The role of the chief information security officer (CISO) has changed dramatically in the last decade. No longer merely a digital sheriff called on to protect the firm’s data valuables, the CISO is expected to act as a full strategic partner with the rest of the C-suite. The upgrading of the role is a natural response to the extensive technological, societal, economic, and geopolitical developments over the same time period. For many organizations, information – whether customer records, intellectual property, or strategic planning – is now their most valuable asset. As those assets have become more valuable, they have also become less secure because of the increase in the number and the sophistication of attackers, as well as the vulnerabilities inherent in an increasingly networked society.
The bottom line is that, although the CISO rarely reports directly to the chief executive officer, he or she must have the qualities expected at the CEO-1 level. Organizations endeavoring to fill the CISO role must ensure that their recruitment strategies and candidate evaluation processes keep pace with these greater expectations, lest those organizations increase their risk of unmet security goals, shorter CISO tenures, and the associated costs. This is in addition to the difficulty of maintaining a consistent security culture in the shadow of frequently changing information-security leaders.
Taking a holistic view of CISO candidates
Our observation at Egon Zehnder has been that when looking for their next CISO, organizations can benefit by taking a broader view of the required qualities and capabilities. Effective candidate evaluation can be achieved by dividing a candidate’s career into its past, present, and future components and evaluating each element with the appropriate perspective. A consolidation of the three elements provides a holistic view of the CISO candidate that corresponds with the multi-faceted nature of the role today.
The past: What has the candidate done?
A candidate’s credentials, work history, and track record have always been a central part of the evaluation process, and for good reason. This component includes examining the types of organizations in which the candidate has worked, their size and complexity, and which markets they served, and then seeing what the candidate accomplished in each role, what transformations the candidate has led, and the security record of the organizations under the candidate’s watch. These findings provide the raw material, basic facts, and context for measuring the fit between the candidate and role. Although the CISO role has grown significantly beyond its technical roots, the technical expertise indicated by work history is an essential “table stakes” requirement for a candidate to warrant further consideration.
The present: What can the candidate do?
Until about a decade or so ago, exploring a candidate’s work history generally constituted the bulk of the assessment process. Then the realization emerged that what a candidate had done so far is a mere subset of what a candidate could do, because one’s work experience can never be so broad as to capture everything of which someone is capable. Looking at competencies is a way of taking an inventory of an executive’s full leadership toolbox. The key is to evaluate for the right competencies given the demands of the position. In our experience, five competencies are particularly important when evaluating CISO candidates. They are listed here in order from the most common to the most elusive:
- Results orientation: The successful candidate must be able to move quickly to get the right things done. Audits are responded to in a timely fashion, the board of directors is clear on the impact of information security investments, and core data assets are well protected.
- Strategic orientation: As mentioned earlier, the CISO must be a strategically oriented partner with critical thinking skills. He or she must process disparate information and generate valuable insight regarding external issues such as shifts in threats and countermeasures and internal matters such as business implications of information security policies and protocols.
- Transformational leadership: Regardless of the context into which the new CISO is taking the helm – after a major breach, under the glare of heightened board scrutiny, or with an acquisition that must be integrated – he or she will need to transform systems to address current challenges, creating a vision others buy into and moving the organization forward while keeping day-to-day operations running smoothly.
- Relationship management: The CISO must be able to lead in a matrixed environment, working diplomatically with a range of constituencies with different perspectives on information security, including the board, the CEO, the CFO, the COO, and general counsel. In addition to managing internal relationships, the CISO must also leverage external networks that include peers at other organizations, Internet service providers, third-party security solution vendors, and law enforcement and intelligence agencies. The CISO must have the gravitas and influence necessary to communicate effectively with each of these internal and external groups in a range of conditions, from off-site strategy sessions to emergency response.
- Team leadership: Most organizations focus all their attention on filling the CISO position, leaving relatively little energy for establishing a pipeline of internal talent. This is understandable but shortsighted. Identifying and developing internal information security leadership talent is critical to the long-term success of the function and should be considered part of the CISO’s role.
The future: How will the candidate adapt to change and unforeseen developments?
Looking at competencies provides a more complete view of a candidate’s abilities than examining just professional history. But competency-based assessment has its own limitations in that it assumes the future will be more or less like the past or present. It does not measure a person’s ability to respond to fundamental changes such as those brought about by the current waves of digital transformation. Someone who looks highly qualified on paper and presents well thus can fall short of expectations as conditions become highly complex and ambiguous. Also, looking at only experience and competencies means the organization risks overlooking candidates who may seem underprepared today but with sufficient support would be best suited for the future.
