One of the most critical hires of any IT-related job is usually the chief information security officer (CISO) or chief information officer (CIO). But the decision to hire these executives is one CEOs and boards of directors typically do not want to make. This decision is often made during a crisis of some kind. It could result from a knee-jerk reaction to a major security breach or a new CEO’s desire to clean house and set a new strategic path.

On his blog, Froud on Fraud, David Froud referred to the CISO as the “chief impending sacrifice officer.” The reason for the snarky interpretation of the acronym is simple: Too often companies are looking for a quick fix to their security policies and want a new CISO to come in and sort things out. This doesn’t bode well for the CISO, who usually ends up “paying the price” by eventually being fired for not meeting expectations. It doesn’t help that CISOs can sometimes lose sight of corporate business objectives and speak a different language than their corporate superiors.

Listen to the podcast: Directors Are From Mars, CISOs Are From Venus

Breaking Down the Search for a CISO

The hiring decision is really a two-pronged process. First, the enterprise needs to find the right person for the job, and that person must decide whether the job is right for him or her. “By far the biggest challenge for organizations in hiring a CISO is doing it for the right reason(s),” Froud wrote. “Unfortunately, the reason, 99 times out of 100, is a necessity.” The time to really understand this is now, during normal operations — not during a security breach or other IT crisis.

The first step is to think of this hire not as the person, but as the function needed within the organization. That can be difficult because CEOs and boards of directors typically aren’t used to thinking about these functional areas and prioritizing which specific projects need the most help.

In another post, Froud categorized companies into three different focus areas: planning, execution and optimization. Depending on where a company’s security program is in this continuum, the focus areas require very different kinds of CISO in terms of skills and personality. The planner, for example, is good at getting a program started, writing an initial security governance charter and selling it to the executive suite. But he or she may not be prepared to ingrain security into company culture over the long term.

Bringing Big Ideas to Life

Once you know the kind of CISO you need, the next step is matching the right skills to refine your selection set. This might mean working with a series of different people as you move from planning to implementation.

The search for a CISO is not about hiring the right person. Rather, Froud wrote, “it’s about committing to an idea and doing whatever it takes to bring that idea to life.” CEOs and boards of directors facing the tough task of hiring a CISO should remember this excellent advice.

More from CISO

CEO, CIO or CFO: Who Should Your CISO Report To?

As we move deeper into a digitally dependent future, the growing concern of data breaches and other cyber threats has led to the rise of the Chief Information Security Officer (CISO). This position is essential in almost every company that relies on digital information. They are responsible for developing and implementing strategies to harden the organization's defenses against cyberattacks.However, while many organizations don't question the value of a CISO, there should be more debate over who this important role reports…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…

6 Roles That Can Easily Transition to a Cybersecurity Team

With the shortage of qualified tech professionals in the cybersecurity industry and increasing demand for trained experts, it can take time to find the right candidate with the necessary skill set. However, while searching for specific technical skill sets, many professionals in other industries may be an excellent fit for transitioning into a cybersecurity team. In fact, considering their unique, specialized skill sets, some roles are a better match than what is traditionally expected of a cybersecurity professional. This article…