CISO: You Can Believe It's Out There



All selection situations, and the hunt for a new CISO is no different, involve believing in a perfect candidate. The One. Our New Superstar. The Key To Our Success. Truly Exceptional.

Your CISO from that previous campaign was out there. You believed. You found that truly exceptional person.

Remember when the previous incumbent was that person? May have been, what, a few years ago, right? Whatever happened to that person?

We've written about this person many times before, such as here. Let's clear this up right now: at the time, yes, this person was The One on Day 1. That was a good call on the part of the hiring team.

Let's dig deeper: speaking entirely dispassionately, that person was relatively the best candidate, compared to other candidates, and was willing to accept your job offer. That's raining on your parade as a hiring team, but it's accurate.

How have things changed since then?

Recently The Wall Street Journal (behind paywall) wrote that "Record CEO turnover at U.S. public companies has put the biggest class of incoming chief executives in years at the helm of massive enterprises—and the newcomers are younger and less experienced than before." Rationale? "Younger makes sense to me, given the changes in the world," said Cindie Jamison, a longtime turnaround executive who sits on boards including Darden Restaurants and International Flavors & Fragrances. "Things are shifting and changing very dramatically and permanently and you want people who've been in the trenches facing these decisions."

Let's turn from the obvious -- sorry -- ageism involved and look at what else we can learn from this statement and previous hiring practices.

First, the nature of cybersecurity, and thus cybersecurity leadership, has probably changed faster than any other aspect of organizations over the past five to ten years. Key questions: How have certification processes maintained pace? How does the talent needed today differ from what was needed yesterday, and how will it change tomorrow? (A caveat is that employees still click on the phishing scam link.)

Second, because of the pace of change due to AI and organized gangs, and likely ongoing changes in talent requirements, assessment processes that you're used to -- résumé reviews, unstructured interviews, grip & grin with the CEO -- simply are irrelevant to what you need your new hires to do.

Third, acceleration in the cyberthreat space is coupled with increasing breadth of the threat surface, the assets that need security. This is a multi-disciplinary problem, not a server farm issue.

It's time to go back to the talent assessment process. Your previous The One on Day 1 from, maybe, 2020 is going to differ from The One on Day 1 of 2026 because of AI, COVID-19, changes in social media, shifts in armed conflict theaters affecting staff, increasing sophistication of cyber-attacks, increasing coordination between private sector and US government cybersecurity staffs, and changing threat surfaces. When you assess this candidate now you need to do something different, not what's comfortable from back then.

Your new The One on Day 1 now needs to deliver new and more outcomes. Your new The One on Day 1 now needs to interact better and be a business partner with other lines of business. Your new The One on Day 1 now needs to be an expert on vendors and vendor management.

Your new The One on Day 1 is out there. How will you find them?

You can still kick the tires on certifications, and your CISO candidate still needs to make good small talk with the CEO, but the talented candidate is going to do something that wasn't required before. Specifically, that person now needs to demonstrate talent in areas that deliver on all that's required of them now and in the future. Fortunately, your assessment options over that span are current relative to the challenges that person will face.

That's where we add value. Pythia Cyber now has assessments leveraging current talent models and AI-based reviews of updated cybersecurity talent at all levels -- cyber-defender, manager, and CISO/C-suite.

Your new CISO is out there. Believe.

Ask us how you can believe that the CISO you're looking for is close at hand.

(image attribution: Johan Kaufmann, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons)
