It is no secret that finding and recruiting strong Chief Information Security Officer (CISO) candidates is far from easy. Many CISOs typically stay in a role for a few years and subsequently are not able to dedicate adequate time to the development of junior leaders who could become the next wave of security leaders.

Most organizations are forced to look externally for the experience they require. However, looking for outside hires also contributes to the shortage of potential internal leaders, as skilled professionals are often overlooked. For the security industry to thrive, this needs to change, and it starts with grooming the next generation of leaders. 

The Role of the Security Lieutenant

A CISO needs a strong bench of lieutenants to take control of the different security areas within the company. These leaders will play a critical role in the success of the security team, as well as the organization as a whole. The strongest of these leaders are ideal candidates to be groomed into future CISOs.

Selecting one of your leaders for grooming starts with those who are already the head of a primary security function such as operations, engineering and architecture, or IT compliance. But the CISO role is larger than those areas and a lieutenant should be able to handle duties that can range from supporting risk management across security domains to understanding business and technology needs, as well as supporting education on cyber risks.

Potential future CISOs also need a set of ‘soft’ skills that can be further developed in-role. Candidates should have the ability to manage relationships and communicate with leaders outside of the security function. An understanding of how security fits into wider business objectives is also important, and it helps if a candidate has already displayed non-technical leadership ability and a desire to take on additional responsibilities.

Security is a constantly evolving field, so above all, lieutenants must have the drive to continually develop their skills and gain experience from all interactions, both inside and outside their own department. An understanding of financial concepts and portfolio management are also essential skills to develop.

Challenges Recruiting Security Deputies

Recruiting for security roles is never easy. The challenge stems from an evolving threat landscape that increases pressure from internal stakeholders, outside parties and customers. In order to meet new industry requirements, security programs are growing in scope and the leadership roles have to spread over multiple domains such as fraud, privacy, risk and physical security.

While recruiting for lieutenant roles, expect to come up against at least four challenges: 

• Recruitment Timeline: On average, it takes seven months to recruit the right security leader. During that time, the team will have to manage the same amount of work and responsibilities with less support.
• Recruitment Costs: For years there has been a continual upward trend in the cost of recruiting and retaining security roles. Strong candidates are in high demand, and organizations are willing to pay the market price for strong expertise. If you want to attract and retain the best talent, it’s important to be competitive and understand what other companies offer in terms of benefits and on the job perks.
• Finding the Right Skill Mix: Being an effective leader requires a fine balance of technical expertise, soft skills, business acumen and the ability to remain calm in stressful situations. Unsurprisingly, few candidates possess this balance. Successful candidates will need to develop those skills and current leaders will need to provide situational training and exposure to upper management. This experience is critical in their development and isn’t widely available to prospective security leaders.
• Cultural Match: It is also important to recruit candidates that are a good cultural fit for your organization. To help ensure this, include HR and other internal experts in the evaluation process. It’s important that all levels of the CISO organization are represented in the interview process. Just having a candidate meet with the management team does not provide a sufficient picture of how they will fit with the full team. For the same reason, it’s also a good idea to have them interview with business customers.

Internal vs. External Recruitment

There’s an age-old argument about whether internal or external recruitment is a better source of security talent. And generally, it comes down to the preferences of the incumbent CISO. However, the availability of internal resources, the type of expertise and/or experience needed for the role also plays an important role. The Cyber Business Executive Research: Building the Future of Security Leadership report, lays down some of the main traits CISOs and some of the top security leadership recruiters in the industry believe may help identify and recruit strong security deputies:

1. For internal recruitment:
   • It is critical to always hire candidates with solid technical competencies.
   • Look for candidates with the ‘soft’ skills needed for leadership and a readiness to be trained.
   • Identify likely successors to your current security leadership and create a plan for their development.
   • Identify potential deputies early to allow them time for growth. It can take years to prepare a promising candidate for even junior leadership roles.
2. For external recruitment:
   • Use your current CISO’s network to identify candidates. It helps if your CISO has an established following in the industry.
   • Maintain a continuous pipeline of potential candidates, as security roles turn over frequently.
   • Proactively hunt for candidates. Many organizations have aspiring candidates, but no leadership positions for them to fill.
   • Build relationships with career advisors that provide continuous cybersecurity education, they have constant access to experienced applicants.

Building the Future of Security Leadership

The security field is growing rapidly, and CISOs are taking on an increasingly wide range of responsibilities. As cybercrime continues to grow, and organizations rely even more heavily on their digital infrastructure, strong leadership will be critical to ensuring the effective management of cyber risks. Finding, recruiting and developing the next generation of modern CISOs is not an easy task, but will pay dividends if done right.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.