If you’re in your 40s or 50s, you probably remember a TV series called The Twilight Zone (Millennials, think Netflix’s Black Mirror). Every show was its own stand-alone story that took viewers into an alternate reality where things got weird in a hurry, followed by twists and turns culminating in a surprise ending. I headhunt in executive-level Security positions. I’ve grown accustomed to one thing – when it comes to finding and negotiating CISO/CSO positions, the process is unique and there are a lot of surprise endings. Here are a few tips for navigating the unknown:
1. Flexibility can win a great hire. I’m a firm believer that in executive search, the devil is in the details. That starts with a VERY well-written job description (see my previous article) which includes the title, reporting structure, thorough job description, solid sales pitch on the company, and experience level. A Security leader job description is difficult, because it’s a job that has tentacles into every aspect of the business. Your CISO will probably run point on Security Operations (prevention, detection and response), Risk Management, Governance, Education, Legal and Regulatory, Business Enablement, and Identity and Access Management, and leadership chops are a must. But it gets a little murky after that, and flexibility can be greatly rewarded. Why? The person you will hire has no formal educational training for this role, because it didn’t exist. What he or she learned came through hard-earned experience, trial and error and good mentoring. Industry experience can also be tricky. Several industries have Security skills that are transferable because the regulatory frameworks are fairly similar.
2. Be open to candidates with massive salary differences and not-so-defined titles. It’s not uncommon for me to submit candidates for the same role with as much as an $80K salary difference! Plus, current titles for candidates can run the gamut. Security is still a young industry and companies value Security very differently. I talk daily to candidates in smaller and mid-size towns with Director titles and 60% of the salaries of other CISOs who can run circles around their much higher-paid peers. Make no mistake, in Security, there are diamonds in those un-searched hills and valleys – as long as you keep an open mind.
3. Significant dialogue and negotiation are the norm. The standard client response to my point above is, “Awesome! I want to lower my salary projection from $210K to $165K. Go find me one of those!” I hate to be the bearer of bad news, but… Security people are tribal, and boy do they talk. That highly experienced Security person who took a Leadership role seven years ago in Columbus on a cut-rate salary when nobody really knew what a Security leader was worth? That person who scratched and clawed for budget, grew in trust with the Board, and built a Security program to be proud of on elbow grease and smarts? He/she knows full well how underpaid they are. Plus, Security professionals are notoriously careful (it’s kind of the gig). These candidates know their worth and they are ready to cash in. Also, be prepared for the interview process with Security leader candidates to be a highly back-and-forth dialogue. Given the liability at stake for both company and candidate, expect a constructive process where both parties feel comfortable with the role and the compensation package. It can take some time, but it’s worth it.
The process of finding your Security leader can be a little unruly. Set your expectations on a search that’s a bit of an adventure. It will pay off.