In my experience, the hiring of a CISO is one of the last things on the minds of the overwhelming majority of Boards of Directors (BoD). Or, more accurately, it is the last role they want to hire. Who wants to spend money on security? Where is the ROI? While there is often significant kudos for corporate responsibility, its effect on the bottom line is invariably lost in translation.
I’ve written more than enough blogs on why cybersecurity is so essential to every organisation. I’ve even tried to spell out some of its many benefits, but 180 subscribers will hardly change the course of a multi-billion £/€/$/¥ industry.
However, I will count this blog a HUGE success if it achieves one, and especially both, of the following:
- An organisation hires the exact right person for their cybersecurity needs; and/or
- A prospective CISO asks all the right questions and gets the right job for them.
By far the biggest challenge for organisations in hiring a CISO is doing it for the right reason(s). Unfortunately the reason, 99 times out of 100, is necessity. From landing a big contract, to regulatory compliance, to post-breach PR, the CISO role is often nothing more than an empty suit. Compound this with a BoD that has no idea of the right questions to ask prospective candidates, and the whole exercise likely started out with little idea of what it was actually trying to achieve.
Security is not a set of technical requirements; it is a business process, and until the BoD sees it as such, no CISO job description (JD) will ever land the right candidates. In security, if you’re not an expert, never ask for what you want; find someone who can fully detail the things you need. You’d be amazed how often these two are very different.
Steps to Hiring the Perfect CISO
But first, we need to stop thinking about the CISO as a person: CISO is a function. Or rather, a series of projects that culminates in a function. Security begins with a plan, then evolves through several phases into a coherent cycle of business-enabling processes. I’ve never met a single individual with either the skill-set, or even the interest, to perform all of these phases. I for one would rather chew tinfoil than babysit something that does not require fixing.
Second, I am going to assume that the hiring of the CISO is going to be managed by the BoD; if not, none of these steps make sense.
Finally, I am going to use the types of CISO I defined in The 3 Types of CISO: Know Which You Need to illustrate my point.
Step 1: BoD must finalise three things: 1) their Mission Statement, 2) their Value Statement(s), and 3) their short / medium / long-term business goals.
Step 2: BoD uses every means at its disposal to find the right person or people to turn the Mission/Values/Goals into an appropriate security strategy.
Step 3: Hire a p-CISO (Planner) for Phase 1 – skill-set prerequisites must include:
- drafting Governance charters and policy sets;
- standardising and performing initial risk assessments;
- controls gap analysis;
- developing business impact analyses (BIA);
- defining a basic set of minimum security controls; and
- chairing a Governance Committee meeting (this is a requirement across all 3 CISO types).
[Once Phase 1 tasking is roughly 75% complete, Phase 2 can begin. The p-CISO will be expected to fine-tune the draft JD for the e-CISO and hand over all relevant knowledge / duties.]
Step 4: Hire an e-CISO (Executor) for Phase 2 – skill-set prerequisites must include:
- matching the policy set to both business goals and the prevailing corporate culture;
- coordinating the socialisation and distribution of procedure and standard documents with the relevant SMEs;
- integration and centralisation of security control output into a unified incident response capability;
- assignment and formalisation of all security responsibilities; and
- implementation of disaster recovery (DR) and business continuity planning (BCP).
[Once Phase 2 tasking is roughly 75% complete, Phase 3 can begin. The e-CISO will be expected to fine-tune the draft JD for the o-CISO and hand over all relevant knowledge / duties.]
Step 5: Hire an o-CISO (Optimiser) for Phase 3 – skill-set prerequisites must include:
- performing an objective review of all security controls, including policies (with Internal Audit if available);
- maintaining their aspect of the company-wide Risk Register in line with the security strategy and business goals;
- formalising management information and security/risk metrics into a BoD-level reporting process; and
- implementing a cyclical programme for continuous improvement.
Sample Phased Approach
That’s it: 5 simple steps. Very difficult and potentially expensive steps, yes, but simple nonetheless. Clearly these steps are VERY high level, and there is a lot more detail involved than that. This process could also take many months or even years. But the hiring of a CISO is not about finding people; it’s about committing to an idea and doing whatever it takes to bring that idea to life.
For that to happen, the BoD must stay involved. For the CISO roles as defined above to succeed, the BoD needs to use as much of its influence as necessary to fully support them. A dotted-line reporting structure directly to the BoD works best.
In my experience, if you’re looking to hire a CISO to sort out your security, you’ve already started down the wrong path. It’s the CISO who usually ends up paying the price.
If you’ve made it this far, you are probably thinking that the title of the blog should have been: How to Implement a Security Program. And you’d be right, it should, but the people wanting to hire a CISO probably wouldn’t have read it.