How To Hire a CISO

Security on a CISOs pc screen

The Chief Information Security Officer (CISO) does what the title suggests.  They are responsible for information security both internally and externally in a business.  Every business, small, medium, or large, relies on information and technology to function, and the CISO is there to monitor potential technology threats to your company and mitigate risk.  Could your business survive a ransomware attack?  What would happen if your social or email server got hacked and deleted?  Knowing how to hire a CISO, especially a qualified top-class one, is more critical than ever.

In the modern age, digital information security is more important than ever, especially with the extreme financial repercussions that failing at regulations like GDPR can have on a business.  Additionally,  the damage to the brand and reputation of a hack or leak can devastate a company.  It is self-evident how fundamentally important a good CISO hire is for a sophisticated business.

In this guide, I will first explore what a CISO does, the responsible, and how the function should be compensated.  Before I share my best practices on how to hire a CISO, let’s define the position.

What is a CISO

The Chief Information Security Officer (CISO) is the most senior-level executive responsible for developing and implementing the company’s information security program.  This includes developing and refining procedures and policies which ensure the security and robustness of IT systems, communications, data, and digital assets from internal and external threats.

The CISO is sometimes referred to as the Chief Security Architect.   Sometimes the role is made to include the responsibility for physical security and then referred to as a Chief Security Officer (CSO).

Responsibilities of a CISO

The List of responsibilities for your next CISO may include:

    • Training employees on digital security
    • Ensuring digital security compliance
    • Ensuring the company is compliant with local, federal and global laws (GDPR)
    • Ensuring the security of the companies data
    • Developing and managing the company’s computer security incident response team
    • Managing and implementing various security and monitoring tools on employee devices
    • Conducting digital security audits
    • Ensure newly developed technology solutions are secure

Who does a CISO report too?

You need to consider who the CISO your hiring is going to report to.  Given your company’s structure and industry may impact the profile you are looking for.  Here are the typical reporting structures:

      • The CISO traditionally reports to the CIO and or CTO. However, this is becoming less popular.  In order to avoid security risks involved in a project are not being underplayed by the CTO or CIO when communicating to directors or the CEO.
      • Now it’s becoming more popular for the CISO to Report to a Chief Risk Officer (CRO). Many businesses appoint a CISO and CRO to show how important they take cyber security and risk.  As multiple leaders specialize in risk mitigation, it’s far more difficult for any security risks to be overlooked and unaddressed.
      • Depending on the company’s size, CISO often sometimes reports to the CEO. Sometimes the reporting is done to ensure no observed risk gets watered down in the communication chain.  This generally requires the CISO to have a high level of business acumen and communication skills, so they can effectively talk to the CEO, board, and other c-level leaders as they aid in developing the business direction.
      • Another option is for the CISO to report to the COO.  This is done so that tools selected and implemented in the business are secure and compliant.  It gives cyber security and technology equal importance and is very popular in financial services, where security is paramount, and a high budget is allocated out of necessity.

How to compensate a CISO

In the USA, the base salary for a CISO is the following per percentile:

10% – $174,001
25% – $200,513
50% (Median) – $229,633
75% – $265,203
90% – $297,588

With the average including Salary + bonuses + benefits coming to: $365,140

In start-ups, we can see that CISOs are generally well compensated, and companies offer 1-3% equity.

What Qualifications should a CISO have?

A Bachelor and/or Masters in IT/computing and data security is important.  Qualifications are not always necessary, but they help you ensure that the CISO hire you are considering is experienced to the level they say they are.  Given your IT structure, you may need extensive experience with cloud security knowledge and enterprise server security.

Some qualifying acronyms that you may look out for may include CISSP, ISACA, (ISC)2, CISM, CISA, and CRISC.  Ideal candidates are wired for continuous learning.  The landscape feels like it is changing daily.

Working with executive search firms can help you understand your needs.  At Boyden, where I am Managing Partner, we have offices in 43 countries with recruiters that specialize in highly specialized technology functional roles like a CSO.  If you want me to connect you to the right people to help you with your search, please contact me!

The best practices on how to hire a CISO

Not knowing how to hire a CISO correctly can cause your company significant issues.  Albeit months of operation, your security and risk management are under-addressed, leaving you vulnerable.  Here is the main advice I would give to companies who do not know how to hire a CISO.

Start your search early

Executive search is a long and demanding process.  Hiring a CISO with the right skills, experience, and qualifications to lead your company’s cyber security will be long, especially in finding several candidates to pick from.  Additionally, due to the serious nature of the position,  several in-depth interviews per candidate will be required.

