With the increasing importance of the role of the Chief Information Security Officer, the expectations of hiring companies are also increasing. These are the most important qualities and skills that HR managers need to look for. […]
Are you looking for your next job as a CISO, preferably with more salary, better social benefits and more responsibility and respect at work? Then you need to know what skills and qualities potential employers expect from their CISOs in order to maximize your chances of getting the dream job. Here are the six most important qualities that companies look for in a CISO, according to recruiters.
Previous experience as a CISO
Today’s employers expect new CISOs to bring a wealth of skills to their position. According to Burke Autrey, partner and CEO of the IT talent agency Fortium Partners, companies are looking for experienced candidates who have already “worked several times in different companies as CISO”. In their previous positions, their responsibilities included “governance, compliance, monitoring/threat detection and incident response as a leader,” he says. Such CISOs have also gained experience in managing “budgets, human resources, interaction with other executives and the board, as well as cooperation with law enforcement agencies and insurance companies”.
“Our clients are looking for previous experiences with security breaches and how they dealt with them, where they may have overlooked something, how they reacted to it and how they strengthened the defenses of their companies,” agrees Michael Piacente, managing partner and co-founder of the recruitment consultancy Hitch Partners. At the same time, many smaller companies are willing to give security experts their first CISO jobs, provided they have the necessary skills.
Product security expertise
“Without a doubt, the most important skill is a thorough knowledge of application and product security,” says Piacente. “This is the ability to work with product development and engineering teams at a very deep technical level.”
This is especially true for technology companies. “Most of our customers are among the demanding, pioneering software companies where product and application security compliance, customer empowerment, and hiring new employees are key to the success of their platform,” says Piacente. “In their world, security is not just a necessity or a checkbox, but a function of their actual platform.”
The ability to anticipate risks
Another indispensable skill is knowledge of governance, risk management and compliance. “Companies want a CISO who understands the intricacies of a company on its way to certifications such as ISO, SOC2 or FedRAMP,” says Piacente. “An aspiring CISO must have gone through these processes to understand the intricacies of what the company needs and what it doesn’t.”
In general, companies want CISOs who can work on the basis of a philosophy of forward-looking risk reduction, says Piacente. “Such CISOs know what problems are looming on the horizon in terms of product security, regulatory compliance and possible threats.”
Ability to build trust with customers and partners
Aspiring CISOs also need to be able to demonstrate that they can help the company’s sales and marketing teams build confidence in the security of their products and services. For example, CISOs may be asked to fill out questionnaires that customers or partners send to review the company’s security procedures. “Many of our customers are software companies looking for CISOs capable of managing a company’s IT operations, including applications, business technology, infrastructure – everything,” says Piacente.
“While CISOs have traditionally been associated with a certain level of customer and partner support, this part of the CISO remit has increased rapidly and gained intensity over the past three years. About 80% of our searches involve some form of customer and partner support. We expect this trend to continue, as the CISO function will become an important driving force and collaborator throughout the company.”
Certifications, MBAs and a general computer science background
Many employers take appropriate certifications into account when hiring CISOs. According to Autrey, traditional CISOs with a technical/engineering background have often earned security-specific certifications such as CISSP (Certified Information Systems Security Professional), CISA (Certified Information Systems Auditor) or CISM (Certified Information Security Manager).
However, as the role of the CISO continues to evolve, risk-based and hybrid technical/risk-based security leaders are judged more on their experience, leadership, and boardroom skills than on their technical knowledge and certifications. Many CISOs consider the content of the certifications to be a good continuing education, even if they do not receive the certification. Employers should discuss certifications and advanced training as an element of a well-trained CISO.
When it comes to general degrees and certificates, “computer science is undoubtedly the most important element that employers look for in most CISOs,” says Piacente. “With our customers, many of the CISOs they hired started out as software developers and engineers, so they have a computer science background.”
Piacente notes that the CISOs of the cloud-based software companies with which his company cooperates, as a rule, have a deeper education in the field of software engineering or a corresponding technical/development background. “As far as certification is concerned, I can also understand this logic,” he says. “However, in the last five years, there has not been a single search in which we placed a CISO where any kind of certification was a fixed requirement. In the cloud-native area, this simply does not have a high priority, but with other CISO patterns it certainly makes sense.”
Many employers also want their CISOs to have a Master of Business Administration (MBA). “It may be surprising, but the reason that employers require an MBA from their CISOs is the upgrading of the role of the CISO in the last three to five years, where he plays a greater role in general business matters and reports to the management,” notes Piacente. “Although an MBA is not decisive for being hired as a CISO, it is certainly helpful.”
Interpersonal and social skills
Since CISOs need to work constructively with others in the company, employers are looking for people with solid interpersonal and social skills. This means that they “remain calm under pressure, do not question their authority and are able to translate the threats and consequences into business language,” says Autrey.
Today’s CISOs also need an important personality trait: empathy. “This means empathy with your internal organization, your external partners and potential customers,” says Piacente. “You also need to understand that not everyone understands security as you yourself do, and you need to be able to talk to these people, using terms that they understand.”
In addition, employers want their CISOs to be able to set realistic plans, goals and deadlines for their departments, and to be able to explain all this in clear, non-technical terms. “The audience with which the CISO has to work is extremely diverse, ranging from sales, marketing, the General Counsel and the Legal department to finance,” says Piacente. “If you try to build a wall around the company without taking into account the needs of others, your colleagues will not respect that. Rather, they will try to circumvent it. However, if you work with them to develop cybersecurity solutions that allow them to do their job while taking less risk, then success is inevitable.”