There’s a big shortage of qualified CISOs on the market meaning there are openings everywhere but a lack of credible candidates to tackle this strategic role.
Leaving the CISO role open is never going to be a good option and you have to expect a five to six month lag time before you find the right person.
So how do you successfully fill this critical gap?
Ideally, your CISO is a technologist and partner to the business. Given that demand for these specialists is exceeding supply, finding the 'perfect candidate' may not be an option. Let’s look at the different models of CISO that you could potentially secure.
Different models of CISO
Security chiefs’ career backgrounds will vary but I find that candidates generally fall into one of the following archetypes:
- The risk manager
- The technologist
- The white hat hacker
- The cop
The risk manager
Risk managers come from a classic audit background. They have good interpersonal skills and have been operating as a second line of defence. They bring solid skills with frameworks for assessing and managing risks.
The risk manager profile can be easily sourced from a Big 4 audit or consulting firm. While they tend to lack technology depth, this is outweighed by their slick presentation and professional network.
Some IT risk and assurance professionals do have some technical skills and I’ve come across a few that are penetration testers. In the main though, the risk professional traditionally ‘ticks boxes’ and ensures sufficient controls are in place.
This is a useful start but it’s not going to be enough. You need to look out for someone with a resume that demonstrates they are accountable and willing to learn.
The technologist typically will come with a deep network and infrastructure background. He or she may have been a CTO in a past life and managed a security team. A focus on operations and projects will rate highly and they have an appreciation of the effort required to complete tasks like patching.
A CISO role requires strong technical depth and understanding of technology architecture fundamentals is a critical skillset. This candidate has some ‘scar tissue’ which is really useful when dealing with managing change and tackling the balancing act between operating and maintaining infrastructure.
When considering a technologist, watch out for the soft skills such as how they work with other staff. A CISO’s key role is to build a culture of cyber security across an organisation and while the technologist will understand the importance of this intent, their needs to be a strong focus on how to communicate this agenda.
The white hat hacker
This potential candidate will most likely be a referral rather than an applicant – a ‘white hat’ hacker who simply wants a new lifestyle.
Their natural instincts and ‘hands on’ skills are the greatest asset that they bring to the table. The hacker has very strong technical skills to anticipate and respond to cyber threats.
They may have weaker planning and business engagement skills, but would be seen as a natural subject matter expert – perhaps even a spokesperson for the company as a symbolic hire with a high profile in the marketplace.
Look out for a clear understanding of how well they manage a team and positively influence a community. In many ways, this should come natural to the hacker.
The final caveat is understanding how to tell the difference between a white and black hat hacker. I’m not sure that there is an easy litmus test.
This candidate will come from a compliance and security background and you can guarantee that he or she will be all about ‘adherence.’ The candidate will be strong on governance and discipline with a focus on scorecards to measure progress.
The policeman or policewoman is an authority figure or enforces standards and is respected for being a tough person to deal with. This cop will ensure that the organisation maintains a strong security posture and be able to easily liaise with law enforcement and other external entities.
While the cop is a handy person to have around, you also require some leadership to be displayed, rather than just compliance. Merely following the letter of the law may not work in certain circumstances.
You will need your CISO to manage change and not just maintain the status quo.
Now that you have your short list categorised mentally, it’s time to make some decisions. But remember, don’t dwell on this too long as the CISO candidate most likely has a few options in front of them.
Ideally, your CISO has a combination of the above skills. But ultimately, you need a leader who is passionate about building high performing teams and can ‘evangelise’ cyber security across the enterprise.
It’s a hard combination to find. Good luck.