What to look for in your next CISO

CISO is a trendy job title, but turnover is high. Here's how to hire one who'll last.

Hiring a chief information security officer (CISO) is a tricky process. The job title is in the limelight, especially these days, when breaches are happening to so many businesses. The job turnover rate is high, with many CISOs quitting or getting fired because of security incidents or management frustration. And the supply of qualified candidates is low. According to the ISACA report, State of Cyber Security 2017, 48 percent of enterprises get fewer than 10 applicants for cybersecurity positions, and 64 percent say that fewer than half of their cybersecurity applicants are qualified. And that's just the rank and file IT security positions, not the top jobs.

So here are some things to consider when you need to find a CISO and you don't want to hire a "chief impending sacrifice officer."

Which CISO style is right for you?

Make sure your expectations match with your candidates. Motivations cover a large landscape, including corporate culture, your business philosophy, and the actual underlying IT infrastructure to be protected. "Every company has its own DNA," says Shahar Ben-Hador, who has been CISO at Imperva for the past two years.

Companies look for CISOs at different points in the security lifecycle, which affects the kind of help they need in terms of security planning. Security consultant David Froud suggests there are three CISO types:

  • Those who create security plans from scratch, before a company even knows what it needs
  • Those who get things done and put these plans into action
  • Those who are more long-term managers and can play the political games

These are not mutually exclusive skills, and they may not be how you characterize your company's security and business processes. "If you're looking to hire a CISO to sort out your security, you've already started down the wrong path," says Froud. "The hiring of a CISO is not about finding people; it's about committing to an idea and doing whatever it takes to bring that idea to life."

Once you have this understanding, there are then various corporate cultural aspects to consider. "I have found that no matter how comprehensive our policies may be, if you don't have the right culture among your workforce, they won't matter. Education, understanding, and inclusion are the ways to build the right security environment," says Joshua Belk, who was the FBI's CISO at the beginning of the decade and continues to work in IT security today.

On the cultural front, you need to understand the generational mix of your employees. Consider software giant Citrix, which has 9,500 employees, 51 percent of whom are millennials. Citrix commissioned a study with the Ponemon Institute and found the following:

  • 55 percent of security and business respondents said millennials pose the greatest risk of any age group in regard to circumventing IT security policies and use of unapproved apps in the workplace.
  • 33 percent said baby boomers are most susceptible to phishing and social engineering scams.
  • 30 percent said Gen Xers are most likely to exhibit carelessness in following the organization's security policies.

As the article citing this research says, "Different generations of employees hold different mindsets about security, but it's important to keep in mind that any employee could fall victim to any type of security incident, regardless of age."

Experience matters

You should find out if your candidate has ever put together a post-breach plan. Review what it contains. "What tasks do you perform first? Do you need to re-image an infected system? You need to see what the malware is doing, and where it has been across your network before you can mitigate it and respond effectively," says Lenny Zeltser, an instructor at the SANS Institute and now vice president of products at Minerva Labs. "It is more than just a simple notification that you have been hit."

The latest from Ponemon — 2016 Cost of Cyber Crime Study & the Risk of Business Innovation

One way to learn whether a CISO has the qualities you need is to consider testing candidates for their personality type. For my first job in journalism, I was given a personality test, which determined that I am ISTJ on the Myers-Briggs scale. If I was going to become a CISO, a better match would be ESTJ, according to Froud's experience with the many CISOs he has known over the years.

At a minimum you should acquaint yourself with the various personality types and know what to look for. But it may make sense to actually test your final candidates, too. The typical ESTJ is driven by external motivations (that's what the E stands for) and are natural leaders, two qualities you need in any CISO.

Once you have a better idea of the kinds of security projects and the types of people who would work best, your next major decision is whether to go after candidates with more hands-on experience or credentials. Most of the time, experience wins out. "I do not know one CSO/CISO who is primarily focused on technology," says Froud. "It's the people and processes that give [security] technology context, not the other way around."

Part of the challenge is that security technology is always changing. "Threats evolve and adversaries innovate all the time, so defenses to prevent attacks have to innovate and evolve too," says Ben-Hador. "And businesses evolve as well. As a company's infrastructure evolves, so does its threat landscape."

Sometimes, the candidate choice is obvious. "The person we selected had many years of experience, most in a financial firm and a few years with a defense contractor," says the CIO at a medium-size Manhattan office. "Many other candidates did not have this in-depth experience. InfoSec was either something that had been just a component of their responsibilities or something they wanted to transition into."

But hiring a CISO isn't just about finding someone with the most technical prowess. It is easy to get lost in the weeds. "You will be lost in a never-ending cycle of throwing technology after technology at something that could likely be fixed by adjusting the business processes you're trying to protect," Froud cautions. "Remember that the vast majority of the CISO function is just a series of consulting projects designed to help the business meet its goals."

Still, it is important to have a balance. "A successful CISO needs to be both strategic and tactical," says Ben-Hador. "The devil is in the details. It's fundamental for the CISO to understand what those critical assets are and to focus on protecting them."

Back to basics

Often, those who have been on the front lines of defending networks can formulate better strategies to lead into the next phase of the business. "Nobody appreciates comprehensive procedures and standards as much as someone who has just taken down a client's firewall," Froud says. Strong CISO candidates will have these foundational skills. 

"Security is a joint partnership between IT and our users; it is a shared responsibility of the entire enterprise," says Ganesan Ravishanker, CIO and associate provost at Wellesley College in Wellesley, Mass. "If our users aren't following best practices, they can expose our enterprise to data security issues. Security is a critical part of everything that we do." 

In short, there's a lot to consider in finding the perfect CISO. It involves hiring someone who can balance planning and effectiveness as well as leadership and knowledge, and be sensitive to the company's culture and philosophy.

What to look for in your next CISO: Lessons for leaders

  • There are three CISO types, suggests one expert. Understand which type you need.
  • Culture is critical when building the right security environment.
  • Hiring a CISO isn't just about finding someone with the most technical prowess. 

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.