1. Flexibility can win a great hire

I’m a firm believer that with any search, the devil is in the details. That starts with a VERY well-written job description which includes the title, reporting structure, thorough job description, a solid sales pitch on the company, and experience level. A security leader job description is difficult because, besides the CEO, it’s the only job that has tentacles into every aspect of the business. Your CISO will probably run point on security operations. Prevention, detection and response, risk management, governance, education, legal and regulatory, business enablement, identity and access management (IAM), and leadership chops are a must.

But it gets a little murky after that, and flexibility can be greatly rewarded. Why? The person you will hire has no formal educational training for this role – because it doesn’t exist. What he or she learned came through hard-earned experience, trial and error and good mentoring. Industry experience can also be tricky. Several industries have security skills that are transferable because the regulatory frameworks are fairly similar.
2. Be open to candidates with massive salary differences and not-so-defined titles

It’s not uncommon for me to submit two candidates for the same role with as much as an $80K salary difference! Plus, current titles for candidates can run the gamut. Security is still a young industry, and companies value security very differently. I know security executives in smaller markets that can run circles around their big town, high-paid peers. Make no mistake, in security, there are diamonds in those unsearched hills and valleys as long as you keep an open mind.
3. Significant dialogue and negotiation are the norm

The standard client response to my point above is, “Awesome! I want to lower my salary projection from $210K to $165K. Go find me one of those!” I hate to be the bearer of bad news, but security people are tribal, and boy do they talk. That highly experienced security person that took a leadership role seven years ago in Columbus on a cut-rate salary because nobody really knew what a security leader was supposed to do? That person who scratched and clawed for budget, grew in trust with the Board, and built a security program to be proud of on elbow grease and smarts? He/she knows full well how underpaid they are. Plus, security professionals are notoriously careful (it’s kind of the gig). These candidates know their worth, and they are ready to cash in.

Also, be prepared for the interview process with security leader candidates to be a highly back-and-forth dialogue. Given the liability at stake for both company and candidate, expect a constructive process where both parties feel comfortable with the role and the compensation package. It can take some time, but it’s worth it.

The process of finding your security leader can be a little unruly. Set your expectations on a search that’s a bit of an adventure. It will pay off.