How to Hire a CISO as Scrutiny Intensifies

by Jerry Bessette of Cyber Defense Labs and Bridget Choi

The role of the chief information security officer (CISO) in 2024  is evolving. With budgetary limitations, an increasingly complex threat environment, generative artificial intelligence (AI) tools, new regulatory mandates, a growing attack surface to secure, and a growing impact to the functioning of a business, a CISO has a crucial role within an organization. Expectations around the CISO role have expanded from a security and technology leadership role to one that is more akin to executive-level management of a broad business risk.

Recently, CISO’s performance has also come under scrutiny. One glaring example occurred on May 30, 2024, when US Senator Ron Wyden of Oregon wrote a letter to the Federal Trade Commission and the Securities and Exchange Commission asking the agencies to probe UnitedHealth Group for "negligent cybersecurity practices." He specifically criticized its CISO stating:

“(O)ne likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job. [name omitted] UHG’s chief information security officer (CISO), had not worked in a full-time cybersecurity role before he was elevated to the top cybersecurity position at UHG in June 2023, after working in other roles at UHG and Change Healthcare. Although [name omitted] has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise. Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.”

The role of a CISO in managing risk has never been more important, and the risk to a CISO in performing the role has never been more fraught. Given the complexity of the role, the multidisciplinary background needed, and outside scrutiny applied in the instance of a cyber incident, a hiring committee should consider:

• What are the qualifications of an appropriate candidate for the CISO role? 

• When do I retain a virtual CISO (vCISO)? 

• What role does insurance have in attracting and retaining CISO talent?

In this article, we seek to answer these questions.

What Are the Responsibilities of a CISO?

The term “CISO” only dates to the 1990s, when information security was emerging in response to widespread internet adoption in businesses—in lockstep with the proliferation of the cyber threat landscape. The role began as one designed to manage the technical aspects of information security. It expanded to include risk management, compliance, and incident response and resilience—as well as collaborations with business unit leaders, marketing, sales finance, and legal.

A CISO is now typically a senior-level role within an organization. A CISO’s responsibilities can be difficult to define as they vary by industry and company, but they can be responsible for establishing, maintaining, and implementing the enterprise strategy for information, cyber, and technology security.

Moving beyond a solely technical role, many CISOs are also expected to lead high-level discussions about security strategy and help internal business leaders understand trends and risks that impact the organization. In many organizations, a CISO may weigh in on technology risk, manage the remote workforce, oversee cybersecurity reporting controls and compliance, and manage security operations.

How to Find the Right CISO for Your Organization

The role of the CISO does not require specific educational qualifications like an attorney, accountant, or heart surgeon. However, most CISOs typically possess a combination of a technical education degree, cyber and information security certifications, and relevant work experience. They should also exhibit an executive leadership skill set.

Some key skills for a CISO include:

• Leadership: A CISO may lead a large security operation in the organization (including dealing with a scarcity of talent) or manage an outside security provider (where control is more limited). Good leadership skills and experience are essential.  

• Strategic Thinking: CISOs must have a long-term vision for cybersecurity and be able to build a road map for continued adaptation of an organization. They must understand the organization's goals, budget, and risks, and develop a comprehensive cybersecurity strategy aligned with business objectives. 

• Risk Management: Understanding and managing the risk of harm is a key attribute to a successful CISO. They must also have the ability to recognize the need for an outside assessment of the risk profile and test the team assumptions. 

• Technical Expertise: While CISOs may not be hands-on with technical tasks, they should have a solid technical foundation in cybersecurity to oversee security operations effectively. This includes understanding various security technologies, industry standards, and emerging threats. The importance of experience within the industry sector cannot be overstated. 

• Communication: Effective communication skills are crucial for CISOs. It’s essential for a CISO to distill complex cybersecurity and technological concepts to both technical and non-technical stakeholders, including executives, board members, and employees.  

• Collaboration and Relationship Building: CISOs cannot operate in a vacuum. They must be able to work with other business units to address cross-functional issues, as well as compliance, audit, business continuity, disaster recovery, and finance concerns.  

• Broad Business Acumen: CISOs should have a strong understanding of the organization's business operations, industry landscape, and regulatory environment. This enables them to align cybersecurity strategies with business goals, effectively manage budgets, and navigate compliance requirements. 

• Creative Problem Solving: CISOs encounter complex cybersecurity challenges that require analytical and problem-solving skills. They must be able to assess situations, identify root causes, and develop innovative solutions to address security issues effectively. 

• Growth Mindset and Adaptability: The cybersecurity landscape is ever-changing, with new threats and technologies emerging regularly as well as new reporting and privacy regulations. CISOs should be adaptable and willing to continuously learn and update their knowledge to stay ahead of evolving threats and industry trends. 

