How can enterprises improve security hiring?

Security hiring is tough and hiring a CISO is tougher. Expert Joseph Granneman reviews how CIOs can attract talented CISOs to an organization.

I am a CIO looking to hire a CISO for my company, but I am finding recruiting to be difficult. Our salary range for security hiring seems to be competitive, but what else can I do to compete for, attract and retain CISO talent?

Attracting a qualified CISO can be a difficult proposition. There is a steadily increasing demand for people to fill this position as more companies realize the importance of having strong information security management. Publicity around data breaches and mandatory compliance regulations continue to drive the demand for these information security executives. However, not all job opportunities are created equal, and CISOs are looking for several factors that will increase their chance of success in a new role. A CIO seeking a CISO can increase the appeal of the open position by tailoring it to accommodate these factors.

One of the first factors that CISOs will be looking for in a new position is how much influence and authority they will be granted. There is nothing more discouraging than working for a CIO who overrides important security decisions when under political pressure or when trying to satisfy an alternative agenda. This can create job dissatisfaction as well as ethical and reputational concerns for the CISO. A CIO looking to hire a CISO must be willing to delegate the authority to make security decisions.

Another factor that a CISO will be looking for is the organization's commitment to fund the information security program. Too many companies hire a CISO under the misconception that it will solve all of their information security problems. Although this is a good start, the CISO needs resources in order to have an effective information security program, just like the CIO needs resources to have an effective IT program. The CIO should be ready to discuss what percentage of the IT budget is spent on security and if the current spending will be adequate in the future.

Finally, the most important factor for a CISO will be the type of relationship that he or she will have with the CIO. A good working relationship may actually trump other concerns that a CISO may have with a position. This relationship must allow for a debate of ideas while preserving mutual respect. Both positions are under extreme pressure to produce results, and they have a much greater chance of succeeding with each other's support. Any CISO would jump at the chance to have this type of working relationship with a CIO.

Attracting a qualified CISO is not an impossible task for a CIO. When hiring for security, it's good to know the three factors that every CISO will be looking for in a potential opportunity: how much authority and influence the CIO will delegate to them, resources to actually perform the job effectively and, most important, a relationship with the CIO that is founded on mutual respect. A CISO position meeting all of these factors will have candidates beating down the door to get an interview.

This was last published in December 2014