How and why to hire a CISO

If you haven't yet hired a chief information security officer, you're not alone. Here are the considerations for creating the position and making the hire.

Not employing a chief information security officer (CISO) may sound foolhardy, but it is not uncommon. Only 49 percent of companies currently employ a CSO or CISO, according to Cybrary’s 2016 Cyber Security Job Trends Report.

Why is this? The reasons are myriad: a lackadaisical "it won't happen to me" attitude toward information security, confusion around the CISO's purpose, budget constraints, and trouble identifying the right candidate.

Unclear KPIs, and CIOs carrying out CISO job functions, muddy the waters too. However, it is increasingly clear that a CISO is required both to prioritize information security and to act as a strategic enabler for the business.

Is the time right to hire your first CISO?

The most important point companies must understand is why they have decided to hire a CISO. Is it because they need someone to build a security infrastructure, to lead security strategy, or simply because the board of directors or audit committee has recommended it? The "who" then becomes important, given the different skillsets of CISOs and the wide range of salary and leadership expectations.

[Related: What it takes to become a chief information security officer (CISO)]

Joyce Brocaglia, managing director at recruitment firm Alta Associates, recalls placing Steve Katz as Citi CISO back in 1994, widely believed to be the first such role at the time. She says that the type of role, and of applicant, has since changed. "Back then we were placing leaders whose focus was very technical in nature. Today, we are replacing those technicians with executives who have a holistic approach to security and risk, can act as enablers, and work with technology leaders in their transformational efforts."

Katz himself believes Citi was ahead of its time in understanding the strategic value of security. After suffering an attack at the hands of a Russian group, Katz said this alone "was enough of a wake-up call for the CEO and board that they wanted a head of information security in place at the executive level." He says that most firms are now looking to do the same, largely to adhere to GLBA, FS-ISAC and other regulatory requirements.

Two prime examples of first-time CISOs

Cloud-center-as-a-service firm Serenova hired Stuart Clark as its first-ever CISO in March in a bid to drive further business growth. “We had a security department but we didn’t have an elevated person in that position,” said CEO Vasili Triant, adding that the firm’s director of security reported into engineering. “I wanted to be proactive and stay ahead of the curve.”

Describing Clark's appointment as a "major strategic addition," Triant noted that it paralleled recent business growth: a software business "doing gangbusters" had brought a "lot more security questions" from customers.

Although just two months in, Triant says Clark is already having a positive impact. “Could it have happened two years ago? It could have, but it might not have blended too well,” the CEO adds, citing the firm’s move from Redwood to Austin, Texas.

Others have taken the plunge, including small- to medium-sized businesses. Derek Kramer, CIO at Service King Collision Repair Centers, hired CISO Anil Varghese last year and has already seen numerous benefits. "Immediately, we were able to enact a plethora of organizational policies that quickly promoted and raised awareness of proactive security programs and practices," he says.
