Hiring a CISO is like hiring the top general for an army just before a war.
Some generals go down in history as the greatest military leaders of all time, leading their armies from victory to victory and putting every attacker to shame.
Others suffer loss after loss.
In this article, we will expand on the key hiring factors for any CISO – part-time, full-time, virtual or as a service.
Ultimately, you should be looking for their ability to execute, their past performance, and their past victories and successes. But don’t overlook their losses – how they recover from them matters just as much.
Clarify your requirements
What are your security needs? Does your company have a history of improving its defenses year over year, or is this the first time you are focusing on the topic?
If the answer is the latter, you have no experience working with security experts and don’t yet know how to select the best among them. Use this article as your guide.
Your most important requirements should revolve around your tech stack, or in other words, around the way your business operates from an IT point of view.
If your servers all sit in your own datacenter, on premises, you need someone with that kind of experience.
If your tech team has built your business entirely in the cloud and you rely on serverless architecture, you need someone with an entirely different set of skills.
Don’t let the CTO select your CISO
Your CTO may be a key stakeholder in the CISO hiring decision-making process, but should not be the one making the hiring decision, nor the one to whom your CISO will report.
CISOs should report to the CEO, not to the CTO. If you place the CISO under your CTO or under your technical director, whatever their title may be, you will not have a CISO – just a technical expert doing the bidding of your IT team.
There is an inherent conflict between IT and Security, and this conflict must be preserved and managed. You must not let IT control Security: if it does, the conflict disappears and every security decision will be based on what your IT team wants, not on what is more secure or best for the company.