Light Dark
April 20, 2017 By David Strom 2 min read
CISO

One of the most critical hires of any IT-related job is usually the chief information security officer (CISO) or chief information officer (CIO). But the decision to hire these executives is one CEOs and boards of directors typically do not want to make. This decision is often made during a crisis of some kind. It could result from a knee-jerk reaction to a major security breach or a new CEO’s desire to clean house and set a new strategic path.

On his blog, Froud on Fraud, David Froud referred to the CISO as the “chief impending sacrifice officer.” The reason for the snarky interpretation of the acronym is simple: Too often companies are looking for a quick fix to their security policies and want a new CISO to come in and sort things out. This doesn’t bode well for the CISO, who usually ends up “paying the price” by eventually being fired for not meeting expectations. It doesn’t help that CISOs can sometimes lose sight of corporate business objectives and speak a different language than their corporate superiors.

Listen to the podcast: Directors Are From Mars, CISOs Are From Venus

Breaking Down the Search for a CISO

The hiring decision is really a two-pronged process. First, the enterprise needs to find the right person for the job, and that person must decide whether the job is right for him or her. “By far the biggest challenge for organizations in hiring a CISO is doing it for the right reason(s),” Froud wrote. “Unfortunately, the reason, 99 times out of 100, is a necessity.” The time to really understand this is now, during normal operations — not during a security breach or other IT crisis.

The first step is to think of this hire not as the person, but as the function needed within the organization. That can be difficult because CEOs and boards of directors typically aren’t used to thinking about these functional areas and prioritizing which specific projects need the most help.

In another post, Froud categorized companies into three different focus areas: planning, execution and optimization. Depending on where a company’s security program is in this continuum, the focus areas require very different kinds of CISO in terms of skills and personality. The planner, for example, is good at getting a program started, writing an initial security governance charter and selling it to the executive suite. But he or she may not be prepared to ingrain security into company culture over the long term.

Bringing Big Ideas to Life

Once you know the kind of CISO you need, the next step is matching the right skills to refine your selection set. This might mean working with a series of different people as you move from planning to implementation.

The search for a CISO is not about hiring the right person. Rather, Froud wrote, “it’s about committing to an idea and doing whatever it takes to bring that idea to life.” CEOs and boards of directors facing the tough task of hiring a CISO should remember this excellent advice.

 |  |  |  |  |  | 
David Strom
Security Evangelist

More from CISO
October 27, 2023

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature