
How to hire a CISO – for HR and IT executives

Hiring a CISO is like hiring the top general for an army just before a war.

Some generals stay in history as the greatest military leaders of all time, leading their armies from victory to victory and putting any attacker to shame.

Others cause loss after loss.

In this article, we will expand on the key hiring factors for any CISO – part-time, full-time, virtual or a service.

In the end, you should be looking for their ability to execute, their past performance, their past victories, and successes. But don’t omit their losses – it is important how they recover from them.

Clarify your requirements

What are your security needs? Does your company have a history of improving its defenses year over year, or is this the first time you are focusing on the topic?

If it is the first time, you probably have no experience working with security experts and no basis for selecting the best among them. Use this article as your guide.

Your most important requirements should revolve around your tech stack, or in other words, around the way your business operates from an IT point of view.

If your servers all sit in your own datacenter or on premises, you need someone with hands-on experience securing that kind of environment.

If your tech team has built your business entirely in the cloud and you rely on serverless architecture, you need someone with an entirely separate set of skills.

Don’t let the CTO select your CISO

Your CTO may be a key stakeholder in the CISO hiring process, but should be neither the one making the hiring decision nor the one to whom your CISO reports.

CISOs should report to the CEO, not to the CTO. If you place the CISO under your CTO or under your technical director, whatever their title may be, you will not have a CISO – just a technical expert doing the bidding of your IT team.

There is an inherent tension between IT and Security, and that tension must be managed, not eliminated. If you let IT control Security, the tension disappears and security decisions will be driven by what your IT team wants, not by what is more secure or best for the company.
