what sites they are or have been members of.
10. Cloud Security - Let's be honest with ourselves. The cloud is really just a way to outsource your infrastructure (IaaS), your platforms (PaaS), or your software (SaaS). There is no magic here; it's just marketing around outsourcing. If everything works out right, you will save costs on your technology and be more agile. Based on my direct experience, not everything will move to the cloud gracefully, and depending on your industry, you may have some security needs that make moving to the public cloud a no-go. The great thing about cloud security is that the scope of what you are responsible for is reduced versus hosting everything on-premise yourself. I wrote my organization's first cloud security whitepaper 15 years ago, and very little has changed since. Today, it is unlikely you will find anyone in the security field who does not have some cloud experience. The great thing is that everything your candidate knows about securing on-premise hosted infrastructure, platforms, and services applies to the cloud. The way something is done will be specific to a particular cloud provider, but the concepts will still be the same.
Your candidate should understand cloud architectures and the differences between cloud-based and on-premise security. If your CISO does not discuss multi-tenancy issues and vendor management regarding cloud security, they are missing part of the picture. They should also be able to describe some of the issues with using multiple cloud providers, specifically security technology issues, networking, and IAM.
11. Identity and Access Management (IAM) - Much of security is not about how you keep people out but about giving the right people access to what they need. This is where IAM comes into play. IAM is the key to identifying someone and giving them the proper access to do their job. Historically, much of security has used the Blow Pop (TM) model, where we created hard, crunchy outsides to protect the soft and chewy parts inside. This model is great until someone gets inside and eats the soft, chewy part. The current buzzword is zero trust, and zero trust works by assuming everyone is bad and only giving people access to precisely what they need. To do this, you need IAM. Your candidate does not need to be an expert in a specific vendor's IAM technology but should have a basic knowledge of Microsoft Active Directory, AWS IAM, or another cloud provider's offering, and potentially Kerberos, as much of the IAM world is based on Kerberos.
12. Security architecture - Your infrastructure and organization are made up of multiple separate components that must be combined and work together. Your architecture is the magic that makes this happen. A well-considered architecture will help your business grow, and a poor one will hinder your organization's strategy (9). A good CISO will have experience as an architect for some type of system or organizational structure. They do not have to have been a lead architect at a Fortune 100 organization, but strong architecture experience or training is a key to success.
13. Multi-platform - Monocultures are generally considered bad; to put it another way, diversity brings so many benefits that its opposite is usually a disadvantage. This is true of platform experience also. You want your CISO to have some experience with multiple platforms so they know at least what else there is to offer. For example, let's use Microsoft for a moment. If your CISO only knows Microsoft technologies, how will they assess a vendor you want to use with a Linux-based product? Or if they only know Azure, what if you will also be using AWS or Google? Knowledge of multiple platforms is crucial to your CISO's ability to address security risks across everything you do. They do not have to be experts in everything but should have general knowledge of many types of platforms.
14. Artificial Intelligence (AI) and Machine Learning (ML) - AI and ML are the buzzwords of 2023 and 2024, and if you believe everything you read and hear, a lack of knowledge on this topic is a sure sign of a Luddite. The truth is that even if your organization has not embraced the AI bandwagon, your employees are still using it as shadow IT. Your CISO must have some experience and knowledge of AI and ML. There are specific issues with the use of AI, with one of the biggest ones being how to maintain control of your IP and data. Your CISO does not have to have built something using AI or ML, but they should be able to discuss AI-related issues.
15. Linux and Python - A significant number of security tools run on Linux and use Python as their scripting language of choice. Your CISO should be comfortable as a user of at least one Linux platform and should be able to name at least one Linux variant used for security testing (hint: Kali, BlackArch, BackBox, Parrot Security OS, CAINE, DEFT, etc.) and how they have used it. They should have had some basic Python experience or training but do not have to be a coder. Most Python scripts they or their team need can be borrowed from online sources.
16. Security technologies - Every CISO should have experience implementing, configuring, managing, and specifying some basic security technologies, including Firewalls, Intrusion Prevention/Detection Systems (IPS, IDS), Security Information and Event Management (SIEM), Web Application Firewalls (WAF), Endpoint Detection and Response (EDR), eXtended Detection and Response (XDR), Managed Detection and Response (MDR), Information Rights Management (IRM), AntiVirus (AV), vulnerability assessment/penetration testing/remediation tools, and Data Loss Prevention (DLP). Your CISO is unlikely to be an expert in all of these security tools, but they must have a general understanding of their use and how they fit into the security landscape. Some experience with one or two tools' configuration is also key, as that will allow them to help their security teams when they run into issues.
