Time to Hire a CISO… Where to Start?


By Joe Supervielle, Marketing Communications Consultant, The McCormick Group

Figurative goons and mythical mid-level IT heroes aside, cybersecurity threats are real. They constantly weigh on organizations and their CEOs. Protecting data of customers and employees, financials, and intellectual property is a serious task.

“Countless dollars and the company’s reputation are at stake,” said Deborah Page, a CSO-listed security principal who heads the technology executive search practice for The McCormick Group. “Until recently many companies have dumped the task on their IT department/Chief Information Officer. Now CEOs understand they need a dedicated security executive to develop a formal digital and cybersecurity strategy to protect that data. But they don’t know where to start.”

Page stressed the need to be proactive and hire now, rather than reactive, waiting until after there is a breach or IT crisis. Still, creating a new Chief Information Security Officer role and determining who can fill it is uncharted territory for many.

“CEOs and I joke that a CISO does a lot more than remind employees not to use their dog’s name as their password,” Page said. “They need to be a business partner with a holistic approach.”

In addition to technical expertise, soft skills and managerial acumen are critical for success:

  • Communicate clearly with the C-Suite and Board to gain support among all key strategic leaders.
  • Make a full assessment of current capabilities – and vulnerabilities.
  • Architect a cybersecurity strategy that addresses those concerns.
  • Execute efficiently as a decision maker. Choices between purchasing products vs. services, outsourcing the grunt work vs. building an internal team, and balancing assets vs. cost are crucial to long-term success.
  • Coordinate between senior management, general counsel, and media relations to develop a response plan before a cyber incident happens.

Once there is an outline of what you need a CISO to accomplish, it is easier to define, search for, and evaluate the best candidates.

But it’s not over. Making an enticing offer in a field that’s big on demand and short on talent is another challenge.

“Even after you know what you need and find the person that can do it, there’s still a hurdle to ensure the compensation is fair and accurate based on the marketplace and skillset,” Page said. “The supply/demand favors the candidates, and they know it. I talk to top cyber experts every day. Beyond compensation, they’ll only consider making a move if the hiring company demonstrates they are fully committed and will empower them to get the job done.”

When a CISO steps in with the executive presence to see the big picture and the technical knowledge to execute the details, the burden on the CEO and IT department is eased.

The data is secure.

“As secure as it can be. It’s not like you implement one solution and think you’re set. Cyber threats continue to evolve. Your new CISO will be there to make sure defense and response capabilities evolve too,” Page concluded.

No goons needed.

Deborah Page can be reached at dpage@tmg-dc.com for a conversation on how to plan your CISO search.

About the Author
Joe Supervielle is a marketing communications consultant, currently working with The McCormick Group’s technology executive search practice.
He can be reached at jsupervielle@tmg-dc.com.