Some DOs and DON’Ts for Hiring Your Security Leader
I’m an Executive-level Security headhunter. That means I spend a lot of my week doing two things: talking to CISOs or those people ready to be CISOs, and talking to companies that are in the market for a Security leader.
My experience is that companies looking for a Security leader fall into three categories: 1) Companies that know their risk tolerance and have an informed handle on what they want a Security Program to accomplish. 2) Companies that think they know, but are a little unsure and need an interview process with different levels of candidates to help make a decision. 3) Companies that are spooked by the breach headlines, aren’t sure what they need, but know that they should probably figure it out in a hurry. All three options present a great opportunity to find the right Security leader. If you’re a company that’s in the market for a Security leader, start by determining which category you’re in. Then, consider these DOs and DON’Ts.
DON’T list all of the skills that a fully-functioning Security Program requires and cram them into a job description. If a description, for example, says that you need a Security leader to report to the Board and “remediate,” you just played a hand that says you are looking for a one-man Security band who’s willing to do everything. Experienced leaders run from this one.
DON’T post a Security leader position on a job board. First, it’s a time killer because you’re going to get 400-500 resumes (a lot of people think they can be a CISO). Second, it’s almost always the case that the right candidate isn’t sitting around perusing job boards. Security leaders are busy and well paid. They tend to be passively open to new opportunities and have to be sold to even consider something new.
DON’T be too quick to take a hard line on salary. Nowhere is the free market more on display than in Security leadership. Get ready for some sticker shock, because Security leaders who have built a successful Program tend to get paid. After an interview process, you might decide that you need this type of candidate and are willing to adjust salary expectations accordingly.
DON’T ask early in a first interview what the candidate’s plan would be to secure your company. He/she doesn’t know your risk tolerance, your budget or anything about your current efforts. The goal is to have a productive back-and-forth about what you want to build in a Security culture and the candidate’s philosophy toward how Security can help the overall business. If the vibe is right, you’re onto something.
DO consider what you need to protect. This will determine how much industry-specific Security knowledge your company needs. Many Security leadership and background skills are transferable across industries, but there are caveats. IoT and Supply Chain Security are unique animals requiring experience. Banking and Financial Services are interesting because of the regulations. Since regulations hit Financial Services first, I’ve found that this type of Security background can be handy for Healthcare companies.
DO look at a candidate’s staying power. A Security Program build or re-tool is a 4-6 year job. If you see a Security leader who’s jumped to the next shiny gig every couple of years, just walk away.
DO consider your company culture. Do you want a younger Security hotshot or a leader whose experience has caused some gray hair? It’s an important determination. When a company doesn’t know, the search always takes longer because I need to submit two very different candidates right off the bat and see which way the wind blows. Once that determination is made, the search can begin in earnest.
DO prepare for a different type of interview process than you have ever participated in before. Security isn’t accounting. The stakes are high and so is the liability – for you, your customers and the career of your chosen Security leader. The right candidate is going to pound you with questions and he/she will want to be comfortable with the answers, or at least with the budget, time and backing necessary to execute. Security leaders are, by nature, cautious. I rarely see a candidate willing to “take a flier” without all the facts.
Hiring a Security leader is an adventure, regardless of the status of your company’s Security posture and risk tolerance. The goal is to remove the clutter early, identify the right candidates quickly, and structure a productive interview process. These DOs and DON’Ts will help put your company on the right track.