17. Computer and network forensics - Forensics is a specialty in computer security, and finding a CISO with in-depth experience with it can be a challenge. At a minimum, you need someone who has consumed forensics reports and can understand their structure, what the reports are good for and not suitable for, and when forensics might be necessary. At some point, if not regularly, your organization will need either computer or network forensics to work through an incident, and a lack of knowledge about this topic will cost you time and money and potentially cause considerable public embarrassment. Look for candidates with experience using forensics in incidents and even better training/certification in forensics or forensic tools.
18. Vendor management - A poorly secured vendor can expose your organization to any number of risks your organization would otherwise have already mitigated. Every place your infrastructure touches a vendor's infrastructure is a hole for external parties to penetrate you. Strong vendor management experience and skills are required for any CISO.
19. Investigation - Investigation is the tool that turns a potential incident into an incident so it can be mitigated. CISOs and their teams use investigation skills regularly; CISOs should have considerable experience with investigations and be able to describe where and how they have successfully used the skill. CISOs do not have to be former police investigators or private investigators but, once again, must be able to describe its use in practice.
20. Legal - CISOs do not need to be lawyers, but they need contract and regulation experience. Further, they need experience negotiating with lawyers, as your CISO may need to be called in to identify problems in potential contracts and help the opposing side understand why what they are asking for is either not possible or not beneficial to either party. Also, a CISO with little experience working with lawyers may not understand when and how legal privilege is required, or even when it is ineffective. Some experience testifying would also be a plus, on the off chance your CISO is called to testify in court or in front of regulators. The type of testifying experience is probably less important than them having some.
21. Privacy - Privacy used to be considered a subcategory of security, but with the promulgation of regulations mandating privacy, it has become a topic of its own. Your CISO must have privacy experience, specifically around meeting laws or regulations. Most privacy regulations have several similarities, so as long as your candidate has some experience, your specific regulation will not cause them a challenge. Also, if they have experience meeting a different regulation than your specific one, they may bring solutions you have not yet considered.
22. Application development security - Every organization has people who write code; experience has shown that all code has bugs. Your CISO should have direct experience with policy and implementing mitigations for application development security issues. They do not need to be a coder but do need to understand what technologies, processes, and procedures can help solve the security issues. Your candidate should have direct experience with code scanning, secure coding checklists, and secure Software Development Lifecycle (SDLC) policy to help mitigate this issue.
23. Information Rights Management (IRM) / Data Loss Prevention (DLP) - Even if you have the best and most trustworthy employees in the world, they are going to steal your IP and data. The honest ones will do it not by intent but through misunderstanding or accident; either way, people will walk out with what makes your organization unique. Of course, some will do so intentionally. IRM or DLP, depending on the vendor, are part of the keys to help you stem the tide of your assets flowing out of your organization. Your CISO needs experience with these technologies, specifically in application and tuning. Also, their experience should cover where you need IRM/DLP and some experience in how you tune the technology to get the best results and the fewest false positives.
24. External standards - External standards are one of the best ways to allow other organizations to judge your security posture. They are also a great way to guide your overall security program. The two reigning champions are ISO 27001 and country-specific ones like NIST CSF / 800-53. Over the past ten years, out of thousands of client questions, ISO 27001 is the most often asked for, with country-specific ones like NIST being occasionally asked for in country. On the topic of privacy, ISO 27701 is the most asked for globally. Your candidate should have direct experience with some global standards (ask specifically for ISO 27001 since it is the most popular globally) and some knowledge of in-country standards. If you do anything with hosting, your candidate should also understand the difference between a SOC 1 and a SOC 2. Still, as long as they have some experience getting an organization certified under a standard, the specific standard is less important.
25. Employee education and training - You can get everything else right, but if your employees are not well-educated on security, you will fail. Many years ago, a friend and fellow employee stood up from his cube and yelled, "The network would be fine if it were not for the darn users." All of us, of course, laughed, but the reality has not changed in thirty years. People are smart and creative, and they will come up with innumerable ways you have never considered to do things. Education is the key to guiding all of their great ideas. When people understand the need for security and why you do something a certain way, they can consider that when they are being creative. Your CISO candidate needs direct experience specifying and creating security training.
26. Overall technical aptitude and experience - Even with all of the nontechnical hats your CISO will wear, the role still has a strong technical component. A CISO without some technical chops will be unable to understand the full suite of risks your organization faces. You can backstop the CISO with someone who is strongly technical, but pouring water from bucket to bucket always leads to loss, and their inability to lead technically will cause your teams to doubt their abilities. The best case scenario is to find someone with technical experience, but if you find a candidate with everything else and no technical chops, understand the limitation and plan to mitigate it.
27. Physical security - I try very hard not to make definitive statements about security, but if you do not get your physical security right (notice this is my second definitive statement after training above), nothing else you do in IT security matters. One of the tricks that hackers used was to sneak into an office after hours, pull the hard drive out of a computer, and replace it with a broken one. Now they have everything on that computer and the organization is none the wiser because they think the hard drive failed. It does not matter if it is on-premise or in the cloud; if physical security fails, your data belongs to someone else. Worse, if the incident is reportable, it can be much more complicated in a physical security failure situation to even understand the actual scope versus the potential scope of the loss. Look for a candidate with some understanding of physical security and, if possible, some relevant experience. With that said, CISOs with real physical security experience are much harder to find and are generally considered unicorns.
28. Business Continuity (BC) - I have not yet brought up the tried and true CIA triad. CIA stands for Confidentiality, Integrity, and Availability and is one of the oldest models or frameworks used in security. Everyone used to strive to link their programs to the CIA model components as part of their work, and BC is a strong consumer of the A in the CIA triad. Look for a candidate with BC experience, and if your CISO does not own BC at your organization, ensure they are involved in the process.
29. Encryption and hashing - Encryption is one of the key technologies that every candidate should be very familiar with. They do not need to know how to roll their own, nor, in almost all cases, would you want to use a homegrown encryption protocol. However, the basics of symmetric and public key encryption are very important, as well as how and when you might use encryption. They should also understand the issues that encryption might cause you (hint: when using an IPS or IDS). Hashing algorithms are very valuable in security, and candidates should have knowledge of them. They do not need to be experts in hash cracking using John the Ripper (JTR) or Hashcat, but they should be able to describe some useful ways that they might use hashing.
30. Networking - I left networking for last in this section because it is the basis of the Internet. Without networks, you do not have the Internet. The network is how your clients and the hackers get to you. CISOs need some networking experience to understand how network-based attacks work and ways to mitigate them.
Unique Experience:
This is the fine-tuning section where something specific (notice I did not say unique) to your organization should be considered.
1. Technology X - Every organization has specific technologies they use. It would be great if every CISO knew the specifics of every technology, but with all of the other things CISOs must know and do, it is just not possible. The best policy is to treat technology X as good to have but not a requirement, with related technologies as reasonable alternatives. You already have any number of experts in your specific vendor's technology, so as long as the candidate has experience and/or knowledge of a related technology, you will be in great shape. That said, you should set a reasonable timeline for your CISO to become familiar with your specific technology using their team and other related resources. Better still, ask them in the first month to deliver a plan on how they will become familiar with technology X.
2. Regulation X - Every industry has regulations that must be met. Over the years, I have interacted with people from every sector; invariably, they tell me how their specific regulation is unique. There is no question that each regulation has specific items that are unique to it, but when you stand back, the regulations are more similar than not. Every regulation has components that must be met, reporting that must happen, and rules that must be followed when things go wrong. The specific details of those items are easy to find and summarize. At the same time, the skills learned by meeting any regulation apply to meeting any of them and cannot be learned through theory, only practice. Find a CISO with general regulatory experience, but don't get stuck on regulation X. Make it a nice to have but not a must, or you may throw out most of your best potential CISOs and be left with someone who has that specific experience but is lacking much of the rest you need.
3. Industry X - From a CISO's point of view, every industry has the same basic risks, just each risk is rated at different levels based on their underlying threats. After working with thousands of clients, experience has shown that the basic risk basket stays mostly the same; it is the risk rating that changes. If you are an auto manufacturer, your risk portfolio will be very similar to that of a bank or a hospital, but the auto manufacturer will have a greater risk of IP theft, the bank of monetary theft, and the hospital of information exposure, causing their risk ratings for each risk to differ. Your CISO bathes in risk constantly and will adjust their thinking to match your industry. Don't choose based on industry X but on the candidate's ability to talk about your risks related to industry X.
Alternatives to Experience:
We have covered a significant breadth of experience your CISO needs, but what if they are lacking in a specific area? Should you throw them out? Of course not, as no CISO will get full marks in every area, but you can use experience alternatives to help balance your selection.
Other certifications. Almost all topics covered in the experience section have a certification that purports to show some level of skill and experience in the topic. If you run the person through your process and they look interesting but you are concerned about their experience in something, ask them if they have a certification in that area. For example, if they lack experience in risk, they might have a risk-based certification.
Education. Advanced education is always a plus and should be considered in place of experience if available. However, since education (including certification) is theory rather than practical experience, it must be weighted less strongly than experience.
Leadership and related soft skills:
I left leadership and soft skills for last, as in a CISO role, they should be a given. Much of what CISOs do requires considerable time and effort to convince others to do things they do not want to do, and often to lead employees, contractors, vendors, and clients into doing the right thing without letting them know they are being led. Your CISO needs the positive traits of a politician and a leader to be successful in the role.
