A Checklist for Hiring a CISO

Category: Data Security , Cyberbytes
Author: Josh Isley

Every organization has different methods of filling staff positions. Some organizations have a simple process while others take a more complex approach. It takes time to screen through resumes, interview candidates and make those important decisions that determine the direction of the company. Hiring a Chief Information Security Officer (CISO) might be one of the most challenging hires an organization can make. Ideal candidates are scarce and excellent candidates are rarer. It’s crucial to understand exactly what to look for in a CISO candidate. Hiring the wrong candidate can bring security ramifications that can plague an organization for years to come. Here’s a checklist to consider when hiring a CISO.

Credibility with the company

The CISO position is not a place for someone to “learn on the fly.” A CISO should be able to implement a security plan for the organization and identify risks immediately. Organizations should feel comfortable with the candidate from the very start. Support and trust go a long way in determining a successful hire. Companies will often hire from within their IT management team because of the comfort level that a familiar face provides. This can be a successful strategy if the candidate possesses the necessary technical and business-oriented skills to perform at the highest level.

Holistic approach to risk

CISOs must do more than just identify potential risks. Every area of technical and physical security should be addressed and managed. It is the duty of the CISO to lay the groundwork for the company’s security strategy by implementing policies and procedures. They should be able to manage security issues with a business approach. They see the big picture of how technical risks effect the current state of the organization as well as what implications they bring for the future of the organization.

Strong communication and interpersonal skills

Many times, CISOs are second or third in command in a company. This means they will be in contact with the executive suite, IT professionals, and non-technical employees. The CISO should be able to communicate effectively with each of these three sectors. The CEO and board of directors should feel confident in the company’s security plan based on a CISOs presentation. If strong communication skills are lacking, the executive suite might struggle to see an ROI from the security budget.

The CISO should also thrive in technical communication. This allows for strong leadership oversight of how the IT security team is managed. IT pros should all be on the same page with the CISO by understanding the ins and outs of the company’s security strategy.

Communication with non-technical employees might be the most important interpersonal skill for a CISO. Employees need to know how they play a role in protecting the integrity of the company. They should be provided with education resources that build their knowledge of cybersecurity. They also need to be informed of data breaches that occur in other organizations. This helps them see what causes a data breach and how it can be prevented.

CyberAttacks Webinar Recording - Watch Now!

Builds a strong team of IT professionals

As stated, IT pros should trust the security strategy of the CISO. This begins with the hiring process. A CISO should be able to build a team of strong IT security professionals around him or her. These IT pros should share the same vision as the CISO and have a proven record of thriving in the IT threat landscape. It’s also important to have an appropriate number of IT pros on staff. D.J. Vogel, a security and compliance professional for the Chicago professional service firm Sikich LLP, says, “Security has such a wide breadth of knowledge that no candidate can be an expert in everything.” Having a diverse team of IT pros with specialized skills strengthens the entirety of the company’s security.

Creatively manages a budget

Budgets can be a tricky asset to maneuver in the security space. Organizations often know what they are willing to spend on cybersecurity even if a CISO is not on staff. When a CISO is brought in, they are responsible for creating an effective security budget that won’t create a financial burden for the business. Not every business is capable of meeting every financial request of the CISO. This is where quality CISOs show creativity to adjust security measures to meet the budget they are provided. Quality CISOs will also be honest with the board about what security gaps exist due to budget gaps.

Schedules regular audits

A strong CISO candidate understands that they aren’t the be-all end-all of security. At the same time they understand the magnitude of their position and the responsibility that lies on their shoulders. This is why it’s so important for a CISO to prioritize regular security audits. This includes vulnerability scanning, penetration testing, phishing simulations, and any other variation of risk assessment. This ensures that all gaps are being filled and all threats are being resolved. Asking questions that revolve around security audits and the frequency of them is certainly worth addressing during the interview of a CISO candidate.

vCISO Solution

Many organizations are not ready to take the step towards hiring a CISO. It’s certainly a major decision for any organization no matter the size. Regardless of this, implementing a strong security plan is an easy decision. Every organization needs a plan to mitigate risk and prevent malicious attacks. NXTsoft’s ThreatAdvice vCISO solution can help create a security plan for any organization without increasing headcount or breaking the bank. A virtual CISO allows organizations to outsource cybersecurity responsibilities and realize the benefits of strong cybersecurity oversight without the headache and additional expense of hiring in-house. ThreatAdvice vCISO provides a software solution backed by an experienced team of CISO’s that is worth evaluating if you a considering hiring an in-house CISO.

December 19, 2019
Back