April 20, 2017 By David Strom 2 min read

One of the most critical hires of any IT-related job is usually the chief information security officer (CISO) or chief information officer (CIO). But the decision to hire these executives is one CEOs and boards of directors typically do not want to make. This decision is often made during a crisis of some kind. It could result from a knee-jerk reaction to a major security breach or a new CEO’s desire to clean house and set a new strategic path.

On his blog, Froud on Fraud, David Froud referred to the CISO as the “chief impending sacrifice officer.” The reason for the snarky interpretation of the acronym is simple: Too often companies are looking for a quick fix to their security policies and want a new CISO to come in and sort things out. This doesn’t bode well for the CISO, who usually ends up “paying the price” by eventually being fired for not meeting expectations. It doesn’t help that CISOs can sometimes lose sight of corporate business objectives and speak a different language than their corporate superiors.

Listen to the podcast: Directors Are From Mars, CISOs Are From Venus

Breaking Down the Search for a CISO

The hiring decision is really a two-pronged process. First, the enterprise needs to find the right person for the job, and that person must decide whether the job is right for him or her. “By far the biggest challenge for organizations in hiring a CISO is doing it for the right reason(s),” Froud wrote. “Unfortunately, the reason, 99 times out of 100, is a necessity.” The time to really understand this is now, during normal operations — not during a security breach or other IT crisis.

The first step is to think of this hire not as the person, but as the function needed within the organization. That can be difficult because CEOs and boards of directors typically aren’t used to thinking about these functional areas and prioritizing which specific projects need the most help.

In another post, Froud categorized companies into three different focus areas: planning, execution and optimization. Depending on where a company’s security program is in this continuum, the focus areas require very different kinds of CISO in terms of skills and personality. The planner, for example, is good at getting a program started, writing an initial security governance charter and selling it to the executive suite. But he or she may not be prepared to ingrain security into company culture over the long term.

Bringing Big Ideas to Life

Once you know the kind of CISO you need, the next step is matching the right skills to refine your selection set. This might mean working with a series of different people as you move from planning to implementation.

The search for a CISO is not about hiring the right person. Rather, Froud wrote, “it’s about committing to an idea and doing whatever it takes to bring that idea to life.” CEOs and boards of directors facing the tough task of hiring a CISO should remember this excellent advice.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today