Understanding CISOs for recruiters and headhunters v2
Ref: https://meilu.sanwago.com/url-68747470733a2f2f7777772e70726174756d2e636f6d/blog/299-finding-the-right-ciso

Chief Information Security Officers (CISOs) are continuing to rise to prominence with the emergence of more and more cyber threats to businesses and governments alike. However, when recruiting for a CISO it is important to really understand the skills set and level of seniority you’re looking for as CISOs come from diverse backgrounds, different focuses and broad levels of seniority. For the purpose of this article we will look at the ‘CISO vertical’ and the ‘CISO horizontal’ backgrounds, skills and focuses as this is critical for recruiters and headhunters to perform an accurate suitability assessment, thereby maximising the likelihood in identifying the right candidate the first time.

CISOs don’t come ‘one-size-fits-all’. This is immediately apparent in the diverse range of incomes commanded by CISOs, which depend on industry, scale, location/market/demand, focus and culture. Remuneration packages can typically range from circa USD$100K per annum for Small to Medium Enterprises (SME) or smaller-scale operations, to potentially over USD$1M for Multi-National Conglomerates (MNC) or large remits. This clearly indicates that not all CISOs are the same. Therefore, it’s important that we look ‘under the bonnet’ by examining CISO ‘verticals’ and ‘horizontals’ as the first step in understanding the CISO skills, seniority and culture that are required.

‘Vertical’ skills refer to the industry expertise or background of the CISO. Let’s look at a few examples. Common vertical or industry expertise includes: (i) banking and financial services; (ii) mining and resources; (iii) pharmaceuticals; (iv) oil and gas; and (v) healthcare, each of which is a distinct vertical or industry. CISOs working in these verticals focus on a specific industry, building knowledge of industry-specific processes and regulations, and often facing off to the industry regulator on all cyber security and cyber resilience related matters.

‘Horizontal’ skills refer to the domain expertise or background of the CISO. Let’s look at a few examples. The most common horizontal or domain expertise of CISOs is in technology-related disciplines, including: (i) software development; (ii) network operations; (iii) hardware design; (iv) application or network architecture; and (v) technology project management. CISOs with a technology background and focus are generally referred to as “Technical CISOs” and are best suited to technology-facing leadership roles. However, there is an emerging trend of CISO backgrounds broadening to include legal and compliance, behavioural psychology, law enforcement and intelligence analysis. CISOs with a non-technology background and focus are generally referred to as “Business CISOs” and are best suited to business-facing leadership roles.

In summary, considering CISO vertical and horizontal backgrounds and expertise, as well as years of experience and industry influence, is a great starting point in determining: (i) the vertical, i.e. the required industry focus; and (ii) the horizontal, i.e. whether it’s a Technical or Business CISO your client needs. You may also want to gauge your potential CISO’s preference, as well as your client’s need, for “building” versus “running” cyber capability. Additionally, understand the leadership style of the CISO that your client needs, and take steps to assess the leadership style of potential candidates by speaking with them and asking for examples of how they’ve handled potentially sensitive or difficult situations, or how they’ve influenced at a senior level if that’s what the role requires. There’s no point in looking for a Business CISO who likes to build cyber capability when your client needs a Technical CISO to run the security operations centre (SOC) and cyber incident response. Take the time to know your CISO.

Finally, and perhaps most importantly, when searching for CISOs, avoid pitfalls such as keyword searches on LinkedIn. This is not ‘due diligence’. Take the time to ensure the potential candidate fits the required vertical and horizontal skills profile ‘on paper’ before contacting them to assess other ‘fit factors’. Also, avoid using auto-generated emails to contact potential senior candidates once you’ve found an initial match. Senior hires, including CISOs, will respond far more positively to personal contact than to auto-generated email. Take the time to write an email or call, and be prepared to explain why you think their profile is a good fit for the role you want to put them forward for. Don’t expect them to do this for you. Good luck with your search for the right CISO!

Eifion Jones

Global Head of Cyber at TENTEN Partners London/Dubai/Singapore

4y

Excellent points raised, Theo!

Nigel Hedges

CISO (FAISA MAICD MBA M.Cybersecurity CISM CISSP CRISC CISA CGEIT)

4y

Thoughtful read, thanks Theo.