Hiring a CISO (or want to be one?) Know you this…
"Too often security teams make a lot of noise when things are wrong, but disappear when things are going well"
Everyone’s heard the CISO jokes: How it can mean “Career Is Soon Over”; the old “three envelopes” chestnut; the #cisotips hashtag that satirises the security advice given by supposedly out-of-depth executives.
Maybe you’ve also read the worthy pieces about how this senior security role wreaks havoc with the mental health of many; burnout and churn are rife. Take a look at infosec Twitter, for example, and arguably the only more common conversation about CISOs than the timeless “should a CISO be technical?” debate is the one among younger cybersecurity professionals wondering why the hell anyone would want to be one.
(It’s often a question in which sarcasm fights it out with thinly veiled ambition: there are plenty of security and risk professionals aspiring to the higher pay grade, cachet, and strategic responsibility that come with making it to the C-suite; yet there’s also often little guidance available about making it to the role, unless you have an existing CISO in your network. It’s a mutually supportive community, many CISOs say; one in which professionals from otherwise rival companies network both formally and informally to share experiences.)
A good CISO can be a critical bridge between otherwise isolated IT teams or SOC staffers and the broader business leaders, and many organisations that never had a CISO are beginning to realise that they need one. (As recently as 2019, just 62% of the Fortune 500 had a CISO, security firm Bitglass found; recent headline fodder Colonial Pipeline didn’t have a CISO in place either, despite running the biggest gasoline pipeline in the US and being a key piece of critical national infrastructure.) The Stack spoke to several experienced CISOs and specialist CISO recruiters to get their view on a) becoming one and b) CISO hiring trends in 2021.
Owanate Bestman is the founder of specialist cybersecurity staffing firm Bestman Solutions and exceptionally close to the market. He told The Stack that enterprises hiring a CISO for the first time, particularly “where there is an immature or small security presence, often expect the CISO to do everything from penetration testing remediations to helping the firm meet security compliance standards. Many of the responsibilities listed in the spec need amending. In most cases, the hiring manager needs a consultation as to what is realistic and what the market remuneration benchmarking is, as these are often misaligned.”
He added: “With many first time CISO hires, it feels like the business is looking for a unicorn who is both extremely technical, extremely strategic and will work for far below market rate. On my part it’s an interesting consultation which calls for some re-education and a willingness for the business to be flexible.”
Hiring a CISO
Neil Price, Head of CIO at executive recruiter Harvey Nash Group told The Stack: "The marketplace for the top CISO talent today is very buoyant. The best CISOs in the market will have the choice of which role to take and will choose to join an organisation where they can make a difference, be recognised for their efforts and where there’s appetite to continually improve, because when you’re not progressing you are falling behind. Organisations that wish to engage the best talent to deliver the best outcome need to describe an environment where the incoming CISO will have buy in at the highest levels, budget to succeed and freedom to deliver.”
Given the competitiveness of the market, what about training and recruiting internally? Price agrees, "you should look internally first, it may be that the best approach to a fresh strategy is in the team already" although he advocates a hybrid approach of internal talent nurturing and external sourcing.
As Owanate Bestman adds, "firms training up CISOs internally is not very common when there hasn’t been a CISO in that position before. This internal promotion tends to happen if an existing CISO has left, which paves the way for a 'security manager' or 'head of security' to push for the title of CISO.
"The problem I have seen here is that they may be CISO in title, but their responsibilities remain the same because of the lack of awareness from the firm about what a CISO does. In this situation the promoted employee pushes for this title change to help them land a 'true' CISO position in their next role."
Things I wish I knew earlier...
For those hoping to make it to CISO, particularly those working at the security operations coalface, rapidly getting to grips with broader business strategy and priorities is critical.
The Stack asked several CISOs what advice they’d give their younger self, or security professionals coming through the ranks with an eye on the CISO role.
Paul Baird, Chief Technology Security Officer at security firm Qualys, told us that looking back, he wished he “had had better business awareness before making it to C-level. As I was coming up through the ranks, mostly in engineering-related roles, every decision was pretty simple: it was either a yes, no or ones or zeros.
