It's not uncommon to hear reference to “unicorns” when discussing candidates for the role of Chief Information Security Officer (CISO). Indeed, if finding the perfect CISO for your organisation is comparable to the hunt for a mythical creature, it's little wonder that recruiters are frustrated, and organisations are often left to navigate security risks without directive leadership.
If you're already struggling in your search, Savanti can provide an Interim CISO to support you. Where budget is a constraint or you have limited security resources, a permanent CISO may not be the answer for you just now, but instead, an on-demand security leader, otherwise known as a virtual Chief Information Security Officer (vCISO) might be the perfect fit.
Maybe you've already started your search for a permanent CISO, so it's worth taking some time to consider and prepare for the challenges you may encounter:
The changing cyber landscape
It's not surprising that candidates are considered rare since the requirements of the role are constantly evolving. Ever-increasing cyber security threats, new technologies and complex legal and regulatory landscapes require an adaptive and progressive leader to keep pace with the changes in the industry.
The requirements of the role have shifted away from being exclusively technical, to leading the business in strategic assessment of cyber risks and investment decisions. The broad scope of security is being reflected in CISOs moving out of technology departments and into organisational positions within the business.
Wide-ranging skills and experience
As the cyber landscape evolves, so too has the expected skillset for CISOs. Multidisciplinary skills are required to manage both technical & business controls and to clearly communicate security requirements to the Board. CISOs are required to have an almost mythical combination of hands-on technical experience, leadership capabilities, detailed knowledge of industry frameworks and best practices, as well as a long list of sought-after qualifications.
The pressure on candidate pool size is somewhat eased by increasing opportunities to progress from non-technical backgrounds, such as through governance, risk and compliance. However, it takes time for individuals to rise through the ranks and to gain the necessary expertise required. Similarly, many of the most desired security certifications, such as CISSP, are time-consuming to achieve. Whilst there is debate as to whether qualifications determine candidate suitability, for now, they remain central to job profiles.
Candidate pool size is a further challenge where specialist technology or industry knowledge is required, or where there is a requirement for security clearance, such as Security Check (SC) or Developed Vetting (DV) security clearance.
With such exclusive candidates, it's not surprising that cost is a major consideration in appointing a permanent CISO. There are significant variations in CISO roles, by organisational size, complexity and risk, but average full-time salaries are in the region of £125 – 160k per annum. Where agencies are used, the additional recruitment fees must be factored into headcount budget, which can be £30 - 40k + VAT.
Realistic lead times are long. The recruitment process for senior positions and specific skills and experience can be time-consuming. Search, assessment, through to offer can take 3-6 months, often followed by a 3-month notice period. Outcomes are not guaranteed, so it's realistic to plan for 9+ months to place someone into a CISO role.
Lead times are a particular consideration if the organisation is left with an unacceptable level of risk in the meantime, or if the requirement was triggered by an incident or recognition of a specific risk or exposure. In this instance, perhaps look into Savanti's Interim CISO or Virtual CISO consulting services to provide immediate support.
Be mindful that it may also take the newly appointed CISO 3-6 months to bed in and start adding value. We can support you by providing highly skilled and experienced consultants to advise your new-in-post CISO and ensure that your security objectives are met during periods of transition.
Once successful, the recruiter’s work is done, but it's worth bearing in mind that tenures for CISOs can be short. Candidates are clearly in high demand and will often be headhunted by competitors. Some may enjoy the challenge of setting up or transforming an internal security capability, but then look to move on once achieved; others will simply find the pressures and the expectations of the role too much and burn out.
Is it worth the challenge?
Having the right security leadership for your organisation can transform your security capability and ensure security risks are effectively managed. Whilst your quest may not be straightforward, being realistic about your requirements, exploring mitigating actions or alternative staffing solutions, and planning ahead for the challenges will help to ensure you are better prepared.
Security leadership for your organisation
Savanti provides security-as-a-service which offers a dedicated but outsourced vCISO, which can be very effective. This expert will support your information security activities as a CISO would, but in a proportionate way, offering a tailored service specialising in the wide variety of threats that you face.