Don'ts

DON’T list all of the skills that a fully-functioning security program requires and cram it into a job description. Consider your company’s current security posture and risk tolerance. Synopsys recently released its CISO Report with a very interesting look at the CISO “tribes.” Does your company view security as an Enabler, a Technology, Compliance, or a Cost Center? Paint a picture of where your company stands in security and where you want to go. If you do this well, security leaders that aren’t interested will opt out before the interview process, saving you valuable time.

DON’T post a security leader position on a job board. First, it’s a time killer because you’re going to get 400-500 resumes. (A lot of people think they can be a CISO.) Second, it’s almost always the case that the right candidate isn’t sitting around perusing job boards. Security leaders are busy and well-paid. They tend to be passively open to new opportunities and have to be sold to even consider something new.

DON’T be too quick to take a hard line on salary. Nowhere is the free market more on display than in security leadership. Get ready for some sticker shock, because security leaders that have built a successful program tend to get paid. After an interview process, you might decide that you need this type of candidate and are willing to adjust salary expectations accordingly.
Dos

DO spend the time to carefully match desired qualifications with responsibilities. Security leaders run the gamut from the deeply technical with applications backgrounds to lawyers with compliance expertise. The goal here is to create a realistic balance that doesn’t choke your pipeline to nothing and doesn’t invite a cattle call of candidates from all walks of the security spectrum. One of the best resources in all of security – a document that I use every day – is the SANS CISO Mindmap. It’s an excellent resource for considering the responsibilities of a security leader. Use this to match qualifications with responsibilities and you’ll be ahead of the game.

DO consider what you need to protect. This will determine how much industry-specific security knowledge your company needs. Many security leadership and background skills are transferable across industries, but there are caveats. IoT and supply chain security are unique animals requiring experience. Banking and financial services are interesting because of their respective regulations. Since regulations hit financial services first, I’ve found that this type of security background can be handy for healthcare companies.

DO look at a candidate’s staying power. A security program build or re-tool is a four- to six-year job. If you see a security leader who’s jumped to new shiny gigs every couple of years, just walk away.

DO consider your company culture. Do you want a younger security hotshot or a leader whose experience has caused some gray hair? It’s an important determination. When a company doesn’t know, the search always takes longer because I need to submit two very different candidates right off the bat and see which way the wind blows. Once that determination is made, the search can begin in earnest.

DO prepare for a different type of interview process than you have ever participated in before. Security isn’t accounting.
The stakes are high and so is the liability – for you, your customers and the career of your chosen security leader. The right candidate is going to pound you with questions, and he/she will look to be comfortable with the answers or at least the budget, time and backing necessary to execute. Security leaders are, by nature, cautious. I rarely see a candidate willing to “take a flier” without all the facts. Hiring a security leader is an adventure regardless of the status of your company’s security posture and risk tolerance. The goal is to remove the clutter early, identify the right candidates quickly and structure a productive interview process. These DOs and DON’Ts will help put your company on the right track.