"Later on I learnt that when you’re operating at a more senior level, you have to consider the wider impact of your decisions on the organisation as a whole, so it’s a lot more complicated. Within those decisions, there can also come conflict between teams or your C-level peers as everyone is fighting for their own priorities. You need to learn how to hold your ground and voice your needs as a department head, but also have the awareness and humility to know when to back down because it’s the right outcome for the organisation overall.”
George Gerchow, Chief Security Officer at Sumo Logic adds that being highly visible during the good times is also critical for a CISO. As he puts it to The Stack: “This tends to go completely against a technical person’s natural personality, but the ability to speak up and evangelize themselves within the wider business [is a critical ability]. All too often the security team makes a lot of noise when things are wrong, but they disappear when things are going well and other areas of the business just begin to associate them with that negativity.”
For those eyeing a new CISO role, understanding just how much backing they are likely to get is critical. Former Department of Energy CISO Gil Vega, now at Veeam, earlier drove that home, noting how Veeam had set the role up as a genuine C-suite one: something that's not always the case. ("I am part of the CEO’s leadership team, and the executive team, and that allows me to provide a lot of input and guidance on the company’s strategic plans; where we’re going to spend money, where we’re going to invest, where we’re going to open new business.")
JumpCloud CISO Fred Wilmot agrees that having a clear idea of what you want from your CISO is critical and potential recruits will be paying close attention to the maturity of the environment they are entering: "I think there is always a question of ‘What are you getting yourself into?’ when you come to a new company as an executive. I always try to get a sense of what the company’s threat surface looks like, speak with internal and external teams, board members, and stakeholders" he says, adding: "One of the most critical requirements is the business commitment to security; where does the CISO report in the organization? How is security perceived across the organisation?"
What about the one skill that makes a C-level IT/security professional successful that is perhaps not directly related to their job role? "No question" says Wilmot. "Soft skills. I cannot tell you the number of conversations I have had where doing the right thing for the business meets both of the objectives for two different reasons, and a conversation helps see these are aligned. In remote-only workforces, this is fundamental to understanding first and seeking to be understood second. All other things flow from this ability to empathize, understand, collaborate, and build rapport."
Companies hiring a CISO should also take the opportunity to think carefully about the CISO-board relationship -- not just in terms of regular reporting by the CISO to the board, but indeed the composition of that board.
Fresh research this month by executive search firm Marlin Hawk found that although cybersecurity has emerged as a key priority for many corporate boards, representation of CISOs at board level is vanishingly rare, with just 1% of boards including an executive who has spent the majority of their career as a CISO.
This matters more and more. As SASIG's Martin Smith MBE earlier told us: "Ultimately, the responsibility [for cybersecurity] rests with the board. It has a responsibility to understand the problem. Just imagine if boards said “Oh, I don’t really understand computers – we’re going to leave that up to the CIO”, or, “I don’t really understand money, so I’m gonna leave that to the CFO” or “I don’t really understand people management, so I’ll leave that to the head of HR”. No! The board has a fiduciary responsibility to understand all of this. That’s why they’re at the board level! All boards have a fiduciary duty properly to understand cybersecurity.
"By the same measure, if the board doesn’t understand cybersecurity because they see it as too difficult or unimportant, that’s simply because it hasn’t been explained to them properly. People at board level are really bright, that’s why and how they got there. If they don’t understand something then somebody in the chain hasn’t explained it to them properly: in this context that’s the CISO. That’s why soft skills are so important.”
So first stop CISO, next stop, board. And if you're an ambitious information security professional, start thinking about how you can hone those soft skills as well as your technical ones.
If you're banging your head against a brick wall, meanwhile, know when to walk away, if you have the luxury of being able to do so. As Veeam's Gil Vega earlier told us: "In companies where the culture is imperfect you need to try and find someone that can understand your point of view; someone influential that can help the company understand what it is you’re managing through. Quite frankly — and I’ve told this to other CISOs that I’ve mentored — where you can’t get the worm to turn, then perhaps look for other opportunities. Because it takes two to tango. If people are unwilling to hear your concerns or you’re being set up to fail, then it may not be the best professional place for you.”