HOW TO SLAM DUNK YOUR CISO JOB DESCRIPTION
Let’s agree that writing job descriptions is a huge pain. The copy/paste method is so much easier than spending the time getting multiple parties involved in the decision process, and then writing something solid and comprehensive. But there’s one job description that is REALLY worth the time it takes to get it right: your Security leader. I promise you – if you spend the time on the front end, this will save you so much grief. Here’s how to do it.
1. Sell, sell, sell! Security leaders are hard to find and they have to be sold on your company. Consider taking the standard method of writing a job description and turning it on its head. Good candidates like it when they see copy that’s well thought out and creative. Why not start with a brief on your company, its growth trajectory, market positioning, goals, and charitable/community efforts? A great job description isn’t a list; it’s a story. Providing context for your company is a great way to start.
2. What is Security to your company? This is where you home in on what you need in your Security leader. It’s important to balance the type of CISO you want against where your company currently stands on Security. Synopsys recently released their CISO Report with a very interesting look at the CISO “tribes” – here’s a link – http://bit.ly/2nABHvg. Does your company view Security as an Enabler, a Technology, Compliance, or a Cost Center? Paint a picture of where your company stands on Security and where you want to go. If you do this well, Security leaders who aren’t interested will opt out before the interview process, saving you valuable time.
3. Does the Title and Reporting Structure align with the responsibilities of the role? This is the point in a Security leader job description where seasoned prospects can tell if your Security philosophy lines up with reality. Keep in mind that the Security leader’s job touches every part of the business. If you want your leader to deal with tech and compliance and stay out of the way of big decisions and the Board, you can get away with a Director or Manager title. If you want Security to be a key business driver and expect your leader to report to the CEO and the Board, the CISO/CSO title will be critical.
4. Carefully match the desired qualifications with the responsibilities. Security leaders run the gamut from the deeply technical with applications backgrounds to lawyers with compliance expertise. The goal here is to create a realistic balance that doesn’t choke your pipeline to nothing, and doesn’t invite a cattle call of candidates from all walks of the Security spectrum. One of the best resources in all of Security, a document that I use every day, is the SANS CISO Mindmap – http://bit.ly/2nHxsNH. It’s an excellent resource for considering the responsibilities of a Security leader. Use it to match qualifications with responsibilities and you’ll be ahead of the game.
Security leaders are a careful bunch and they respond well to opportunities where the philosophy is in line with reporting structures, responsibilities and qualifications. Attracting the right candidate is much easier if you spend the time on the front end to get it right.