Times have changed. Today, cyber-crime problems have reached a tipping point, which requires another set of specializations that can be found in a Chief Information Security Officer (CISO). The CISO usually reports to the CIO, but the position requires broad powers with the discretion to use them with minimal oversight.
Demand for CISOs is creating a new shortage of talent, because CISOs are getting snatched up as quickly as businesses can find them. However, there are good candidates out there, and plenty of others are also training themselves to fill the role.
What should a company look for when hiring a CISO?
1. Autonomy
A CISO cannot be a follower. They need to be allowed wide latitude to do their jobs appropriately. If a cyber-attack happens, the CISO should be ready and able to respond immediately-- not after a lengthy series of inquiries and approvals from higher-ups.
Obviously, a lot of trust goes along with this role, and hiring authorities should take that into account by thoroughly vetting potential CISOs before hiring one.
2. Challenges
Good CISOs right now are concerned largely with their own careers and with finding suitable challenges that will build their skillsets. Considering the demand for CISOs, companies should assume that candidates are considering multiple offers. One deciding factor for the CISO likely will be how interesting and challenging they find a particular company's problems.
If everything seems to be running smoothly, highly qualified CISOs are likely to say, "Well, I'm not needed here," and look for another job where they will be more immediately useful.
3. Certifications
The general job of CISO is new enough that it's easy for people to fake credentials or exaggerate their past experiences. Genuine certifications that are from reputable organizations and that are backed by testing are one of the few reliable ways that a non-technical HR officer can know they're hiring genuine talent.
A CISO who cannot produce proof of certifications from external organizations is likely to be too much of a gamble unless that individual has extensive references or other documentation that corroborates his or her claims.
4. Interpersonal Skills
A CISO is in a very delicate position, because the role requires balancing privacy and security needs for the company, its staff, and its customers. This cannot be treated solely as a technical job. The most effective CISO will regard the human needs of people within and outside the organization.
A CISO must have the necessary interpersonal skills to balance out their technical skills and an ability to see the big picture in terms of how policies affect people and their lives.
5. Incentives
Given the demand for qualified CISOs in the industry, many are now setting their own salaries, and, generally, they get them. Furthermore, poaching is incredibly common in the field at the moment. A company should be prepared to reconsider their usual policies in terms of incentives and compensation for the sake of retaining a qualified and effective CISO.
It's clear that smart approaches to hiring, vetting, and retaining a quality CISO are necessary. Companies should be willing to sweeten the deal significantly -and to keep it sweet- to hire and hold onto a CISO. The alternative could be a revolving door of short-time hires.