How to Attract the Best Cybersecurity Talent
February 16, 2023 – Recruiting a chief information security officer (CISO) is crucial for any organization looking to protect itself from cyber threats executive recruiters say. The CISO is responsible for developing and implementing a comprehensive cybersecurity strategy, as well as overseeing a team of security professionals.
Finding the right CISO for your organization, however, can take time and effort as the demand for skilled cybersecurity professionals continues to outpace supply, according to a new report from Corsica Partners’ Andrea Rossi. “An experienced cybersecurity professional can also be a valuable asset in your recruiting process to ensure you find the right CISO for your organization,” said Mr. Rossi. To help you in your search, he provides some key and unique factors to consider when recruiting a CISO.
To be or not to be a CISO?
In today’s digital landscape, cybersecurity is a top concern for organizations of all sizes and industries. “A breach in security can result in significant financial losses and damage to a company’s reputation, putting sensitive customer and employee information at risk,” said Mr. Rossi. “This is why many organizations are now investing to hire a CISO to lead their cybersecurity efforts.”
If you do decide to hire a CISO, Mr. Rossi offers some key factors to consider during the recruiting process:
Technical expertise: The CISO must deeply understand cybersecurity technology and best practices. “This includes hands-on knowledge of network security, data protection, risk management, and also software development,” Mr. Rossi said. “Check twice if your selected CISO lacks practical, hands-on experience in a similar operating environment to yours. Experience with similar scale and complexity matters.”
Leadership skills: In addition to technical expertise, the CISO must also orchestrate the best people, process, products, and platform strategy while managing a team of security and non-security professionals. “The CISO must communicate effectively with technical and non-technical stakeholders and be able to inspire and motivate a team of people that are often not direct reports,” Mr. Rossi said. “Avoid the CISO-nerd, flashing an old world, long list of security certifications badge.”
Industry experience: Finding a CISO with experience in your industry can be helpful. However, Mr. Rossi notes that if you really want to push your organization forward and beyond the typical comfort zone, find a CISO from a more complex cybersecurity industry than yours. “Whenever possible, find a CISO that comes from a more cybersecurity-complex industry,” he said.
Andrea Rossi is the cybersecurity recruiting practice advisor for Corsica Partners. He is a leader in the identity and cybersecurity industries and a subject matter expert. Mr. Rossi served 20-plus years as a business executive and leader in the software industry. His experience includes start-ups and large, multi-national corporations as a result of successful company exits.
Cultural/expectation fit: As with any executive-level hire, it’s crucial to find a CISO who fits well with your organization’s culture and values. “This executive will be a key leadership team member, reporting to the CEO and perhaps even to the board of directors directly,” Mr. Rossi said. “Make sure the CISO can park their ego at the door and focus their confidence and experience on making your organization the priority, not their personal brand.”
Communication skills: Mr. Rossi notes that the CISO is the company spokesperson regarding the company’s security credibility and reputation. clients, business partners and regulatory agencies often submit inquiry to the CISO without much notice. “Make sure the CISO is a good communicator,” he said. “Test this skill during the hiring process.”
Related: The Hunt for Cyber Technology Leaders Heats Up as Risks Multiply
Following are some common mistakes organizations make when hiring a CISO:
Focusing solely on technical skills: “While technical expertise is important, it’s not the only factor to consider when hiring a CISO,” Mr. Rossi said. “Leadership skills, industry experience, and cultural fit are important qualities for a candidate.”
Not thoroughly evaluating candidates: It’s crucial to thoroughly evaluate potential CISOs, not only through interviews. “Don’t just rely on a candidate’s resume,” Mr. Rossi said. “Formal and informal, back channel reference checks and role-plays are essential to learn the ‘true spirit’ and capabilities of the candidates you vet. Add at least three reference checks and one role-play in the selection process. Indirect, back channel references can often reveal insights that are far more valuable than the typical prepared references.”
Hiring someone without cybersecurity experience: Mr. Rossi explains that it can happen when a company rushes to fill the position to tick the box or fulfill a time based objective, however, don’t do it as you will regret it later.
Failing to clearly define the CISO’s role and responsibilities: Before beginning the recruitment process, Mr. Rossi notes that it’s important to define the role and responsibilities of the CISO clearly. “This will help you attract and retain the right candidate,” he said. “Clarity of purpose and objectives is essential. Build a draft CISO org chart and discuss it with the candidates. Be open to adapting it. Test how the candidate responds to real-time planning, discussion and priority setting.”
Trusting your head hunter well beyond their limits: Your trusted head hunter knows your company inside and out but typically they may not possess the depth of cybersecurity experience required to effectively deliver the best, most credible candidate, according to Mr. Rossi. “While they might be exceptional in finding sound general-tech executives, they typically cannot spot the important evil in the cyber risk details,” he said. “Support your trusted head hunter with an additional, cybersecurity-savvy resource to consult during your selection process. Pick a cyber-specialized recruiter otherwise.”
Heightened Demand for Cybersecurity Leaders Keeps Executive Recruiters Busy
Increasingly, organizations of all sizes are awakening to the perils posed by cyberattacks. For years, many groups tried to ignore the problem, dismissing cybersecurity as a concern only for the biggest, most high-profile entities, be they government or corporate. These days, more groups are coming to understand how ruinous such intrusions could be and cyberattacks show no signs of abating.
There are several reasons why it’s important for a recruiter to have specific cyber skills when hiring a CISO. “A recruiter with specific cyber skills will have a thorough understanding of the cybersecurity industry, as well as the ability to evaluate a candidate’s technical expertise, leadership skills, industry experience, and cultural fit,” said Mr. Rossi. “A recruiter with cyber skills will likely have a network of contacts in the cybersecurity industry and the credibility to convince them to join your organization.”
Conclusions
There are many recruiters that “specialize” in CISO roles. Only true practitioners and subject matter experts, however. can discern and confirm the specific cyber skills required of an enterprise-level CISO, according to Mr. Rossi. “The subject matter expert’s knowledge and expertise can help you go beyond the standard vetting process,” he said. “The discipline to insist on deep, practical experience as part of your vetting process will ensure you are truly attracting the best talent and evaluating candidates’ skills and competencies properly to protect your organization with the leadership it needs to guard against cyber threats.”
Founded in 2006, Corsica Partners is an executive search, recruitment process outsourcing and growth advisory firm. Corsica Partners serves Fortune 500 brands and privately backed technology companies across the globe. Its partners are all former technology executives who spent decades building, growing and leading businesses. Corsica Partners’ search expertise extends from the boardroom to the back office, encompassing roles in the C-suite to building and scaling across business functions, including sales, marketing, finance, human resources, engineering, and product teams.
Related: Hiring Top Talent In Unprecedented Times
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media