4 Traits to Look for in a CISO Candidate

Knowing when it’s time to secure an executive-level information security position for your financial institution boils down to two things: the timing within your organization and the availability of a qualified candidate. The first of these is far easier to establish than the second, so let’s tackle it now.

Security is Becoming a Top Priority

It’s well past time for a security professional to have a seat at the executive table; data breaches seem to happen every day, and these breaches are costing companies an average of $3.86 million. The industry is reacting, integrating security into company culture on an unprecedented level. First off, yes, this is great; improving your security is essential to meeting your customers’ expectation that you will keep their information safe.

The trouble is, the infrastructure of most organizations is not designed to shoulder bolstered security policies. IT managers (those of you reading this will understand) are being saddled with the extra responsibilities of maintaining an effective cybersecurity program and communicating with executives.

CISO Expectations and Background Qualifications

If your security staff has seemed stretched rather thin as of late, there’s a pretty good chance your organization is ready to hire a Chief Information Security Officer. Their role is to bridge the gap between the ground-level processes and the overall business strategy composed at the C-level.

1. Expect Your CISO Candidate to Add Value to Your Business

Hiring a CISO is no small investment; the average salary for an in-house specialist sits right around $200k and can be as high as $400k depending on where you’re headquartered. Possibly the biggest consideration when faced with footing such a bill is how this individual can add value to your business. First and foremost, your CISO prospect must view your financial institution as a business. Their primary role is to bolster your security program at the best possible price, giving your company the best possible ROI on additions to your cybersecurity program. So search for someone who has this business-objective perspective as well as an unparalleled understanding of designing and implementing security policy that can lower the risk of a breach.

2. Effective Communicator

It’s no real surprise that communication skills are a necessity in any position, but the communication skills required of a CISO are somewhat unique. The world of cybersecurity is filled with jargon approachable only to select experts. As the bridge between the technical world and the executive office, a CISO must be able to translate these complex technical terms into a manageable dialogue for decision makers and board members. This bridge of communication extends further than that as well. One of the biggest benefits of a CISO is that they become the single point of contact for all security issues. Streamlining this process is effective for both sides of the coin: as an IT manager, you can voice concerns and issues to someone who has actual decision-making power; as a CEO, you can receive insight into your security and compliance policies from the individual who heads the entire operation and is in the loop on business practice.

3. Balance of Risk and Compliance Using Software Tools

An adequate CISO candidate must demonstrate an understanding of the balance between compliance and risk. If there’s one thing we learned from the overwhelming number of data breaches in 2016 and 2017, it’s that just because you’re compliant, it doesn’t mean you’re secure. Sure, the two overlap plenty, and a CISO can identify those instances to avoid duplication of effort, but their role goes deeper than that.

Cybersecurity is far too complex these days to be handled without some sort of GRC software tool. Hiring someone with a proficient understanding of an IT security management tool gives your organization a huge leg up in streamlining your security and risk efforts alongside your cybersecurity compliance efforts.

Only a thorough understanding of both components of your cybersecurity program will keep you out of the headlines.

4. Certifications and Experience

Because of the multifaceted nature of the job, your CISO candidate needs to be as dynamic as possible. This means hiring someone with a degree outside of computer programming is not a bad thing; experience in the business management world is just as important. That being said, since the job is so technical, look to hire someone with a minimum of ten years of cybersecurity-related experience, complemented by time in a managerial position.

Certifications are usually a perfect indicator of both experience and expertise. The CISSP (Certified Information Systems Security Professional) is the gold standard for qualifying a candidate, but it’s not the only certification you should look for. Keep your eyes open for someone with multiple certifications (the most important being the CISM, CRISC, and the CISA). Remember, any sort of studying and learning is going to be useful; using these credentials as a criterion will give you a better indication of a candidate’s competence.

Hiring a CISO who not only fits your needs and expectations but also blends well with your company is not an easy task. The process, from seeking candidates to hire date, generally takes one to two years. Luckily, this does not need to be an in-house position. Rivial understands the qualifications of a CISO and is here to help in any way possible. Feel free to contact us or visit our website to learn more about our Virtual CISO services.