1. Talent management - We will cover what a CISO does in another article, but just considering all of the things your CISO needs to know, it is obvious they will need some help. My current team has 58 people, and there is zero chance I could provide the services I do without them. Your CISO should have direct experience in building and leading teams. In today's environment, they should have global team experience and must have remote experience. Very few medium or large organizations exist in a single office and are instead spread across a country or multiple countries. Your candidate's demonstrated experience building and managing teams remotely is critical to their success.
2. Multi-time-zone skills - This is a topic I rarely see covered, but working across global time zones (and, in some cases, just national ones) is considerably more difficult than working in a single time zone. Your candidate will not work from nine to five, or even five days at ten hours per day. They need the experience and time management skills to work in broken periods across 24 hours. As the person hiring them, you need to understand that you will not see them from 9 to 5 but may see them at 6 AM, 2 PM, and 3 AM. During a significant incident, you may even see them online leading teams 24 hours a day for multiple days.
3. Interview techniques - CISOs interview people constantly. The hiring process and investigations are the most obvious times, but also, just about any time a CISO asks a question, they are using interview skills to obtain accurate and truthful knowledge about the topic. A CISO candidate should be able to describe some techniques they use in interviewing, with special emphasis on detecting lies.
4. Communication - Communication is a skill, and its top practitioners can be viewed as wielders of forbidden arts. Good communication is hard. Shoot for someone who can communicate reasonably well and knows their limits. For example, I know I can get my point across, but when communicating with large audiences, I usually ask the comms team to help. Also, your candidate should understand and explain the risks of cross-communication and the need to control communications.
5. Honesty and reliability. You might not consider honesty and reliability a soft skill, but without the two, you do not have a CISO but a hindrance to your organization. Your CISO's word should be their law. You must be able to trust them and rely on their word and deeds. This may be the hardest thing to measure during your interview process, but you must measure it and throw out any candidates who have shown a lack of honesty and/or reliability. A thorough background investigation (not a standardized check) with, in the best case, an interview by the investigator should be able to sort your top candidates for you. I have one if you need the name of a seasoned investigator of this type. They are very hard to find, but I do not mind sharing mine privately.
6. Innovation - Your CISO is bathed in risk, balances your business needs and security needs, must protect you from internal and external threats, and, when things go sideways, will clean up the mess. To do all of this, they will need to be an innovator. It is better still if they understand your business well enough to come up with ideas for growing and expanding it. Creative thinkers with good ideas are hard to find, so look for hints that your candidates can innovate. Patents are a good proxy, but very few people have them, so look for things they have done that show innovation. Any form of creativity you can find in their resume may point the way to your innovative CISO. The best part of hiring an innovator is that they will devise creative ways to streamline their part of the organization so that you get more for the same price.
7. Job stability - CISOs, by the nature of the job, are long-term planners. It takes time to understand the full suite of risks facing an organization, develop a plan, and then execute it. A candidate who has been job hopping is not the right person to fill any CISO role. You need stability. If nothing else, you need a CISO who, when something goes wrong, you can count on to take responsibility and stick around to help clean up the mess. With that said, CISOs who have been working for startups may look like job hoppers when they were actually hired to do a job and then expected to move on.
8. Understanding the business need - This may not sound like a soft skill, but it is vital, which is why I listed it last. By the nature of the job, CISOs will cause some friction. They will slow processes and implement things required by regulations or other compliance or governance needs that can make things more difficult. A good CISO will help the organization understand the requirements, create an appropriate process, and then work with other executives to shape the process to fit the business needs while keeping the organization's risk tolerance in mind. This is very challenging to do correctly, and your candidate should be able to describe a compliance program they created and ran where this balancing was required.
I wish you the best of luck in finding and hiring the best CISO you can get. The number of qualified CISOs available is considerably smaller than the number needed, so a good CISO will be challenging to find and will be expensive. You want the best you can get to keep your organization and data safe and, when things go wrong, to clean up the mess. Hopefully, this article has helped you identify the full suite of qualities required so you can find exactly the person you need.
References:
(1) https://www.study.eu/article/the-academic-backgrounds-of-the-worlds-most-powerful-ceos
(2) https://www.isc2.org/Certifications/CISSP
(3) https://www.isaca.org/credentialing/cism
(4) https://www.isaca.org/credentialing/cisa
(5) https://ciso.eccouncil.org/
(6) https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh/
(7) https://www.isaca.org/credentialing/crisc
(8) https://www.ibm.com/topics/grc
(9) https://www.amazon.com/Enterprise-Architecture-Strategy-Foundation-Execution/dp/1591398398
© 2024 Carl Almond