How the CISO can hire the right organization

Gartner and others have proposed that the first 100 days are critical to the success of the CISO. It's not quite that simple...

The employment prospects for Cyber Security practitioners continue to be at an all-time high, with no end in sight. In contrast to the demand, a recent report indicated 80% of Fortune 100 CISOs have held their current position for less than five years[i], and many in the industry accept that a CISO’s tenure will be 2.1 years before moving to a new opportunity[ii]. It seems that there is a continuing mismatch between CISOs and their Organizations. The hiring of a CISO can be problematic; often they 1) are not hired by the right people, 2) are not hired for the right reasons, 3) do not report to a hierarchy that will make them successful, and 4) do not have the necessary support to make substantive changes within the Organization.

Gartner and others have proposed that the first 100 days are critical to the success of the CISO [iii]. In this article, we suggest that the setting of initial expectations during the hiring process, on the part of both the Organization and the candidate CISO, is a more critical first step: it establishes the shared understanding that will ensure the success of a CISO and his/her Organizational Cyber Security program.

The building and refining of a Cyber Security program, as with any IT program, can be a multi-year undertaking that affects the people, processes, and technology within the organization. Accepting 2.1 years as the norm for CISO tenure ensures that the multi-year Cyber Security implementation plan will not reach fruition and a new CISO, who will likely possess a different vision, will be required to take the helm mid-transformation. The common adage “the interview is a two-way process” is especially relevant when an executive search team works to bring a CISO into the organization. The prospective CISO should adequately assess the organization and determine whether the hiring and executive teams, often two distinct groups, have created the right environment for the CISO to be successful. The checklist presented here is from the vantage point of the prospective CISO; however, many of the questions should also be reviewed by the Executive sponsor as he/she chooses to support adding a CISO to the Organization.

What is the Mission Statement of the organization? Or, more broadly, what is the business of the Business? The goals of the organization determine the relative importance of Cyber Security to the Executive Team and the Organization. Are IP, PII and Data, and the protection thereof, the primary business of the Organization? If the organization is focused on another sector (e.g., manufacturing/healthcare/sales/services), what types of data will need to be protected, and is the protection of Information vital to the Continuity of Operations? This is likely the most important determination of how critical the CISO will be to the organization and whether the CISO will become a business enabler.

Is the Organization’s Cyber Security domain regulated? Regulated sectors often have clearer mappings for baseline Information Security requirements, for example: Federal space (NIST, CSF), Healthcare (HIPAA, HITRUST), Banking (FFIEC, SOX, and Gramm-Leach-Bliley). While regulation and compliance don’t equate to Cyber Security, regulated sectors provide less ambiguity about what constitutes organizationally ‘baseline acceptable’ Information Security. Non-regulated sectors often haven’t chosen a framework against which a program is aligned and haven’t developed a culture of ‘baseline acceptable’ Information Security that can be built upon for further success.

What is the vision for, and the current maturity of, the Organization’s Cyber Security program? The prospective CISO should ascertain whether a framework has been selected, whether an Organizational Cyber Security policy has been implemented, and whether the underlying policies are in place and routinely updated. If the strategy is ‘protect everything’, the applicant CISO can assume that little effort has been completed in developing a Governance, Risk, and Compliance (GRC) team or implementing a Risk Management Framework (RMF). The lack of these items doesn’t preclude the success of the CISO and the Cyber Security program; however, it may be an indicator that the CISO is entering a ‘build from the ground up’ greenfield opportunity. Conversely, it may also be an indicator that the Organization hasn’t valued Cyber Security and won’t change that stance. This is an area where the prospective CISO and the Organization should clearly define what success in the role will entail.

What is the CISO reporting structure? Much has been written on the topic of CISO reporting and the inherent challenges of different organizational alignments. The current body of thought agrees that an optimum reporting structure would align the CISO directly to the CEO and Board, or indirectly through a CRO risk organization. In common practice, Gartner[iv] has found that nearly 60% of all CISOs report to the CIO or another IT executive. In practice, CISOs not in the CIO organization often maintain sizable security functions and organizational relationships within the IT organization. The prospective CISO should weigh the potential conflicts of being aligned to a CIO, understand the relationship to the CIO, and assess what functions the CIO views as within the CISO's purview. As Gartner noted in their research, “There is no single, recommended organization structure that works for all organizations. There is, however, an optimum one for each organization.”[v]

Budget, Team, Responsibilities. The prospective CISO should understand the scope of his/her responsibilities and what resources (Budget, Team) he/she will be able to bring to bear. Will the CISO have an independent budget (typically 8-10% of total IT budget), or will the budget be commingled with the larger IT budget? Will the composition of the team be sufficient to fully support the Cyber Security program, and if not, is there a commitment to further grow the team? What responsibilities will fall under the CISO’s purview? Differing understandings of ‘what is Cyber Security’ can lead to a mismatch of roles between the CISO and the organization. Organizations often misunderstand the role of a CISO and attempt to combine the CISO, Cyber Security Architect, and Cyber Security Engineer into one role. While many CISOs can step up to this opportunity, this is generally more appropriate for a smaller organization.

Success for the CISO and the Organization. Finally, the prospective CISO and search team should agree on ‘what constitutes success for this role’. They should agree on the current Organizational Cyber Security maturity, the plan to either implement a new program or build on the existing model, the changes that are expected, and a reasonable timeline.

As a summary, here is a basic checklist of the questions the prospective CISO should ask when deciding whether the talents and skills he/she brings to the table will be a fit for the Organization and whether alignment of vision has been achieved before taking on the role. While the list is not all-encompassing, and we expect it will continue to be developed, these questions are a starting point for the CISO and the Organization. We feel this shared vision will reduce the potential for CISO and Organization mismatch, improve the outcome of the Cyber Security program, and reduce the CISO tenure within the Organization.

Organizational Scoping and Interview Questions:

  • Is the mission statement well defined?
  • Is the business or its information regulated? If so, which regulations apply?
  • Has the organization selected a governing information security framework (NIST, ISO, etc.)?
  • Has a roadmap for the program been developed? If so, to what degree has it been implemented?
  • Is executive level support demonstrated through the CISO's organizational reporting structure?
  • Are there adequate resources to accomplish what the CISO is charged with accomplishing?
  • Is the staffing / budget in place presently or does it require augmentation?
  • Does the staff have the skills to meet all mission areas?
  • Does the organization have a vision for the employment of the CISO and is there executive support for the changes needed for the CISO to be successful?

As always, we appreciate feedback and the insights of other Cyber Security professionals and will add to or modify this list based on community input. Please feel free to reach out to either of us with discussion points.

[i] https://digitalguardian.com/blog/anatomy-ciso-breakdown-todays-top-security-leaders-infographic

[ii] Ponemon Institute

[iii] http://www.gartner.com/smarterwithgartner/your-first-100-days-as-a-new-chief-information-security-officer-2/

[iv] “Determining Whether the CISO Should Report Outside of IT”, Tom Shultz, https://www.gartner.com/doc/2770321/determining-ciso-report-outside-it

[v] Ibid.