• Ethics: As recent examples have underscored, CISOs must adhere to high ethical standards and demonstrate integrity in handling sensitive information and making security decisions. They must have the ability balance data protection compliance with costs and, sometimes, the drive for innovation.

What Is a Virtual CISO?

Some organizations may consider a virtual chief information security officer, or vCISO. A vCISO is a cybersecurity expert contracted by an organization to manage its IT security and compliance programs. VCISOs can provide the same level of expertise and guidance as an in-house CISO, but on a remote, on-demand basis. They can be a cost-effective solution for organizations that want to benefit from a seasoned professional's expertise without the resource requirements of a full-time hire.

When to Retain a vCISO

A vCISO can be a great option for companies, large and small. Small- to medium-size companies may not need a CISO 40 hours a week or may not want to incur the cost of a full-time CISO. These organizations can purchase the amount of time needed to perform certain functions. Retaining a vCISO offers the benefit of having a CISO, while providing savings. Another advantage is that a vCISO has diverse experience from multiple environments, as most support multiple organizations.

A vCISO can also be used in large organizations that already employ a full-time CISO. In this case, the vCISO is used for specific projects or initiatives, such as a movement to the cloud or network segmentation, while the full-time CISO is fully engaged in the high priority day-to-day operations of securing the organization. With the digital transformation and companies offering remote and hybrid work, CISOs may find it advantageous to supplement their expertise with a vCISO who has experience with cloud and application security or managing the security risks associated with emerging technologies like automation and machine learning.

When retaining a vCISO, first determine the candidate’s training and certifications. We strongly recommend hiring a vCISO who has previously served as a full-time CISO for a similar type of company. It’s also important to understand how many clients the candidate supports as a vCISO and how your organization would be prioritized against the other clients. Lastly, inquire about the support the vCISO would have from their company to back them up or provide surge support if needed.

What Is the Role of Insurance in Attracting and Retaining the Right Talent?

In January 2024, a joint IANS/Artico survey of 663 CISOs in Canada and the US found that 75% were open to changing jobs, an increase from 64% a year earlier. It also found the number of CISOs satisfied with their job and company fell from 74% to 64% over the same period. Many CISOs are concerned about personal legal exposure stemming from the role, and they will demand protection for personal liability. Without adequate protection from a comprehensive directors and officers (D&O) insurance that includes coverage for CISO personal liability, it will be difficult for companies to retain talent. And liability will continue to be an issue as CISO performance continues to be scrutinized and as enterprises continue to have impactful cyber incidents.

D&O insurance policies cover the company and its directors and officers for personal liability for shareholder litigation—or securities regulator investigations into acts within the role of a director or officer.

While a CISO has the term “officer” in their title and has responsibility for a broad business risk, CISOs aren’t always considered an officer of the company. Officers are named in an organization charter or corporate bylaws—not just appointed by title. We recommend reviewing your D&O policy with your broker to determine whether the policy coverages are adequate for the risk and responsive to the role of a CISO. The protections offered by a comprehensive D&O policy are imperative in retaining top CISO talent.

Cyber insurance is also a key asset to the CISO and a point of inquiry for any CISO talent. The State of the CISO report demonstrates that across the board, CISOs are having to do more with less. Cyber insurance is not just a risk transfer mechanism, but a modern policy also paired with active cybersecurity support. Many carriers now have threat intelligence embedded in their teams, advanced attack surface management services as part of the services offered with the policy, security operation centers available in house and available at a steep discount, tabletop exercises, and in-house digital forensic consultants. As risk evolves, so has the creativity in risk management of the insurance carriers. Any CISO with a limited budget will want to be involved in the insurance procurement process and use the discounts and tools as part of their security program.

Cyber insurance also is a key element to any disaster recovery and business continuity planning. Cybersecurity business continuity planning is when businesses build processes and technical contingencies to minimize the impact of cyber disruptions on operations, finances, and reputation. Having a comprehensive cyber policy that covers business interruption and contingent business interruption is an element of a comprehensive plan and an important asset for any CISO.   With a comprehensive policy the CISO can ensure that even if all the technical contingencies fail that the business can stay afloat even when operations are halted.

Lastly, cyber insurance provides a point of validation from the insurance market on the controls and cyber security posture in place, which can be a catalyst or cudgel for any CISO to use. The insurance application process is a self-assessment crafted to identify and assess the potential for cyber threats, vulnerabilities, and risks to critical assets and systems. The CISO can use the application as another look at the entity’s posture and make the argument for more budget or to speed up the security road map or alternatively justify the spend with favorable coverage term and lower premium.

Key Takeaways

As the role and scrutiny of the CISO continues to grow, it is important to retain the right person to manage such a large business risk. Our key takeaways when it comes to hiring and retaining CISOs are:

• Make sure the CISO candidate has the right mix of technical and business skills and relevant industry class experience.