In Egon Zehnder’s examination of the assessments of thousands of senior executives, we discovered that those who flourished in the face of volatility, complexity, uncertainty, and ambiguity shared four traits, which collectively we call potential. The four elements of potential are the following:
- Curiosity: A penchant for seeking out new experiences, knowledge, and candid feedback, as well as an openness to learning and change
- Insight: The ability to gather and make sense of information to suggest previously unseen opportunities and threats
- Engagement: A knack for using emotion and logic for communicating a persuasive vision and connecting with people
- Determination: The resilience to fight for difficult goals despite challenges and to bounce back from adversity.
The elements of potential add an extra dimension to what is learned from a competency-based evaluation in the same way that examining competencies provides much more depth than merely looking at work history. None of these elements are sufficient on their own for identifying how a given candidate will respond to the unfolding challenges of the CISO role, but in combination they produce a vivid, and in our experience, highly accurate, portrait and predictor. These added dimensions are particularly important because of how much the CISO role has changed in the last several years. Few CISOs have established track records acting as the sort of strategic leaders—rather than technical managers—that the role requires today. The attributes of potential add another element to help identify who is likely to successfully navigate this leap.
But the above framework is only that – the quality of its output depends on the quality of the input. Without a concerted effort, reliable input can be difficult to obtain in CISO evaluations because of the tendency of the data-security function to move quickly from crisis to crisis, leaving little concrete evidence of who did what when. The key to obtaining the needed level of detail is in-depth interviews with multiple informed references. Doing so requires the ability to tap an extensive professional network.
Because of the number of factors being weighed, it is important to not merely collect observations for each quality being examined but to place the candidate on a scale based on average performance in the industry. Some organizations also complement candidate and reference interviews with psychometric testing to provide another layer of objective input for the evaluation process.
Positioning the role
The market for top-tier CISOs is now highly competitive. Information security has become a high-profile corporate concern, and the bar has been raised on the pool of qualified candidates. By one estimate there were 2,700 CISO job openings in the United States in June 2015. So even if organizations are able to effectively evaluate candidates against current and future requirements, they must also be prepared from the start to actively sell the opportunity to an audience that is naturally skeptical. In our experience, every CISO candidate asks four overarching questions when evaluating an opportunity:
- “Who is my sponsor and how much influence does he or she have?” This is likely to be the first question on the CISO candidate’s mind, and he or she is thinking about this issue in at least two specific ways. First, although the CISO is likely to have some interaction with the board and C-suite, there will still be many conversations that affect the information security function to which the CISO will not be privy. As a result, the CISO will have to rely on his or her supervisor to act as an effective intermediary in advocating for resources and policy initiatives and in educating the board and CEO on information security issues as they unfold. Second, when the CISO needs to take an unpopular position to strengthen an organization’s information security profile, he or she has to know there will be support in high places.
- “How deep is the organization’s commitment to information security?” This is more than a question of staff and budget allocation, although those elements are certainly important. The CISO wants to know that the C-suite and the board appreciate the complexity and uncertainty at the core of the information security function and the need for making everyone in the organization, top to bottom, responsible for security. For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy both in times of normalcy and crisis. Although the CISO expects organizations to have high standards, he or she will avoid enterprises that reflexively cycle through security teams.
- “What key performance indicators will I be measured against?” Given that every large organization must assume that it is continually under cyberattack, it follows that security breaches are a matter of not “if” but “when.” Therefore, it is not realistic for a company to hold its CISO to a “one strike and you’re out” performance benchmark. The conversation about expectations is just as important as the ones about resources, reporting lines, and compensation.
- “Where will I be in five years?” Those who lead the information security function are like other functional leaders in their range of career ambitions. For some, the opportunity to lead the function at a quality organization is the goal; others, however, are looking ahead to a CIO role or even a broader role in organizational leadership. It is important to understand each candidate’s desires against what the organization can offer. Remember that the CISO’s reporting relationship will be one factor that frames this issue in his or her mind.
Long gone are the days when an argument had to be made regarding the strategic importance of information security. In most organizations, the CISO role now has the weight and sophistication its responsibilities require. Organizations can assess the state of their CISO recruitment and assessment strategies by asking themselves the following four questions:
- Have we identified the CISO’s full range of strategic responsibilities and the competencies needed to be successful?
- Do we have a consistent methodology for evaluating a candidate against those responsibilities?
- Have we reviewed the CISO reporting relationship against the information security context of the organization to ensure that the CISO is adequately empowered to accomplish the organization’s information security goals?
- Do we have an adequate professional development program in place to support the CISO and his or her team to help them meet the standards demanded by the function’s heightened importance?
From the answers to these questions, organizations can then begin to make the necessary adjustments to ensure they have the approach and tools to identify and attract the information security talent that can perform at the level the position now requires.
This article is based on Chapter 46 from the book Navigating the Digital Age — The Definitive Cybersecurity Guide for Directors and Officers published by the New York Stock Exchange Group and Palo Alto Networks. With kind permission to post on www.egonzehnder.com.