6 top attributes employers want in new CISOs

As the chief information security officer role rises in importance, so do the expectations of hiring organizations. These are the key qualities and skills recruiters are asked to look for.


Looking for your next position as a CISO, preferably one with more pay, better benefits, and more on-the-job responsibilities/respect? Then you need to know what skills and qualities prospective employers are seeking now from their CISO hires to maximize your chances of getting your dream job. Here are the top six attributes recruiters say organizations are looking for in a CISO.

1. Previous CISO experience (probably)

Today’s employers expect new CISOs to bring a wealth of skills to their positions. According to Burke Autrey, partner and CEO of IT talent recruitment firm Fortium Partners, organizations are seeking experienced candidates who have served as CISOs “multiple times at multiple companies.” In their previous positions, their duties will have covered “governance, compliance, monitoring/threat detection, and incident response as a leader,” he says. Such CISOs will have also gained experience in managing “budgets, people resources, peer executive and board interaction, and law enforcement and insurance liaison responsibilities.”

“Our clients are looking for past experience with breached or compromised situations and how they dealt with them, where they may have missed something, how they reacted to it and how they shored up their companies’ defenses,” agrees Michael Piacente, managing partner and co-founder of executive search firm Hitch Partners. At the same time, many smaller firms are willing to consider giving security professionals their first CISO jobs, as long as they have the necessary skills.

2. Expertise in product security

“The first most important skill, without a doubt, is a thorough knowledge of application and product security,” says Piacente. “This is the ability to collaborate at a very deep technical level with product development and engineering teams.”

This is especially true for technology companies. “Most of our clients are in high-consequence, disruptive software companies where their product/application security compliance, customer enablement, and hiring are key to their platform success,” Piacente says. “Security in their world is not just a necessity or a checkbox item, but a feature of their actual platform.”

3. Ability to anticipate regulatory and threat risk

Another must-have skill is being knowledgeable about governance, risk and compliance. “Companies want a CISO who understands the nuance of taking a company down the path of certifications such as ISO or SOC2, FedRAMP, or NYDFS [New York Department of Financial Services],” Piacente says. “A prospective CISO needs to have been through these full cycles to understand the nuances of what their company needs versus what they don't need.”

More broadly, organizations want CISOs who can work on a philosophy of anticipatory risk mitigation, says Piacente. “Such CISOs know what issues are on the horizon with respect to product security, compliance requirements, and prospective threats.”

4. Ability to build customer and partner trust

Aspiring CISOs must also be able to show that they can help the company’s sales and marketing teams instill trust in the security of their products and services. CISOs might be asked to fill out questionnaires that customers or partners send to vet the company’s security practices, for example. “A lot of our clients are software companies seeking CISOs with the ability to manage a corporate IT operation, including applications, business technology, infrastructure – everything,” says Piacente. “While CISOs have traditionally been associated with a certain level of customer and partner support, the past three-plus years have shown a rapid increase and intensity in this portion of the CISO scope. Approximately 80% of our searches include some form of customer and partner enablement scope. We anticipate this trend continuing as the CISO function becomes a key influencer and collaborator across the business.”

5. Certifications, MBAs, computer science background

Many employers will consider certifications when hiring CISOs. According to Autrey, traditional CISOs with a technical/engineering background will often have obtained security-specific certifications such as CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor), or CISM (Certified Information Security Manager).

As the CISO role evolves, however, risk-based and hybrid technical/risk-based security leaders are assessed more on their experience, executive presence, and boardroom skills than their technical knowledge and certifications. Many CISOs consider the subject matter of the certifications good continuing education even if they don't obtain the certification. Employers may want to discuss certifications and continuing education as one element of a well-rounded CISO.

When it comes to general degrees/certificates, “Computer science is, without a doubt, the primary piece that employers are looking for in most CISOs,” says Piacente. “When it comes to our clients, many of the CISOs they’ve hired actually started as software developers and engineers, so they have the comp sci background.”

Piacente notes that for the cloud-based software companies his firm works with, CISOs tend to have a deeper discipline around software engineering or relevant technical/development backgrounds. “On the certification side, I can see that logic as well,” he says. “However, not a single search where we placed a CISO in five-plus years had a hard requirement for any type of certification. In the cloud-native space, it is just not a high priority, but it certainly makes sense with other CISO archetypes.”

Many employers also want their CISOs to have masters in business administration (MBAs). “This may surprise people, but the reason employers want their CISOs to have MBAs is due to the elevation of the CISO's role over the last three to five years, with them playing a larger role in general business matters and reporting to the board,” Piacente notes. “While having an MBA is not critical for getting hired as a CISO, it is certainly helpful.”

6. Interpersonal and social skills

Given the need for CISOs to work constructively with others in the company, employers are looking for people with solid interpersonal and social skills. This means displaying “calm under pressure, resolve in the face of a challenge to their authority, and the ability to translate threats and impacts in business language,” says Autrey.

Today’s CISOs also need a key personality trait: empathy. “That's empathy with your internal organization, your external partners, and potential customers,” says Piacente. “They also need to understand that not everyone understands security like they do and be able to speak to these people positively using terms that they understand.”

As well, employers want their CISOs to be able to set realistic plans, goals and deadlines for their departments, and to be able to explain it all in clear, non-technical terms. “The audience that the CISO has to work with is extremely varied, from sales to marketing, the general counsel and legal to finance,” Piacente says. “If you try to deal with cybersecurity by just trying to ‘build a wall’ around the company without regard for other people’s needs, your colleagues won’t respect it. In fact, they’ll try to get around it. But if you work with them on building cybersecurity solutions that let them do their jobs while achieving a lower level of risk, then this is where success comes in.”

Copyright © 2022 IDG Communications, Inc.