April 20, 2017 By David Strom 2 min read

One of the most critical hires of any IT-related job is usually the chief information security officer (CISO) or chief information officer (CIO). But the decision to hire these executives is one CEOs and boards of directors typically do not want to make. This decision is often made during a crisis of some kind. It could result from a knee-jerk reaction to a major security breach or a new CEO’s desire to clean house and set a new strategic path.

On his blog, Froud on Fraud, David Froud referred to the CISO as the “chief impending sacrifice officer.” The reason for the snarky interpretation of the acronym is simple: Too often companies are looking for a quick fix to their security policies and want a new CISO to come in and sort things out. This doesn’t bode well for the CISO, who usually ends up “paying the price” by eventually being fired for not meeting expectations. It doesn’t help that CISOs can sometimes lose sight of corporate business objectives and speak a different language than their corporate superiors.

Listen to the podcast: Directors Are From Mars, CISOs Are From Venus

Breaking Down the Search for a CISO

The hiring decision is really a two-pronged process. First, the enterprise needs to find the right person for the job, and that person must decide whether the job is right for him or her. “By far the biggest challenge for organizations in hiring a CISO is doing it for the right reason(s),” Froud wrote. “Unfortunately, the reason, 99 times out of 100, is a necessity.” The time to really understand this is now, during normal operations — not during a security breach or other IT crisis.

The first step is to think of this hire not as the person, but as the function needed within the organization. That can be difficult because CEOs and boards of directors typically aren’t used to thinking about these functional areas and prioritizing which specific projects need the most help.

In another post, Froud categorized companies into three different focus areas: planning, execution and optimization. Depending on where a company’s security program is in this continuum, the focus areas require very different kinds of CISO in terms of skills and personality. The planner, for example, is good at getting a program started, writing an initial security governance charter and selling it to the executive suite. But he or she may not be prepared to ingrain security into company culture over the long term.

Bringing Big Ideas to Life

Once you know the kind of CISO you need, the next step is matching the right skills to refine your selection set. This might mean working with a series of different people as you move from planning to implementation.

The search for a CISO is not about hiring the right person. Rather, Froud wrote, “it’s about committing to an idea and doing whatever it takes to bring that idea to life.” CEOs and boards of directors facing the tough task of hiring a CISO should remember this excellent advice.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today