This is Part 3 of a 3-part series from our newest ebook, "The CEO's Guide to Hiring a CISO".
The digital frontier is constantly evolving, and with it, the Chief Information Security Officer (CISO) role becomes increasingly critical. As a CEO, your selection of a CISO can be pivotal for your organization's cybersecurity posture. In this third part of our guide, we explore the nuanced process of selecting the right CISO for your business.
Recognizing the need for a CISO is the first step in this journey. Whether due to the departure of a current CISO, a significant change in regulatory requirements, or the realization that your cybersecurity leadership is lacking, identifying the root cause is crucial. This awareness will shape your search and the specifications of the role.
Here are four steps you can use as a guide for selecting a CISO:
There are several organizational situations that drive the need for a CISO:
These situations underscore the importance of having a competent and dedicated CISO to navigate the complexities of modern cybersecurity challenges and regulatory environments.
Before considering the experience, spend, and availability required to hire an interim, fractional, virtual, or full-time CISO, there are a few areas that the leadership team needs to establish for common ground:
The ideal CISO should bring a rich tapestry of experience, ideally with previous CISO roles or significant leadership in technical or risk management. By seeking a technology leader with the demonstrated ability to scale a security program, your organization will be able to adapt to ever-changing technology and regulatory requirements. The ideal fit would be to match that CISO's experience with your organization's sector and size.
However, understanding the financial commitment is equally important – from competitive compensation to the overall cybersecurity budget. Another consideration could be to evaluate what, if any, non-monetary compensation your organization may be prepared to offer. Lastly, consider the availability of candidates who have the experience and can address current cybersecurity priorities effectively.
With an understanding of what is driving the need for a new CISO, a CEO must consider the following:
The ideal candidate would have prior CISO experience or C-level experience in a Technical or Risk management role. Such requirements may include, although are not limited to:
The ability to be conversant about cybersecurity priorities and track current trends and issues is also a critical priority as the cyber landscape changes each year.
What an organization can afford or is willing to pay for the CISO role can significantly impact the CISO they can attract. It can also signal how the organization perceives the CISO role. While it is instinctive for most organizations to default to full-time employment, CEOs should be aware of alternative approaches to solving for technology leadership that offer on-demand, as-a-service models providing full-time, part-time, short-term, and long-term engagement that maximize experience within the three dimensions discussed above. The right amount of technology leadership spend is that amount of money that will attract the most experienced leader the organization can afford - including through fractional and interim assignments.
The overall budget for cybersecurity programs can range from 5% to 15% of the total IT budget in larger organizations. Note that if an organization has not invested any budget line item in its cybersecurity initiatives, it should expect a larger budget in the first two years to align with best practices.
An organization's needs driving the hiring of a CISO may impact the number of possible candidates based on their availability in two areas:
The previous two sections encouraged CEOs to think holistically about the organizational need driving the selection of a new CISO and reflect on the required experience, spend, and availability before selecting a hiring approach. While executive search remains the most familiar hiring approach, knowing all options empowers CEOs to make the best choice for their organization's short- and longer-term needs. This section reviews the Executive Search and Leadership-as-a-Service approaches to finding a CISO.
Retained executive search firms take a consultative approach to understand an organization considering a search to fill an executive role. The consulting process ensures that each client receives their full attention to craft search priorities and a search strategy that considers their unique needs for the role and the leader. A reputable firm will often understand the organization's culture, explore the reasons for the vacancy or new role, and become aware of any HR guidelines for the candidate. They may also develop insight into the personalities, work styles, and preferences of the CEO and the intended role's peers and spend time crafting a detailed job description and candidate profile specific to the client's organization. Successive interviews and feedback lead to selecting a preferred candidate who, hopefully, accepts the offer and transitions into the new role as a full-time employee.
