Not employing a chief information security officer (CISO) may sound foolhardy, but it is not uncommon. Only 49 percent of companies currently employ a CSO or CISO, according to Cybrary’s 2016 Cyber Security Job Trends Report.
Why is this? The reasons are myriad: the lackadaisical “it won’t happen to me” business attitude to information security, confusion around the CISO’s purpose, budget constraints and trouble identifying the right candidate.
Unclear KPIs and CIOs carrying out CISO job functions muddy the waters too. However, it’s increasingly clear a CISO is required to prioritize information security and be a strategic enabler for the business.
Is the time right to hire your first CISO?
The most important point companies must understand is why they have made the decision to hire a CISO. Is it because they need someone to build a security infrastructure, to lead security strategy, or have they simply been recommended to do so by the board of directors or audit committee? The who then becomes important, given the different skillsets of CISOs and the wide-ranging salary and leadership expectations.
Joyce Brocaglia, managing director at recruitment firm Alta Associates, recalls hiring Steve Katz as Citi CISO back in 1994, widely believed to be the first such role. She says that the type of role - and applicant - has since changed. “Back then we were placing leaders whose focus was very technical in nature. Today, we are replacing those technicians with executives who have a holistic approach to security and risk, can act as enablers, and work with technology leaders in their transformational efforts.”
Katz himself believes Citi was ahead of its time in understanding the strategic value of security. After suffering an attack at the hands of a Russian group, Katz said this alone “was enough of a wake-up call for the CEO and board that they wanted a head of information security in place at the executive level.” He says that most firms are now looking to do the same, largely to adhere to GLBA, FS-ISAC and other regulatory requirements.
Two prime examples of first-time CISOs
Cloud-center-as-a-service firm Serenova hired Stuart Clark as its first-ever CISO in March in a bid to drive further business growth. “We had a security department but we didn’t have an elevated person in that position,” said CEO Vasili Triant, adding that the firm’s director of security reported into engineering. “I wanted to be proactive and stay ahead of the curve.”
Describing Clark’s appointment as a “major strategic addition,” Triant interestingly noted it paralleled recent business growth, too, with a software business “doing gangbusters” resulting in a “lot more security questions” from customers.
Although just two months in, Triant says Clark is already having a positive impact. “Could it have happened two years ago? It could have, but it might not have blended too well,” the CEO adds, citing the firm’s move from Redwood to Austin, Texas.
Others have taken the plunge, even small- to medium-sized businesses. Derek Kramer, CIO at Service King Collision Repairs Centers, hired CISO Anil Varghese last year and has already seen numerous benefits. “Immediately, we were able to enact a plethora of organizational policies that quickly promoted and raised awareness of proactive security programs and practices,” he says.
“This quickly built a more secure environment, and teammates became more aware of best practices related to information security. Additionally, we have built our security staff while partnering with many of the top security companies to ensure we are at the forefront of protecting all consumer and business partner data,” says Kramer.
Navigating the recruitment process
Navigating the recruitment process in any job is a maze. There’s the under-qualified, the over-qualified and the bluffers -- and that’s before you talk about recruitment agencies. The consensus is that businesses should define what they want first in a CISO.
“The old saying goes ‘never go shopping when hungry’,” says Katz. “Figure out what you want. Do you want a technology expert or a security executive? I would say a security executive because they’re going to save you time and money.”
Serenova’s Triant and Clark agree. “Are you looking for a doer, an architect, someone to maintain infrastructure or someone to build from scratch?” asks Triant. “Do more than just word a job description. Think strategically about how you want the role to be executed, and take time to map it out,” adds Clark.
In the case of Serenova, Triant wanted a strategic leader who could get their hands dirty, too, and Clark’s role now sees him liaise directly with sales teams on products and services as well as set broader security strategies.
This was born out of board approval. “My board gets security. They realized it was going to create more value for the business,” says Triant. The detailed recruitment process took six months.
In the hiring process, Triant went beyond the traditional references and LinkedIn recommendations, taking applicants out for coffee, getting other departments to interview candidates, and finding out whether there was a culture fit.
For Darren Argyle, newly appointed first-ever CISO at Qantas, businesses should also be prioritizing candidates who go beyond security and understand business. “Beyond the real-world cyber security experience, they should have a firm grasp of finance, leading teams/developing people and be a strong collaborator/stakeholder manager.”
The CISO approach to recruitment
Entering the recruitment process as a CISO is a different challenge. Candidates are wary of gimmicky, marketing-led jobs and of brownfield sites with no mandate for change. Katz, now owner of Security Risk Solutions LLC, says CISOs must first decide if they can step into an increasingly strategic role. Do they want to side-line their hard-earned technical skills in favor of developing softer skills “they have never been taught?”
If the answer is yes, and the role appears to be both interesting and challenging, Katz says applicants should consider the company and culture before commute and compensation. He adds they should ask whether the role is tactical, technical or strategic, and whether they can cope with a role likely to be up to 50 percent marketing and evangelism. He urges applicants to leverage connections, such as system integrators, to find out more about the firm. “Do your research,” he urges.
This view resonates with Serenova’s Clark, who says that “due diligence” is key to finding the right role, even if you find unwanted answers. That said, the direct CEO reporting line was critical, too, in signing on the dotted line. “It was the primary factor for me. Personally, I was not looking for a CISO role when approached by Serenova.”
“Security must be independent to be successful. One thing CISOs applauded me for [on this role] was that the executive was ready to give them attention, the empowerment to make decisions and drive strategy,” adds Triant.
Argyle, a first CISO in two jobs at “very different stages of maturity,” believes this mandate and supported investment was critical in both jobs, while Brocaglia admits such jobs may only appeal to certain characters. “The first time CISO role is a very attractive position for a professional who is interested in building,” she says.
“If they are willing to roll up their sleeves and not worry about the size of their staff but rather the size of their influence and impact, they are better suited for the roles. For many cybersecurity executives, a first-time CISO role gives them an opportunity to move from being a second or third in command in a larger organization to finally running the show,” says Brocaglia.
The road ahead for the CISO
What should a CISO know stepping into a first-time job, and what issues will they likely face? Clark tentatively admits that resources can be an issue, from compliance and governance down to managing security operations centers (SOCs) and data centers and understanding the nitty gritty technical details, such as AWS security components.
To succeed, he says, it comes down to knowing what you signed up for. “You have to be all-in - if you’re not all in, find somewhere where you are. For me, I am looking for an organisation not only where there’s a culture fit but where it’s about iteratively getting better,” says Clark.
Argyle adds that it’s essential to have a “clear set of roles and responsibilities. As soon as you land, set about understanding your scope and document a charter for your role and the function. This comes before your strategy. Without this, you'll not have a clear mandate and change won't happen.”
Service King’s Varghese adds that his experience has so far been “rewarding and fulfilling,” crediting the executive leadership. “Being Service King’s first CISO, you are walking into the situation with eyes wide open, knowing several occasions exist to mature processes and policies and break preconceived notions on what the role represents. Most CSO/CISOs relish and seek out these opportunities to mature a firm’s approach to security and build out a robust IT risk management program.”