How to hire a good CISO: a short – but informative – guide

The deluge of cyberattacks hasn’t abated. Before we discuss what a CISO does and the different ways you can bring CISO expertise into your organization, let’s take a quick look at the current threat landscape.

As ever, we continue to be pummeled with scary news articles about companies suffering data breaches, ransomware attacks, DDoS attacks and vulnerability exploits.

It seems no industry is safe. We’ve read about attacks hitting hotels (Intercontinental), restaurants (Arby’s), telecommunications (Verifone, Verizon), healthcare (21st Century Oncology, who have incidentally filed for bankruptcy since the attack), education (WSU) and retail (Brooks Brothers, Kmart).

When we read these types of stories, we naturally want to identify similarities with our own organization to help us gauge our own exposure to cyber threats. The question is simple: should a similar threat pound on our own doors, will we hold it off?

We also want to underline any key differences. There is one bogus difference that is often cited, and it gives a false sense of security. This is the argument that ‘We [insert firm name here] will not be hacked because we are not a global mega brand.’

The media cover the big sensational stories of cybercrime. The vast majority focus on attacks against big global brands or attacks involving millions of victims. You would be forgiven for thinking that attackers only focus on the big guys out there, but it’s not true. While some cyber criminals specifically target big fish, the vast majority will go after the rest of us, simply because we are vulnerable (e.g. WannaCry, which spread indiscriminately to any unpatched system it could reach).

This is just one reason why having a senior cyber expert, such as a CISO, on hand to help you understand your true exposure to risk and ensure you are adequately protected from real threats can literally save a company from a cyber nightmare.

What does a good CISO do?

Organizations don’t just want someone to add a layer of security on top of performance-enhancing strategies. They want a senior thought leader who not only understands the business opportunities for their specific organization, but also has a proven track record of implementing the security processes required to ensure steady business continuity and growth.

There are many responsibilities that are passed on to the CISO, but let’s discuss the three most important roles a CISO plays.

First, a good CISO is a cyber risk expert. A CISO’s prime responsibility is to ensure that the organization’s IT architecture is running at the appropriate risk level. They take into account the confidentiality, integrity and availability of data and figure out how best to secure it in line with business objectives.

Once your overall security posture has been assessed and benchmarked – via interviews as well as penetration tests, access control reviews, and vulnerability scans – your CISO should provide clear remediation recommendations that are most appropriate to your specific organization.

Second, a good CISO gets compliance. Your CISO should be able to confidently assure your business that it complies with all the regulations that impact its services and product offerings, be that HIPAA for healthcare, PCI for the retail industry, or GDPR for data processors.

Your CISO representative, familiar with all the regulations, should know how to speed through the glut of red tape involved in achieving compliance.

And finally, a good CISO will also make sure you have a solid plan in place should a cyber incident occur. This last component should not be overlooked. When a firm is under attack, there are literally hundreds of decisions to make in a very short amount of time, many of which have a drastic impact on how your business partners and customers work with you. Having a plan in place alleviates confusion, streamlines efforts and reduces the overall consequences of a cyber attack.

Options for hiring a CISO

When it comes to hiring a CISO, there are three options available to most organizations:

Option 1: Hire a full-time CISO
This option is suitable if you have the budget (full-time CISOs are expensive and highly sought after), the head count, and know exactly what you are looking for.

We strongly recommend you use a trusted vetting service and industry recommendations. Look at past work experience and training certifications. Where possible, reach out to past employers to get a sense of the candidate.

Where possible, set up controlled cyber test scenarios for the interview candidates to comment on, to get a sense of their decision making under pressure. Plus, get a feel for their business acumen – their understanding of risk should be directly tied to business objectives.

Option 2: Hire an external CISO
This option is perfect for those companies who want CISO expertise on demand, without having to hire a full-time employee.

The advantage of this approach is that you are bringing in a vetted security consultant who has access to the latest tools, training, research and approaches. CISOs who hail from reputable IT security consultancies have the added advantage of being part of a network of cybersecurity experts, which vastly increases their knowledge and reach on many topics, from compliance to risk assessments.

Plus, their exposure to many different network configurations and security architectures also works to broaden their understanding of security and risk. For the best advice, ensure the consultancy is fully independent (without any vendor or service affiliations) and well established.

Option 3: Wait for an incident before hiring a CISO
This is not a recommended approach. When hiring a CISO to clean up an urgent cyber mess, time is a key factor. Waiting until you have a cyber emergency on your hands to find and vet a CISO, and then bring them up to speed, is, in our view, not a great use of time.

It can lead to mistakes.

For example, you’ve got to find a CISO quickly, and that often means skipping several vetting steps before offering unfettered access to your compromised network. Plus, your chosen CISO will need time to understand your architecture, your existing security implementations and what you already know about the attack.

TBG Security are experts in comprehensive IT security, risk assessment and compliance services. We also provide the highest quality CISO on-demand services. We are a fully independent cybersecurity firm with 20 years’ experience providing cyber security consultancy and services across North America.

Get In Touch

Need more information? Have a specific question? We’re here to help.
