CISO: High-Leverage Leadership Hiring Means Either Selecting For Talent Or Else Wasting Millions Of Dollars

Here's a safe bet: even though you know your annual spend on vendor support, and how much you spend on coffee machine pods, you don't know what it costs to back-fill one bad CISO hire.

Let's define terms. The term CISO "refers to the most senior security leader accountable for an organization's information security strategy, program execution, and risk management" (2026 Global CISO Leadership Report). According to the same report, the level down from CISO in typical organizations is Deputy CISO or "NextGen," "[L]eaders who translate CISO strategy into operational execution, combining strategic alignment with hands-on program leadership. They typically manage teams of 5 to 50+ security professionals within their areas of specialization." About a third of CISOs report to a CTO or a comparable technical title, which means that roughly two-thirds report to a nontechnical executive or to the Board (which is also nontechnical).

The immediate takeaway from that definition is that a CISO is an executive, not a functional manager, and definitely not the 'senior doer.'

A "bad CISO hire" is an executive who fails to provide strategy, coordination, and (not or) leadership to the cybersecurity team, so that the team cannot adequately secure systems and intellectual property in alignment with the organization's risk tolerance. It may also be an executive who can't collaborate with the other executive leaders or with the Board.

Again according to the same report, an average CISO's total compensation is $686K in a private company and $814K in a public company.

When a company makes a hire for any position, there is a risk that the new hire will fail. We've covered this multiple times. It's unknown how much more likely a CISO is to fail than a CFO or another executive, but fail they do. And when an investor is looking at the talent roster of a prospective investment, the CISO is a role where a known quantity beats hoping the person works out. In short, you might have to replace the CISO.

For someone who will make about $686K to $814K, there is a tremendous and obvious business imperative to get that selection right. Not only are business operations at stake, but the Conference Board estimates that the cost of replacing a hire is 4.5 times total compensation. That figure covers staff time spent on the separation process, legal costs, the cost of compensating a less-senior acting leader, recruiting costs, candidate vetting, and so on.

Let's do some math. If the CISO makes $686,000 and the multiple is 4.5, then the turnover cost is $686,000 × 4.5 = $3.087MM. Run the same calculation on the public-company figure of $814,000 and it comes to $3.663MM.

Say that a different way. One CISO replacement costs the organization about three million and eighty-seven thousand dollars, and then you're paying a new CISO and hoping they don't fail.

Be honest with yourself: did you know it cost that much, or even anything close to that?

Your CISO selection process is suboptimal and a money-flushing exercise if you don't use the best possible talent assessment process.

A "best possible" CISO selection process is not a resume review to determine whether the person went to the right 'elite' university, worked at your competitor, or has an MBA. It is not promoting the next-most-senior deputy, and it is not a one-on-one interview with the CEO.

"Best possible" CISO selection means you assess every single candidate, yes every one of them, using a talent-based assessment. Then you identify your two to four most talented candidates. Only then do you do all the secondary stuff (resume review, CEO grip & grin, etc.).

Engaging in suboptimal practices means you are wasting money and time, and you're setting everyone up for failure. External investors might also engage outside counsel to review your suboptimal work.

You must engage in a talent-based, optimal executive assessment practice for your CISO hire. It is the only way to minimize hiring risk while maximizing CISO performance. A suboptimal approach produces exactly the opposite risk/reward balance: maximum hiring risk for minimum expected performance.

Creating an executive talent culture creates value, so we'll continue to discuss optimal talent-based CISO hiring practices.

Ask us how to get your next CISO hire right before people start asking you uncomfortable questions about why you flushed about $3.1 million down the drain.

(image credit: Epolk, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons)