CISO roles – both full-time and fractional – are on the rise. Their skills can help a growing organization enhance its security program, keep it on track, and guide in times of crisis and change. However, finding the right CISO can be tricky business, especially if this role is new to your organization. Here are the skills to look for when hiring your CISO.
They Have to Be Agile.
Being a CISO is a tough job. Expectations are high, they may be stepping into it (a crisis), and they have to inspire trust within their engineering team and the C-suite. Not many personalities can do both. Therefore, your CISO has to be nimble enough to gracefully traverse all of these variables.
They Have to Speak Multiple Languages.
Unlike some IT leaders, your CISO won’t be confined to just communicating with IT departments. They’ll be tasked with communicating strategies to board members, non-technical executives and customers. CISOs have to be able to effectively communicate with each tier of your business, otherwise they’ll never be able to get organizational buy-in for their plans. In some cases, this is the type of communication gap that occurs when a senior-level engineer rises the ranks internally and is now in a CISO role, but they can’t speak effectively to non-engineer roles because they were never trained to.
They Have to Use Their Right Brain as Much as Their Left.
A great CISO will demonstrate creativity and flexibility that matches their expertise in IT. Most incoming CISOs will have their own playbooks and preferred processes. However, the right CISO will be able to adjust and customize their approach based on your organization’s unique structure and variables. The result should be one that enhances the overall security program in a way that increases security awareness and visibility while reducing uncertainty and risk.
This complement of both technical intelligence and situational savviness is important so that they’re able to successfully merge their cybersecurity vision with your organization’s reality.
They Have to Have Been Around the Block A Few Times.
Working in specialized regulatory environments, like PCI and HIPAA, are very helpful and even necessary for a CISO. If they haven’t already been through these types of compliance efforts from a leadership standpoint, they won’t be fully prepared for the role. Regulatory violations can come with steep penalties, such as GDPR non-compliance violations are predicted to be in 2019, so having a CISO on-board who actively works to ensure your organization’s compliance is of the utmost importance.
Incoming CISOs should also have handled or be experienced performing tabletop exercises simulating a cybersecurity breach – one that activates an incident response protocol – also from a leadership standpoint. Why? Because they will have learned from the process and will bring that knowledge into your organization. It will demonstrate that they are prepared to handle this type of high-stress situation, including keeping clear sight of roles, responsibilities and critical communications. These kinds of experiences make for better leaders.
They Have to Be Able to Understand, Quantify and Measure Risk.
This is a key security trend for 2019. One significant enough that incoming CISOs should bring this up proactively during their interview.
The quantification of risk is something that many CEOs, CFOs and board members are thinking about and beginning to ask for. The fact is, quantifying risk has always been both an enormous challenge and somewhat of a holy grail for information security leaders. The industry is finally making the turn, and we’re able to quantify risk in a much more scientific way than ever before, although, there is still much work to be done. As such, your CISO needs to be the person to establish and/or optimize the information security measurement framework and manage the execution of it from the top down.
While the role of the CISO can seem an intimidating hire at first glance, don’t let the complexity of its technical focus overwhelm you. Ask your CISO candidates to explain their experience, successful methodologies and strategies to you. Be sure that they’re both flexible and creative in their approach, and don’t hesitate to quiz them on current cybersecurity trends and issues, including how those might fit into your future security strategy. Finally, learn about their prior experience with information security visibility tactics, breaches and compliance efforts. Just as in any relationship, finding the right fit is key to ongoing contentment and peace-of-mind.