Eighteen (18) Strategic Skills to Look for When Hiring a CISO

The role of a CISO (Chief Information Security Officer) is not only demanding, but calls for a candidate who has spent fifteen or more years in the industry. This experience is meant to guarantee their competence in protecting the organization's information and data, while safeguarding its services and ensuring timely disaster recovery.

In addition to this experience, the hiring team should be on the lookout for a CISO candidate with the following skill set:

[Image: What to look out for when hiring a CISO, by FixitGearWare Security] "The CISO intended to be hired must possess good leadership skills..." Image source: FixitGearWare

THE EIGHTEEN SKILLS A PERFECT CISO SHOULD HAVE:

  1.  Human Interaction and Communication:

    The CISO is responsible for overseeing all cybersecurity departments in your organization. Therefore, when hiring a CISO, ensure that the candidate not only has good leadership skills but also has experience interacting with junior team members (i.e. the full range of interpersonal communication skills).

  2.  Track Record in Managing an Organization's Overall Security Program:

    Since they will be responsible for managing the organization's security program, you want to ensure that their record (appraisals and experience) from past employment shows they can live up to expectations. This track record covers their red team skills, blue team skills, information security skills, managerial skills, and so on.

  3.  Experience in Human Risk Management:

    The CISO will be responsible for placing the right pieces on the chess board (the organization). It is important that they have solid experience in hiring and screening the right people for the appropriate departments, providing manuals and employee guides, ensuring that employees are regularly trained on information security breaches, and providing avenues for feedback.

  4. Experience in Inventory, Asset Classification, and Management:

    Taking inventory of assets, and defining how those assets are to be classified, is a major part of the CISO's role. The CISO is also responsible for the security controls placed on these assets, and for ensuring that they are regularly audited and accounted for. Therefore, deep knowledge of inventory management is a necessity when hiring a CISO.

  5.  Knowledge of Security Operations:

    All real-time security operations of the business are part of the CISO's job. This includes threat analysis, technology and asset monitoring, and the defensive chokepoints (firewalls) put in place as security countermeasures. The CISO must have a proven record showing that they have been exposed to such security operations challenges, since similar cases will be faced once employed by your organization.

  6. Understanding of Information Security Strategy:

    The CISO must be able to demonstrate proactiveness and a hardcore skill set in devising strategies to secure your organization well ahead of future threats. This should involve citing past projects in which they managed security breaches and incidents, forecast future breaches, and implemented adequate security in advance.

  7.  Experience in Identity and Access Management:

    The CISO must have skills in access and asset management, and demonstrate them in terms of what the business requires (for example, the medical and fintech industries require different IAM policies). When demonstrating this skill set, the CISO should be able to describe how IAM, authentication, and authorization would be implemented across the organization's assets.

  8.  Knowledge of Data Encryption and Data Loss Prevention:

    Your intended CISO should be able to demonstrate knowledge of the various technologies used to keep data safe through encryption. In addition, the CISO to be hired should be able to demonstrate knowledge of Data Loss Prevention through the implementation of policies, procedures, and advanced technology capable of halting intellectual property theft or sensitive data leaks.

  9. Deep Understanding of Fraud Prevention:

    Often, the CISO will face situations involving fraud prevention. These arise, for instance, when a terminated employee goes rogue and performs a malicious act, or from the nature of the services your organization provides (e.g. an e-commerce business). Although this will mostly fall under the fraud department, the CISO to be hired should be able to demonstrate in-depth knowledge of the various ways of implementing technologies capable of preventing fraud-related activity.

  10. Capable of Leading and Outlining Incident Response Strategies:

    The intended CISO should be able to demonstrate the ability not only to create an incident response plan but also to maintain it. This includes media and damage-control procedures, the team responsible for interacting with law enforcement, reporting the incident, and the proactive steps taken to resolve the issue. Beyond these, the plan should also cover the technical aspects of incident response.

  11. Understands the Full Expectations of Initiating a Disaster Recovery Plan and Instituting Business Continuity:

    The intended CISO should be able to demonstrate the technical approach to responding to a disaster, managing service disruptions, and ensuring that the business continues when an outage or disruption occurs. In addition, they should be able to demonstrate how to test these contingency plans to ensure that they are fully functional and pragmatic.

  12. Must Possess Deep Knowledge of Regulatory Compliance:

    Part of the CISO's job description is to ensure that the organisation does not breach any cybersecurity laws or regulatory requirements. Therefore, the CISO is expected to be deeply familiar with these laws, for example HIPAA, Sarbanes-Oxley, PCI DSS, FISMA, GDPR, and local regulations. Furthermore, the CISO to be hired must list the steps they would take to ensure that these requirements are not only met but continuously adhered to by the organization, if they are eventually hired.

  13. Demonstrates the Ability to Lead an Investigation Team:

    A CISO will often face the challenge of dealing with an information security incident. It is therefore important that, when hiring a CISO for your organisation, the hiring team looks for an expert who understands, and has experience in, leading the right investigation team when an incident occurs.

  14. Exposed to Modern Physical Security Practices and Technology:

    As cyber criminals craft various ways of infiltrating an organization, staying alert to an insider working hand-in-hand with external threat actors is good security practice. To ensure the safety not only of your organization's information and data, it is also important to monitor on-premises movement within the organization's environment and workspace.

    Achieving this requires not only perimeter security but also sophisticated technology capable of tracking human movement and interaction. When employing a CISO, ensure that the candidate not only understands the importance of physical security but also has up-to-date knowledge of modern physical security technologies and hardware.

  15. Able to Design Your Organization's Security Architecture:

    When hiring a CISO, ensure the candidate understands in detail an organization's security infrastructure and how it is implemented across various network topologies. This is because the CISO will be responsible for deciding where, why, and how various security countermeasures are used and implemented in the network topology, DMZs, air gaps, etc.

  16. Understands Various Deep State and Geopolitical Risks:

    A CISO has to ensure that any geopolitical risk that may impact security or compromise the organization's data is swiftly addressed. This includes a clear understanding of not procuring from or consulting vendors based in countries rumoured to be involved in conspiracy theories, or that have been politically sanctioned globally for involvement in violent threats or terrorist groups.

    While the intended CISO must demonstrate that they understand these geopolitical risks, it is also important that the hiring team does not seek to hire CISO personnel from the countries involved in geopolitical terrorist-related crimes or conspiracy theories.

  17. Able to Audit Your Organization's System Administrators:

    The CISO to be hired must demonstrate that they understand the key roles of a system administrator, and not only understand them but also implement ways of keeping the logs and actions of the system administrators they work with in an auditable manner.

  18. Able to Demonstrate Knowledge of Cybersecurity Insurance and Compliance:

    When hiring a new CISO, ensure that the candidate can demonstrate the skills to ensure that the company meets every security requirement, and that good insurance policies are in place in the event of an incident. These policies should not only be affordable but provide coverage for incidents if they occur, so that the company can make claims to resolve them.

While there may be other checklists or additional strategies to look out for when hiring a CISO (Chief Information Security Officer), at FixitGearWare Security we believe these are the most important skill sets for finding the right candidate to head the information and data security of your organization. Thanks for the read.
