Light Dark
April 20, 2017 By David Strom 2 min read
CISO

One of the most critical hires of any IT-related job is usually the chief information security officer (CISO) or chief information officer (CIO). But the decision to hire these executives is one CEOs and boards of directors typically do not want to make. This decision is often made during a crisis of some kind. It could result from a knee-jerk reaction to a major security breach or a new CEO’s desire to clean house and set a new strategic path.

On his blog, Froud on Fraud, David Froud referred to the CISO as the “chief impending sacrifice officer.” The reason for the snarky interpretation of the acronym is simple: Too often companies are looking for a quick fix to their security policies and want a new CISO to come in and sort things out. This doesn’t bode well for the CISO, who usually ends up “paying the price” by eventually being fired for not meeting expectations. It doesn’t help that CISOs can sometimes lose sight of corporate business objectives and speak a different language than their corporate superiors.

Listen to the podcast: Directors Are From Mars, CISOs Are From Venus

Breaking Down the Search for a CISO

The hiring decision is really a two-pronged process. First, the enterprise needs to find the right person for the job, and that person must decide whether the job is right for him or her. “By far the biggest challenge for organizations in hiring a CISO is doing it for the right reason(s),” Froud wrote. “Unfortunately, the reason, 99 times out of 100, is a necessity.” The time to really understand this is now, during normal operations — not during a security breach or other IT crisis.

The first step is to think of this hire not as the person, but as the function needed within the organization. That can be difficult because CEOs and boards of directors typically aren’t used to thinking about these functional areas and prioritizing which specific projects need the most help.

In another post, Froud categorized companies into three different focus areas: planning, execution and optimization. Depending on where a company’s security program is in this continuum, the focus areas require very different kinds of CISO in terms of skills and personality. The planner, for example, is good at getting a program started, writing an initial security governance charter and selling it to the executive suite. But he or she may not be prepared to ingrain security into company culture over the long term.

Bringing Big Ideas to Life

Once you know the kind of CISO you need, the next step is matching the right skills to refine your selection set. This might mean working with a series of different people as you move from planning to implementation.

The search for a CISO is not about hiring the right person. Rather, Froud wrote, “it’s about committing to an idea and doing whatever it takes to bring that idea to life.” CEOs and boards of directors facing the tough task of hiring a CISO should remember this excellent advice.

 |  |  |  |  |  | 
David Strom
Security Evangelist

More from CISO
February 3, 2025

CISOs drive the intersection between cyber maturity and business continuity

4 min read - The modern corporate landscape is marked by rapid digital change, heightened cybersecurity threats and an evolving regulatory environment. At the nexus of these pressures sits the chief information security officer (CISO), a role that has gained newfound influence and responsibility.The recent Deloitte Global Future of Cyber Survey underscores this shift, revealing that “being more cyber mature does not make organizations immune to threats; it makes them more resilient when they occur, enabling critical business continuity.” High-cyber-maturity organizations increasingly integrate cybersecurity…

December 30, 2024

CISO vs. CEO: Making a case for cybersecurity investments

4 min read - Ask CISOs why they think there is a cyber skills shortage in their organization, what keeps them up at night or what the most important issue facing the industry is — at some point, even if not the first response, they will bring up budgets.For example, at RSA Conference 2024, a roundtable discussion about issues facing the cybersecurity industry, one CISO stated bluntly that budgets — or lack thereof — are the biggest problem. At a time when everything is…

December 13, 2024

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature