This is the 2nd piece of a 2-part series. The first part can be found here: How to Hire a CISO: Trends
Michael Piacente is a Co-Founder and Managing Partner of Hitch Partners, and continues to share his expertise on the current trends for the CISO role, when, why, and how your scaling comphttp://guildtalent.com/blog/how-to-hire-a-ciso-trends-and-challenges/any should consider hiring a CISO.
Defining the Process
Nearly every company we work with has a different way of evaluating their own need for a CISO.
1. Determine where and to what level the consequence of their security challenge, level of data governance needed, and to what level of data sensitivity exists.
Asking these questions is a way of getting there, and also provides insight into where compliance and governance fall in the pecking order of priorities compared to the security engineering aspects of the role.
What is the company is selling?
Who are they selling to?
How they are selling it to their clients (i.e. cloud-native delivered v. packaged software)?
2. Discovering the maturity of their security program helps determine the current reporting structure.
If security operations only exists under engineering or product dev today than that is a good data point to determine the leveling of leader one might need to be successful.
If the position is primarily centered around needing a compliance and sales enablement expert than the approach to the search would be quite different.
There is no one or two most common reporting structures for today’s modern CISO
In 8 parallel CISO searches, all over the US and small to large companies, we found the CISO reporting to eight different executives; CTO, Chief Product Officer, GC, CEO, CIO, SVP Eng, and COO.
3. Type of data is important, while the size of the company is not
- While the specific type of data is important we really do not see the size of the company as a main factor when deciding what kind of CISO a company may need.
- There are some obvious rules such as a 150 person startup probably does not need nor will they be successful in attracting the CISO from Google or Netflix.
Finding a Fit
1. Communication needs to be aligned before going to search
Companies often struggle with internal alignment on the domain. This lack of alignment is often the root of the critical mistakes that companies make when attempting to complete a CISO search on their own.
- Will this leader be interacting primarily with other technical/eng/product teams?
- Is this a cross-functional adviser, presenting regularly to the executive team and BoD?
- Are there communicating often with clients?
It is critical that the company’s executives align on the desired domain expertise throughout the search process. Companies should be prepared to prioritize which domain expertise is most critical in the near term and/or consider filling the role with multiple hires to complement the expertise the CISO may be lacking.
2. Talent is finite while responsibility has grown exponentially
The challenge when embarking on a CISO search is that the pool of available and appropriately matched leadership talent is finite while the scope of responsibility parameters for the CISO position has grown exponentially.
The breadth of domain experience for a CISO has rapidly evolved in a short period of time. A CISO background typically stems from either Corporate Security, Security Engineering, or Compliance/Risk/Governance and while the combination of these backgrounds is always desired.
It is extremely rare to see a CISO with intimate knowledge and experience in all areas.
CISOs in the market today who have indeed mastered most or all of these areas these leaders are most certainly considered the unicorns of the space; coveted by all but not extractable by most. As a result, many companies are faced with making sacrifices on their security leadership searches.
- There is a massive talent war within the executive security community.
- The modern CISO is one of the most sought after and difficult hires to make due to a significant shortage of qualified candidates and a rapidly changing scope.
- The modern CISO search has become one of the most challenging, time-consuming, and expensive searches a company may entertain.
- The size of a company is not a determining factor, while domain expertise and alignment is a priority.
- Companies often make things significantly more challenging by not preparing and calibrating their search criteria, leadership expectations, compensation, location, and other key variables.
- Companies will need to do a better job partnering and calibrating on CISO searches if they are going to expect better results.
If you in a company where this has been or is expecting to be a challenge, give us a call, We built our company to help you with this very specific and unique need.