Larger search firms have specialized practices for specific roles, and some search firms specialize entirely in roles within a particular domain, such as Finance, Technology, Human Resources, etc. Fees for retained executive search services typically amount to one-third (33%) of the candidate's first-year cash compensation, including the base salary, signing bonus, and any other projected bonuses. The fee is paid in equal installments upon the start of the search, 60 days into the search, and following the acceptance of an offer by a candidate. For a CISO, this acquisition cost amounts to approximately 7% of cash compensation over the average tenure of 4.6 years (as of 2019). It does not include the cost of equity compensation, benefits, severance, and ongoing employment costs. The time to conduct a search varies but averages between 3 to 9 months from the start of the search to the candidate's start date, during which the client is usually without leadership in the role.
Leadership-as-a-Service (LaaS) is a managed service that allows an organization to engage vetted, world-class executive leaders in as little as a few days to 2 weeks. Technology Leadership-as-a-Service® (TLaaS™) is the LaaS concept applied exclusively to the CIO, CISO, and CISO roles. In most cases, executives of firms offering Leadership-as-a-Service have decades of experience in the role they are offering. Combined with the tens or hundreds of executives serving their clients in those roles, they are also experts on the role. Role-based expertise and a ready supply of available executives can dramatically reduce the time needed to fill a vacancy or apply senior talent to an important initiative. Technology leaders in a TLaaS model enjoy association with tens or hundreds of other technology leaders incentivized to help one another serve clients in ways that no single technology leader can achieve alone - employed or not.
TLaaS may be appropriate when an objective review of the organizational needs, required experience, spend, and availability allows for a CISO in an interim or fractional role. TLaaS may also offer a CISO in a situational leadership capacity to facilitate an important initiative such as an assessment, transformation, or consolidation for a specific outcome.
In contrast to up-front fees for executive search, Leadership-as-a-Service embeds fees for the leader in the monthly cost. Fees only last as long as the leader provides the needed value and can increase or decrease in response to the natural rhythm of innovation and stability over time. Models vary, but a general rule of thumb is that Leadership-as-a-Service costs, on average, about 20% more than the base salary of an equivalent leader in a full-time role. However, the cost of a CISO for 2-3 days per week with more experience across all three dimensions without hiring risk may be similar to, or less than, the combined acquisition, ongoing, and severance cost of a full-time, employed, possibly less-experienced, CISO with the associated hiring risk.
After considering the organizational need driving the selection of a new CISO, reflecting on the required experience, spend, and availability, and reviewing the two approaches to hiring a CISO, the CEO will need to choose a hiring approach and make a final selection of a CISO. The good news is that either approach can produce equally qualified and effective CISOs. The right choice for a given organization, in a particular situation, at a given time will influence the hiring approach and final CISO selection. The Executive Search and Leadership-as-a-Service options are covered below.
The retained executive search model may be the obvious choice if the organization:
There are over 5,000 search firms in the United States and 20,000 or more worldwide, so there is no shortage of choices. The more specialized the firm, or a practice within a firm, is toward the CISO role and possibly even the CISO role within a given industry, the more likely the firm will be familiar with qualified CISOs when the firm reaches out to discuss the role. Demonstrated experience completing CISO searches with references to satisfied clients is a must. The search process is long, involving many hours of discussing the role, the profile, the candidates, and the offer strategy. Finding senior leaders and associates of the firm that match the organization's values and are enjoyable to work with can make the entire process more pleasant.
The search process emphasizes crafting a specific profile that will be most successful in the role at a given organization. Great care is taken to get input from multiple sources to arrive at a composite profile representing the perfect candidate. Finding the ideal candidate is a great goal, but the CISO role is relatively static across organizations and industries at any given time. Don't get creative in defining the role. A great CISO knows how to be a CISO and is a living profile. Value candidate experience and tenure most.
The highest predictor of success in a CISO role is past success in a CISO role and is likely not unique to the organization. When evaluating CISO candidates, consider the following observations:
Assume leadership in prior organizations acted rationally, keeping successful CISOs longer and exiting unsuccessful CISOs sooner. Also, assume CISOs acted rationally, staying longer in circumstances where they could be successful and leaving those where they could not. There are exceptions, of course, but assuming rational behavior is a good start.
The success of a CISO of any given organization is highly dependent on factors outside of their control. What worked in one organization at a specific time, with certain people under particular circumstances, may not work in another where all those factors are different. Adaptability is necessary to succeed anywhere, but some organizations contribute more to the failure of the CISO role than the CISO themselves. Not all such claims by candidates are excuses.
