How to find and hire a great CISO

In-house recruiters, CTOs, and executives everywhere are wondering how to find and hire a great CISO to join their team, and if you are reading this, you are likely among them.

Faced with the challenge of not having a dozen available CISOs in their network of friends and acquaintances, many start posting job ads everywhere. There are a few key questions here:

  1. Should you headhunt your CISO from a competitor or search on LinkedIn? Should you rely only on the jobs section on your website?
  2. How do you find the right CISO and avoid spending months or years dealing with the wrong employee?
  3. What is the perfect job description for a CISO for your company?
  4. Which cybersecurity skills are relevant for a CISO today?

In this article, we try to answer all these questions and more.

We recommend that while you search, which can take anywhere from 2 to 6 months or more, you try our Virtual CISO service. Our clients usually cancel their search after just one month with us. And even if they don’t, in just one month we would set the foundations of your information security program and start its execution, something a new hire can never achieve.

Should you headhunt your CISO from a competitor or search on LinkedIn?

If you know the person well and are sure they will do a better job with you than at your competitor, then you should try to headhunt them. If they know your line of business, they have already faced many of the same challenges in your industry, and during the interview process you will find out how their skills and experience match your requirements.

Posting the job on LinkedIn attracts the people who are actively looking for a change, and those are rarely the ones who represent great candidates. Great candidates are usually constantly getting offers and are extremely busy, too busy to look for a job. There are *rare* exceptions to this rule, when good people are chased away by politics or rough life situations. But such exceptions prove the rule.

When given this choice, headhunting a good CISO is better than posting a job ad on LinkedIn. And no, you shouldn’t rely on your website only. Good candidates are unlikely to visit your website, let alone land on your jobs section, unless they are novices just starting their careers.

How do you find the right CISO and avoid spending months or years dealing with the wrong employee?

It is a little like a dating game, except here you might face millions in losses or your whole company going under after a massive security breach. The risk is just too high to rely on resumes and ticking boxes in a list of ‘features.’ 

To know how to find the right CISO, you should answer a few questions, too. 

What is your objective for the next one or two years?

Is your IT in desperate need of security, or is it your governance procedures that are lagging behind? Or are you under pressure to get certified for ISO 27001, PCI DSS, or HIPAA?

In other words, should you focus on compliance or practical, technical security defense measures? 

If you need to focus on compliance, as business, sales, and marketing sometimes depend on that, look for someone with a compliance or auditing background.

If your main concern is fending off hackers and preventing a breach, then definitely look for a techie who is not afraid to get their hands dirty, regardless of how big your company is. 

Finding the right one: avoid common HR pitfalls and avoid going through thousands of resumes. Instead, visit the https://www.reddit.com/r/netsec/ channel on Reddit, where you will always find the latest Infosec hiring thread. Then visit popular Slack and Telegram channels where the great security folks like to hang out (Google is your friend; we won’t list them all here).

What is the perfect job description for a CISO for your company?

Do yourself a favor and don’t copy somebody else’s job description for your future CISO. Everything about your company is unique, and even small details can make or break the match. 

Sit down with your IT team and with your executives and carefully define the problems your company is trying to solve. Then base the CISO job description on that. 

There are a few key points for the CISO job description you should include:

  • If you use cloud services or if you host cloud services for others, include: “Experience in creating defenses for cloud services hosted in AWS/Google/Microsoft 365. You must know your way around (name your cloud vendor here)’s security settings and have experience in preventing and responding to security incidents in that environment.”
  • If you have mostly on-premises infrastructure, demand technical skills, even if the candidate’s hands-on engineering work was many years ago: “Knowledge in detecting adversaries in Linux and Windows environments, and in establishing security monitoring to detect adversaries.”
  • Always include “Threat hunting experience” in the job description, regardless of how big your company is. Why? Because this keyword differentiates the real security pros from people who spent their life in Excel and Outlook and have no idea how attacks happen in the real world.

What about the job requirements? Should you require a university degree?

It depends. Would hackers care if your CISO had a university degree? Does a university degree help in building defenses against threats that did not exist just 3 months ago? We doubt 99% of university professors have knowledge of current attacks at a level good enough to teach, and your ideal CISO is not a fresh graduate.

Large companies like Google and PwC stopped requiring university degrees from their best hires. Higher education systems have proven time and time again that they can’t produce adequate professionals for the cyber world.

Which cybersecurity skills are relevant for a CISO today?

Diplomacy is probably the most overlooked skill for a CISO. Managing the pressure between multiple teams working on multiple projects is a skill acquired in battle. You should definitely include questions designed to discover how good the candidate is at diplomacy and people skills. Maybe challenge them a little? See how they respond to aggression or pressure, within limits, of course.

When talking about cybersecurity skills, if you don’t plan on having a large security team and your CISO is supposed to do all the work, focus on their technical skills. They should be able to handle and analyze malware and malicious documents, analyze large amounts of logs and make sense of them, harden various operating systems, and know what DISA STIGs are all about.

Actually, that last part, DISA STIGs, is key. If your candidate doesn’t know what that means, kick them out immediately and don’t look back.

If you have been trying to hire a great CISO for the past year and cannot find the right candidate, maybe it is time to try an alternative for a month or two.

Ask our team for a short meeting to discuss our Virtual CISO offer, and perhaps we could serve you better and longer than a full-time CISO hire would.

The average tenure of a CISO in a company is between 6 months and 2 years. They often get headhunted by recruiters for a 10% salary increase or better health benefits, and companies have to start the search from zero every time, paying recruiters and interviewing dozens of candidates. You know very well how painful the search process is every time. We can save you from that pain.