How To Hire a CISO
The Chief Information Security Officer (CISO) does what the title suggests. They are responsible for information security both internally and externally in a business. Every business, small, medium, or large, relies on information and technology to function, and the CISO is there to monitor potential technology threats to your company and mitigate risk. Could your business survive a ransomware attack? What would happen if your social or email server got hacked and deleted? Knowing how to hire a CISO, especially a qualified top-class one, is more critical than ever.
In the modern age, digital information security is more important than ever, especially given the severe financial repercussions that failing to comply with regulations like GDPR can have on a business. Additionally, the damage to brand and reputation from a hack or leak can devastate a company. It is self-evident how fundamentally important a good CISO hire is for a sophisticated business.
In this guide, I will first explore what a CISO does, what the role is responsible for, and how the function should be compensated. Before I share my best practices on how to hire a CISO, let’s define the position.
What is a CISO?
The Chief Information Security Officer (CISO) is the most senior-level executive responsible for developing and implementing the company’s information security program. This includes developing and refining procedures and policies which ensure the security and robustness of IT systems, communications, data, and digital assets from internal and external threats.
The CISO is sometimes referred to as the Chief Security Architect. Sometimes the role is made to include the responsibility for physical security and then referred to as a Chief Security Officer (CSO).
Responsibilities of a CISO
The list of responsibilities for your next CISO may include:
- Training employees on digital security
- Ensuring digital security compliance
- Ensuring the company is compliant with local, federal, and global laws (e.g., GDPR)
- Ensuring the security of the company’s data
- Developing and managing the company’s computer security incident response team
- Managing and implementing various security and monitoring tools on employee devices
- Conducting digital security audits
- Ensuring newly developed technology solutions are secure
Who does a CISO report to?
You need to consider who the CISO you’re hiring is going to report to. Your company’s structure and industry may affect the profile you are looking for. Here are the typical reporting structures:
- The CISO traditionally reports to the CIO and/or CTO. However, this is becoming less popular, because it avoids the risk that security concerns in a project are underplayed by the CTO or CIO when communicating with directors or the CEO.
- It is now becoming more popular for the CISO to report to a Chief Risk Officer (CRO). Many businesses appoint both a CISO and a CRO to show how seriously they take cyber security and risk. With multiple leaders specializing in risk mitigation, it is far more difficult for any security risk to be overlooked and left unaddressed.
- Depending on the company’s size, the CISO sometimes reports directly to the CEO. This is done to ensure no observed risk gets watered down along the communication chain. It generally requires the CISO to have a high level of business acumen and strong communication skills, so they can talk effectively to the CEO, board, and other C-level leaders while helping to shape the business direction.
- Another option is for the CISO to report to the COO. This is done so that tools selected and implemented in the business are secure and compliant. It gives cyber security and technology equal importance and is very popular in financial services, where security is paramount, and a high budget is allocated out of necessity.
How to compensate a CISO
In the USA, the base salary for a CISO is the following per percentile:
- 10% – $174,001
- 25% – $200,513
- 50% (Median) – $229,633
- 75% – $265,203
- 90% – $297,588
Average total compensation (salary + bonuses + benefits): $365,140
In start-ups, we can see that CISOs are generally well compensated, and companies offer 1-3% equity.
What Qualifications should a CISO have?
A bachelor’s and/or master’s degree in IT/computing and data security is important. Qualifications are not always necessary, but they help you confirm that the CISO candidate you are considering is experienced to the level they claim. Depending on your IT structure, you may need extensive experience in cloud security and enterprise server security.
Acronyms to look for include CISSP, CISM, CISA, and CRISC, along with the bodies that issue them, (ISC)2 and ISACA. Ideal candidates are wired for continuous learning, since the landscape feels like it is changing daily.
Working with executive search firms can help you understand your needs. At Boyden, where I am Managing Partner, we have offices in 43 countries with recruiters who focus on specialized technology roles such as the CSO. If you want me to connect you to the right people to help you with your search, please contact me!
The best practices on how to hire a CISO
Not knowing how to hire a CISO correctly can cause your company significant issues. For months of operation, your security and risk management may go under-addressed, leaving you vulnerable. Here is the main advice I would give to companies who do not know how to hire a CISO.
Start your search early
Executive search is a long and demanding process. Hiring a CISO with the right skills, experience, and qualifications to lead your company’s cyber security will take time, especially when finding several candidates to choose from. Additionally, due to the serious nature of the position, several in-depth interviews per candidate will be required.
Develop a Search team
Doing your search alone is not advisable. You need a team that includes a cross-section of leadership, giving input on what the hire needs to do and making the final decision. Humans are intrinsically biased, and on your own you will favor your own needs. The CISO will touch every aspect of the business, so input and participation from the relevant executives is warranted.
Including representatives from the departments the CISO will interact with will help you ensure they are qualified to meet everyone’s needs.
I would also recommend reaching out to an executive search firm at this point to help you manage the whole process, so members of your C-suite don’t get overloaded with searching for your new CISO.
Develop your list of needs
It is important that your CISO adds value to your company. You need the best ROI when spending money on your cybersecurity investments. Your security program needs to be developed and enhanced at the best price possible. I suggest looking for candidates that can balance business objectives with a comprehension of how security policy should be designed and implemented. Done properly, your CISO should significantly decrease your risk of a breach.
Additionally, look for a CISO that:
- Has excellent communication skills at all levels of the company
- Brings knowledge of the latest software tools to help balance compliance and risk
- Possesses strong technical and crisis management skills
If you need help drafting a job description that captures the essential requirements of a CISO, lean on your executive search partner for assistance. Boyden has successfully placed many CISOs and has access to several previous examples to help build one that is aligned with your needs.
Background check your final CISO candidates
Don’t forget to conduct a background check on your final CISO candidate. Your company’s cyber security requires someone you can trust, so you should look into:
- Degrees, designations and certifications
- Employment history
- Criminal and credit history
- Public records
- Social media
You need to be confident your business is safe, and these crucial final steps may cause a short delay but save you considerable money in the long run.
Work with an executive search firm
Hiring a new C-level executive is complicated, and adding the unique skill set and qualifications you may require from a CISO makes it harder. Working with an executive search firm will make this daunting task easier. They can take on the management of searching for your new CISO without creating a burden for your executive team. While using their network of experienced and knowledgeable experts to find a range of high-quality candidates, you can stay focused on your primary matters.
I am a Managing Partner at Boyden, and we have offices in 43 different countries around the world. We have CISO experts in those regions and across many industries. If you are looking for help with your CISO executive search, please contact me; I can connect you to the right consultant in the right geography to best suit your needs. Boyden can organize a global search team if your search requires it. Carrying out a confidential search is feasible as well if your current CISO is underperforming and needs to be replaced.
Need Expert Executive Search Help?
As a Managing Partner at Boyden, I can personally help you or connect you to a member or group of our global search team who would be best suited to help you and your company’s precise executive search needs.
Contact me now! As a Managing Partner at Boyden, a global executive search firm, with 25+ years of experience, I’ll either help you directly or connect you to someone I know who is best suited to your company’s needs!