
What should you look for in candidates for a CISO position?

The CISO position can be tough to fill, especially when enterprises set high expectations for the candidates. Expert Mike O. Villegas discusses key CISO qualifications.

I'm in HR and my company is looking to hire a chief information security officer (CISO). I'm curious about what qualities and backgrounds beyond technology we should look for in candidates. Are there specific types of executive roles that can give a potential CISO the proper enterprise experience? Should a business degree be a requirement to give better standing with the other c-levels?

Hiring a CISO is a laudable goal. It implies executive management realizes the value of having an executive-level position for information security. The CISO is an executive who provides expert guidance to other c-level executives on matters of risk, compliance and information protection, framed in terms of the business's strategic and tactical objectives rather than in purely technical terms. Security practitioners are typically technical in nature but do not generally have access to c-level executives, so the CISO position helps fill that gap.

A security professional could potentially grow into the position; however, the Peter Principle (the observation that people are promoted on the strength of their performance in their current role rather than their aptitude for the next one, until they reach a role they cannot perform well) is generally the reason internal upward mobility to the CISO position has had limited success. So what qualities, experience and educational background should a prospective CISO have?

Ideally, a CISO should have a combination of business and technical skills that allow for competent contributions and guidance with both IT and executive management. A successful CISO will be able to incisively translate technical challenges and strategies into business terms. Some specific recommended qualifications for a CISO include:

  • Degree in accounting or an MBA, plus a degree in CIS or information security;
  • CPA, CISSP, CISM, CISA or PMP certifications;
  • CFE, CEH, GPEN or CRISC specialized certifications;
  • Ten years minimum experience as a CISO, information security engineer or security consultant. Big 4 senior managers or partners from a systems assurance practice would be an added plus; and
  • Membership in ISSA, ISACA, (ISC)2, OWASP or CISO forums.

As difficult as it may appear to find an individual with this background, these are the qualifications that can make or break a CISO's success in the role.

A candidate for a CISO position needs to be incisive, diplomatic and confident. They should have high technical acumen and be passionate about information security, but not so quixotic or dogmatic that it would call their credibility into question.

CISOs need to understand business, especially the business culture, goals and strategies of the enterprise. They need to build a work environment in which the employees share -- or at least support -- their passion for information security. They must be able to make decisions and not kowtow to executives.

Finally, CISOs should be independent thinkers who are able to lead by example and not just manage by objectives.

There are many great candidates with these qualities and qualifications in the market today; it's just a matter of finding the right one.


This was last published in October 2015
