What savvy hiring execs look for in a CISO today

Few business challenges today are greater than serving as an enterprise CISO, with its demands to deliver cybersecurity perfection in an environment that rules such possibilities out. Today’s CISO must set security policy, with almost no authority to enforce it across business units. Moreover, the CISO must act as a diplomat to those business units and serve as explainer-in-chief to more senior executives, as well as the board of directors, many of whom have zero interest in listening to a security briefing.

Is it any wonder then why CISO job dissatisfaction is on the rise and many are clamoring to split the role?

And yet, there is arguably one task even more difficult than being an enterprise CISO: hiring an enterprise CISO.

Atefeh “Atti” Riazi is the CIO for media enterprise Hearst, which reported $12 billion in revenue last year. In her enterprise, the CISO reports into — and is hired by — the CIO. Riazi offers one of the more colorful yet accurate descriptions of the difficulties in hiring the modern enterprise CISO: “The CISO position requires someone somewhere between Mother Teresa and a kamikaze pilot.”

Anatomy of the evolving CISO role

A big part of the challenge is that enterprise CISOs today have multiple roles and many of those roles require sharply different skillsets, talents, and experiences. One way to view it is that CISOs have an internal umbrella role and an external umbrella role.

The CISO’s internal roleis easier to explain. It involves running the IT security department and making a wide range of cybersecurity decisions for the enterprise. It is a line-of-business (LOB) executive. The external roleis where a lot of CISOs run into trouble. That umbrella includes interacting and persuading every other LOB executive to embrace the CISO’s security policies. It also includes explaining policies — and apologizing for mishaps — to customers and clients. And it includes interacting with other senior executives, including the CIO, CFO, COO, Chief Counsel, Investor Relations, Compliance, and the CEO and board of directors. It also requires interfacing with cyber insurance company officials plus the SEC and just about anyone else who has an interest in the company’s cybersecurity policies. 

But for the hiring executive, this challenge gets much worse. That executive has to first determine the percentage breakdown for the CISO in terms of time spent dealing with internal versus external tasks. Most hiring executives want CISOs to spend the vast majority of their time (often up to 80%) on their external role. That means the CISO must hire many senior lieutenants to run the day-to-day operations of the IT security department. 

The skills question: A nearly impossible mix

Given that, what skills are required to be an ideal enterprise CISO today? CISO hopefuls must have sufficient mastery of all matters cybersecurity to make the right decisions and hire the right people. After all, they set the cybersecurity agenda. 

But for the external portion of the CISO role, the candidate must have magnificent persuasive and communications skills, as well as a deep understanding of the business and how every LOB functions. The CISO must also have enough mastery of cybersecurity details to be able to simplify a concept to explain to the board, but do so in a way that is precise and accurate, delivering all needed information in a compact, relatable way. 

Riazi’s CISO hiring priorities are leadership skills, the ability to persuade the board, and strong executive leadership on cybersecurity policies. “I don’t look for someone who has all the certs. For that, they can just hire the right people,” she says. “Resumes are just one small part of the process. I need to know how they understand risk.”

Unfortunately, many organizations solely view the CISO as a cybersecurity technology expert, ignoring the far greater diplomatic persuasion role.

On May 30, in the wake of the Change Healthcare catastrophe, US Senator Ron Wyden sent an official letter to the heads of the US Federal Trade Commission and the Securities and Exchange Commission in which he singled out United Health Group’s CISO, questioning the executive’s credentials to hold the job.

“One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job. [Name omitted] had not worked in a fulltime cybersecurity role before he was elevated to the top cybersecurity position at UHG in June, 2023, after working in other roles at UHG and Change Healthcare. Although [the CISO] has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise,” the senator wrote. “Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.”

Right or wrong, the letter illustrates how many officials incorrectly see the CISO role as the head of the Security Operations Center or someone overseeing cryptographical strategy. It has evolved to be a far broader role and much of the value comes from persuasion skills. Technical skills are appropriate, but if the hiring executive must make tradeoffs when hiring a CISO, what trade-offs should be made?

