How to Hire a Chief Information Security Officer

Chief Information Security Officers are senior-level executives, responsible for protecting invaluable company information, data, and technology – all while staying true to the organization’s overall mission and goals.

Hiring CISOs is on the rise – and the reason is clear. With 2020’s massive employee exodus from corporate offices to kitchen tables and basement desks, company security infrastructures are more vulnerable than they’ve ever been. When COVID-19 began spreading in America, 18 million COVID-19 related phishing emails and 240 million spam emails were being sent per day. So, it’s no exaggeration to say that protecting corporate data has become harder than ever.

Companies structure their IT departments differently. So, if you haven’t started thinking about hiring a CISO, you probably aren’t alone. If you’re ready now, let’s dive in!

What exactly does a Chief Information Security Officer do?

Broadly speaking, CISOs are responsible for executing, implementing and maintaining a company’s systems, communications and assets from cyberthreats. CISOs maintain a large umbrella of responsibilities, including but not limited to:

• Protecting data from loss or fraud
• Evading cyber attacks and threats
• Managing security hardware and software
• Keeping ahead of security needs
• Leading security investigations

CISOs are also responsible for establishing and implementing high-level policies and procedures, as well as appropriate standards and controls. Last, but certainly not least – CISOs often manage and dull out responsibilities to a team of employees, who are collectively responsible for maintaining company security.

What skills should you seek in a CISO?

The CISO role requires a deft balance of skills, and therefore a talented individual. Here are some of the most important qualities your CISO should possess:

Educational Background
Seek a candidate with a higher degree in the information technology field, and a deep knowledge and professional education in finance or accounting. Some companies also require a CISA certification, passing the CFE fraud examination test, and/or earning an OCSP (offensive security) certificate.

Experience
Anywhere from 7 to 12 years of work experience is desirable – including at least five in a managerial role. Experience within your industry is ideal (for obvious reasons), and at least 2 years of risk assessment and management background is also important. When interviewing, ask your candidate to discuss a situation in which s/he had to utilize or problem solving skills – offering specific examples.

Communication
Exceptional communication skills are a must. From inside the company’s C-Suite, to the IT team, to outside vendors, and prospective clients.

What should the process of searching for and hiring a CISO look like?

It all starts with the job description. This means clearly stating the requirements, skills and qualifications needed to be a great CISO. But it also means selling the opportunity. The goal isn’t just to find a qualified candidate. It’s to find candidates who are both qualified, and excited about your organization. Click here for help on creating your chief information security officer job description.

Second, it’s about getting the word out – effectively! Don’t ignore general sites and job boards that target IT professionals (especially since there are shortages in qualified IT professionals across many industries).

Finally, don’t forgo considering a recruiting firm that specializes in staffing information security professionals. Proven track records and trusted networks are key when it comes to facilitating successful candidate searches.

Conclusion: How to Hire a Chief Information Security Officer

The CISO position is a high responsibility, high impact role. New CISO’s are usually expected to hit the ground running, producing an assessment of the current security state along with future goal setting within the first 90 days of employment. Your CISO will need to have excellent communication skills – including the ability to articulate technical issues in business terms. Ideally, he or she should have experience as first or second in command at an organization in, or adjacent, to your field.