I would recommend starting three to six months before your hopeful start date to ensure you get a good candidate by that date needed.  In the emergency situation of an unexpected leave of a c-level leader like a CISO, it takes on average 76 days to replace them.  Starting well ahead will ensure the workload becomes more manageable and the right candidate is selected.

Develop a Search team

Doing your search alone is not suggested.  You need a team that includes a cross-section of leadership, giving input on what that hire needs to do and making the final decision.  Humans are intrinsically biased, and you will bias your own needs.  The CISO will touch every aspect of the business, so getting input and participation from relevant executives is warranted.

Including representatives from the departments the CISO will interact with will help you ensure they are qualified to meet everyone’s needs.

I would also recommend reaching out to an executive search firm at this point to aid you in managing the whole process.  So members of your c-suite don’t get overloaded with searching for your new CISO.

Develop your list of needs

It is important that your CISO adds value to your company.  You need the best ROI when spending money on your cybersecurity investments.  Your security program needs to be developed and enhanced at the best price possible.  I suggest looking for candidates that can balance business objectives with a comprehension of how security policy should be designed and implemented.  Done properly, your CISO should significantly decrease your risk of a breach. 

Additionally, look for a CISO that:

  • Has excellent communication skills at all levels of the company
  • Brings knowledge of the latest software tools to help balance compliance and risk.
  • Possesses strong technical and crisis management skills

If you need help drafting a job description that captures the essential requirement of a CISO, lean on your executive search partner for assistance.  Boyden has successfully placed many CISOs and has access to several previous examples to help build one that is aligned with your need.

Background check you final CISO candidates

Don’t forget to conduct a background check on your final CISO candidate.  Your company’s cyber security requires someone you can trust, so you should look into:

      • Degrees, designations and certifications
      • References
      • Employment history
      • Criminal and credit history
      • Public records
      • Social media

You need to be confident your business is safe, and these crucial final steps may cause a short delay but save you considerable money in the long run.

Work with an executive search firm

Hiring a new C-level executive is complicated, and adding the unique skill set and qualifications you may require from a CISO makes it harder.  Working with an executive search firm will make this daunting task easier.  They can take on the management of searching for your new CISO without creating a burden for your executive team.  While using their network of experienced and knowledgeable experts to find a range of high-quality candidates, you can stay focused on your primary matters.

I am a Managing Partner at Boyden, and we have offices in 43 different countries around the world.  We have CISO experts in those regions and across many industries.  If you are looking for help with your CISO executive search, please contact me, I can connect you to the right consultant in the right geography to best suit your needs.  Boyden can organize a global search team if your search requires it.  Carrying out a confidential search is feasible as well if your CISO is under performing and needs to be replaced.  

Share This Article:
Robert S Travis About Me page

Need Expert Executive Search Help?

As a Managing Partner at Boyden, I can personally help you or connect you to a member or group of our global search team who would be best suited to help you and your company’s precise executive search needs.

Related Articles:

Courses Image 06

How to Hire a C-level Executive

Hiring any C-level Executive is a complex and long process. As getting a bad hire carries so much risk at this level. In this guide I will teach you how to hire a C-level executive and the corect interview process - Read More

Courses Image 05

How to Hire a CEO

The CEO, is a hard role to hire. You need to find someone who believes in the business & product. Who has good ideas for its future. While ensuring the team they build can execute on them. Lets learn how to hire the right one for your business. - Read More

CRO working with CMO and CEO

How to Hire CRO

The CRO is often one of the shortest tenured people in a leadership team. With the duty of merging the capabilities of the Marketing, sales and tech team to find synergies to grow revenue and grow it fast! Read More

How to Hire Senior Management (7+ guides!)

Your senior management, the people who execute you executives vision. All require a highly niche set of skills depending on their area of expertise. Here we explore how to best hire them and deep dive into key roles. Read More

CIOs data

How to Hire a CIO

Your next CIO needs to build the systems to capture, manage and proliferate the data from across your business. This means they need to have a deep understanding of your business and industry. As well as the technology which could power it. Read More

Robert Travis Executive Search Managing Partner at Boyden contact me

Want Professional Executive Search Help for any Industry Globally?

Contact me now! As a managing partner at Boyden's Global Executive Search Firm with 25+ yrs experience. I'll either help you directly or connect you to someone that I know who is best suited to your companies needs!

Arrange an Appointment

Fill in this short form to get connected to a specialized consultant in headhunting your open positions.

Contact Information