“We’ve gotten to the point where nobody is sufficiently qualified to be a CISO. We are asking these people to be experts in cybersecurity, information technology, data privacy, AI, governance, risk, compliance, and business. Although they are rarely lawyers, we want them to be able to interpret and comply with myriad frameworks, industry standards, state, federal, and international regulations,” says Brian Levine, managing director at Ernst & Young overseeing cybersecurity. “Although we do not leave them with sufficient time to read, we want them to keep up with technology that is changing on a daily basis. Although they are technology experts, we also need them to be stellar managers — to be able to manage global vendors, employees, contractors, counsel, executives, and board members. CISOs are doing their best, but nobody can really live up to these standards.” 

Cybersecurity consultant Michael Hasse also sees this problem as being all-but-unsolvable. He has seen some companies overly relying on certificates at the cost of deep field experience. 

“This leads to cybersecurity ‘experts’ who can regurgitate answers to pass tests but don’t actually have a real understanding of what they’re doing,” Hasse says. “It’s like somebody who’s driven their Honda Civic to work every day for a while with no accidents and thinks they’re a great driver, with no concept of what it takes to drive a big rig, or a Formula One car, or a train.”

Mike Scott, CISO of Immuta who previously spent seven years as CISO for Wendy’s, says the dual internal/external roles of a CISO today means that the hiring executive must look for as much diversity of experiences on a resume as possible. That might mean working in a lot of different departments or perhaps different industries, different geographies, and so on. 

“Understanding how every business [LOB] works and what their challenges are is critical,” Scott says, adding that the DevSecOps experience of being embedded in a business unit is an absolute plus. “It’s very foolish to have CISOs not wanting to understand the business as a whole.”

Balance and fit

Candidates seeking a CISO position today should be prepared to explain how they would persuade an LOB colleague to get on board with their enterprise security agenda.

One powerful technique, several experts say, is to notfocus on cybersecurity but to learn the LOB executive’s bonus compensation plan prior to meeting with them. Not the numbers, but the goals and objectives, and perhaps the percentages. Then the CISO can go into that meeting talking about the LOB chief’s objectives and then make a case as to why the CISO’s security proposal will help them make their bonus. That is the key to understanding everything you need to know about that executive’s priorities.

One of the trickier skills to evaluate when hiring is the candidate’s ability to explain complex concepts to the board, other senior management, regulators, and customers in such a way that the precision is not lost. 

Immuta’s Scott advises hiring executives to ask CISO candidates to explain a particular concept and then ask them to explain it to a board member with little cybersecurity background and then to a regulator and so on. It’s an important skill and it is also one that is almost impossible to fake in an interview. 

Scott spoke of his experience hiring a talented and experienced security engineer only to later discover that this engineer “was not able to sell a solution or even take a beating from a customer.” 

Why? Because the engineer’s expertise meant he was used to being the person in the room who understood the technology the best. “They have always been the expert and they couldn’t understand why people — board members, CFOs, regulators, etc. — don’t just believe them,” Scott says. “I told the engineer, ‘You have to get them to understand why you have the best answers. How can you take a concept and make sure that everyone gets it?’”

Morey Haber, chief security advisor for BeyondTrust, agrees that CISOs must be tested on customer-facing communication skills. “Some of my peers are good in front of everybody else, but when they are faced with a customer, they break down,” Haber says. 

Haber also suggests that hiring executives ask CISO candidates to not only list ways they improved businesses with cybersecurity, but to see whether they explain it using business terms or security terms. 

Various experts interviewed for this story questioned the value of certification programs, especially for enterprise CISOs. “I don’t believe in certs,” Haber says. “Some 20 to 25 years of experience outweighs anything you can put on paper.”

Still, for many hiring execs, technical acumen remains a vital part of the sought-after CISO mix. One of the key challenges, however, for the hiring executive is striking the proper balance — for their enterprise — between cybersecurity knowledge and being a good security ambassador. 

“In recent years, we’ve seen a dramatic shift toward more business-centric CISOs. I’ve observed several large companies appoint CISOs with little to no security or technical background, resulting in an ‘MBA CISO role’ with fewer technical requirements,” says veteran cybersecurity consultant Dave Venable.

Although “the ambassador skillset is hugely important in leading and building an effective security program — often lacking in the early years of the CISO title — it is remiss to neglect the underlying understanding of technical security today,” he adds.