The average tenure of a CISO in 2023 was only 18 months - much shorter than their C-Suite counterparts (source: Enterprisers Project). In addition, Gartner predicts that half of all CISOs will be changing jobs by 2025. Thus, even though CISOs remain in high demand, organizations cannot eliminate all hiring risks. Select the most experienced candidate available at the time and emphasize being an organization that can contribute to CISO success and commit to early detection of, and fast response to, a poor fit (e.g., fail fast).
If the analysis above fails to suggest a definite choice between Executive Search or Leadership-as-a-Service, or the potential to immediately engage a world-class, full- or part-time CISO with little hiring risk is attractive, Leadership-as-a-Service is a compelling choice.
There are far fewer individuals and Leadership-as-a-Service firms offering fractional and interim CISO services than there are search firms, so finding one may prove more challenging than engaging one.
Among the referrals or search results, value the number and breadth of individuals available to provide CISO services. A single individual can be an excellent choice if they are available and interested in the work. A larger firm with tens or hundreds of resources will provide more choice, is more likely to have experience specific to a given industry or situation, can more readily offer additional or different resources as needed, and increases the effectiveness of any given CISO through a vibrant community of fellow technology leaders. A firm with many resources indicates that its business model is attractive to the CISO and that there are enough clients to keep them as busy as they want.
With a short list of individuals or providers, visit their website, check LinkedIn, and contact their leaders via chat or email to start the conversation. Get a feel for their experience, connections, and the quality of their online presence. A successful provider will offer education online, respond quickly, and be ready and willing to help solve the need for a CISO or advise on alternative solutions.
An initial discussion with a leader with extensive experience helping organizations evaluate and select fractional and interim CISOs will uncover specific requirements and prompt deeper dialog about the CISOs that will produce the best fit among available resources.
Based on the organization's preferences and the number of resources fitting the request, the provider presents one to three technology leaders with associated biographies and experience. Some situations may prompt a proposal covering the understanding of the situation, the approach to solving the need, and a discussion of the proposed people.
If a proposed CISO is acceptable, an agreement between the organizations is signed. The new CISO may start as soon as the CISO and client can arrange a mutually agreeable date.
Most fractional and interim CISO providers will be able to get started very quickly, often providing viable candidates within hours to days and beginning within one to two weeks if speed is essential.
Once the fractional or interim CISO starts, they start doing what CISOs do - assuming responsibility and accountability to support the organization. Generally, they operate like any CISO - attending leadership and Board meetings, providing status updates, managing the technology organization, interacting with customers and vendors, and carrying out the responsibilities and priorities of the CISO role. Interim roles are full-time and expected to be available just as any executive would be. Fractional roles are part-time and expected to be available on a regular, agreed-upon schedule and as-needed on a best-efforts basis. Fees are usually invoiced monthly or twice monthly. Larger firms have sufficient resources for ongoing contact with the firm's leaders as necessary and administrative support for resolving issues and smooth operation. Fractional and interim roles can be short-term or extended for years when there is a good fit and the organization believes the value proposition meets its needs.
As mentioned above, even if the organization has chosen Technology Leadership-as-a-Service to solve their technology leadership needs for a particular time or situation, Executive Search is often used to find a full-time employee. Most providers have good relationships with search firms and can make a referral when needed.
Executive Search and Leadership-as-a-Service are not entirely mutually exclusive. Executive search is almost always part of the interim CISO process and can be a part of the fractional CISO relationship when it's time to transition to a full-time employee. The fractional or interim CISO can be one of the most objective and qualified participants in the search:
Even if the organization has started an executive search and has not engaged a fractional or interim CISO from a Leadership-as-a-Service provider, it's not too late! Doing so will take some pressure off the organization to make a quick decision, provide reassuring coverage for the role while the search is ongoing, and, as explained above, can contribute positively to the search and transition after selection.
Download the full e-book: The CEO's Guide to Hiring a CISO
Contributors: Burke Autrey (CEO), Walt Czerminsiki (Partner), Tim Mather (Partner), Bill Alfveby (Partner).