CISOs are distinguished by their ability to define a vision, secure support for that vision with the board and the C-suite, marshal the resources and talent required to translate that vision into reality, and engage the broader employee population to become champions for information security.
CIO: How do companies compete for, attract and retain top CISO talent?
MC: Exceptional talent in the CISO space is scarce. To attract the best candidates, companies must consider these tactics:
- Sell the vision for the role - CISOs will gravitate towards unique opportunities that stretch their capabilities and demonstrate impact against meaningful objectives. A clear vision that articulates this opportunity is essential.
- Ensure direct engagement of the CEO in the recruitment process - A strong message of strategic commitment must come directly from the CEO, who should play a vital role in the final assessment and recruitment of the finalist candidate.
- Prepare to pay for top talent - Scarcity is leading to rising pay for CISOs, with an annual cash compensation range of $400,000 to $600,000. Leading executives at top firms now often command annual compensation packages of more than $1 million.
CIO: How are CISOs positioned for success? Are there specific support resources and environments that are better-suited to helping CISOs and their teams be successful?
MC: To be effective, cybersecurity must exist as a broad organizational priority that engages all employees. The following factors are critical for success:
- Reporting Attitude - At minimum, the CISO must be a prominent member of the chief information officer's, chief risk officer's or general counsel's leadership team.
- Board and C-Suite Exposure - CISOs must maintain a consistent presence with the board and executive committee. Lacking this presence, CISOs will lack the influence and connectivity needed to ensure a forward-looking approach.
- Distributed Deployment - Cybersecurity readiness does not result from an isolated group, but rather a continued presence in the business units served by the CISO. Additionally, business unit-specific cybersecurity teams must maintain strong ties to company leadership for the entire operation to be effective.