Entering the recruitment process as a CISO is a different challenge. They’re wary of gimmicky, marketing led jobs and brownfield sites, with no mandate for change. Katz, now owner of Security Risk Solutions LLC, says CISOs must first decide if they can step into an increasingly strategic role. Do they want to side-line their hard-earned technical skills in favor of developing softer skills “they have never been taught?”
If the answer is yes, and the role appears to be both interesting and challenging, Katz says applicants should consider the company and culture before commute and compensation. He adds they should ask if the role tactical, technical or strategic and if they can cope with a role likely to be up to 50 percent marketing and evangelism. He urges applicants to leverage connections, such as system integrators, to find out more on the firm. “Do your research,” he urges.
This view resonates with Seranova’s Clark, who says that “due diligence” is key to finding the right role, even if you find unwanted answers. That said, the direct CEO reporting line was critical, too, in signing on the dotted line. “It was the primary factor for me. Personally, I was not looking for a CISO role when approached by Seranova.”
“Security must be independent to be successful. One thing CISOs applauded me [on this role] was that the executive was ready to give them attention, the empowerment to make decisions and drive strategy,” adds Triant.
Argyle, a first CISO in two jobs at “very different stages of maturity,” believes this mandate and supported investment was critical in both jobs, while Brocaglia admits such jobs may only appeal to certain characters. “The first time CISO role is a very attractive position for a professional who is interested in building,” she says.
“If they are willing to roll up their sleeves and not worry about the size of their staff but rather the size of their influence and impact, they are better suited for the roles. For many cybersecurity executives, a first-time CISO role gives them an opportunity to move from being a second or third in command in a larger organization to finally running the show,” says Brocaglia
The road ahead for the CISO
What should a CISO know stepping into a first-time job, and what issues will they likely face? Clark tentatively admits that resources can be an issue, from compliance and governance down to managing security operations centers (SOCs) and data centers and understanding the nitty gritty technical details, such as AWS security components.
To succeed, he says, it comes down to knowing what you signed up for. “You have to be all-in - if you’re not all, in find somewhere where you are. For me, I am looking for an organisation not only where there’s a culture fit but where it's about iteratively getting better,” says Clark.
Sign up for CIO Asia eNewsletters.