This white paper discusses the challenges of hiring the right Chief Information Security Officer (CISO) and provides recommendations to improve the hiring process. It notes that the CISO role is still evolving and most executives do not fully understand the role's responsibilities. It recommends that companies clarify the CISO role by making cybersecurity a board-level priority, assessing current security strengths and weaknesses, and evaluating organizational security culture to identify needed CISO skills. Taking these steps will help companies define CISO job requirements and find candidates best suited to their specific cybersecurity needs.

1. A SHEFFIELD HAWORTH WHITE PAPER
Why Hiring the Right CISO
is so Hard
And What You Can Do About It
ERIK MATSON,
Managing Director, Global Head of Insurance & Cyber Security Practices
matson@sheffieldhaworth.com | +1 (646) 597-7410
SCOTT SMITH,
Managing Director, Technology, Operations & Cyber Security Practices
ssmith@sheffieldhaworth.com | +1 (646) 597-7411
JOHN BUDRISS,
Executive Director, Technology, Data Science & Cyber Security Practices
budriss@sheffieldhaworth.com | +1 (646) 597-7431

2. With the brand and billions of dollars on the line, cyber
security has moved to the front burner for boards and
CEOs of financial services firms. One of their most critical
decisions? Choosing the right Chief Information Security
Officer (CISO). Here’s how to take the uncertainty out of
the decision.
The headlines bring word almost daily of major cyber-attacks. The weapons
grow more sophisticated while the vulnerabilities grow more numerous.
Today’s attackers include not only global super-criminals looking for financial
gain but also state sponsored groups intent on stealing intellectual property
and other strategic assets. For financial services firms, the stakes are high and
getting higher: potential business disruption, the compromising of customer
information, regulatory backlash, damage to the brand, and possible
destabilizing of the tightly interconnected global financial system itself.
www.sheffieldhaworth.com
2
Introduction

3. www.sheffieldhaworth.com
3
AShotin
theDark?Given the threats, it’s no surprise that demand for
outstanding CISOs far outstrips supply. But beyond
the challenge posed by short supply lurks an even
bigger hiring challenge: knowing how to choose the
right person for the job. Here’s why it’s so difficult:
The CISO role is relatively new and its definition
remains a moving target. As cyber-weapons grow
more sophisticated and the dangers greater, the
CISO role continues to evolve. In addition to technical
expertise, today’s CISOs must also have:
Gravitas and presence to influence people across
the firm
Change management skills to keep the organization
ahead of the bad guys
Superior relationship-building skills to work with
otherfirms,cloudservicesproviders,lawenforcement,
government, and cyber security associations and
watchdogs
The difficulty in defining the role is reflected in the
many different reporting structures in which it is
embedded. In some firms, the CISO reports directly
to the CEO or the board. In others, the CISO reports
to the COO, CIO, Chief Risk Officer, or Chief Security
Officer. In organizations that have been slow to adapt
to today’s new realities, the role hasn’t been separated
from the role of CIO, who must wear both hats.
Most hiring executives, including CEOs, lack a full
grasp of what is required in the CISO role. Do you
know what a zero day attack is? APTs? Metamorphic
malware? Polymorphic malware? All of these cyber
weapons have figured in successful attacks. Most
executives have no way of knowing whether a CISO
candidate has the experience to deal with them or
with all of the other ever changing and unknown
threats that could bring a company to its knees.
Should you look for a longtime corporate cyber
security professional? An IT generalist? A cyber
security consultant? Someone with a military or
intelligence background? Add these questions to
the challenge of defining the role and the difficulties
of this already difficult hiring decision multiply
exponentially.
Financial services firms are reluctant to share
information about cybersecurity. Some information
sharing does occur. The Financial Services Information
Sharing and Analysis Center (FS-ISAC), for example,
provides a central resource for cyber and physical
threat intelligence analysis and sharing. Nevertheless,
firms are understandably reluctant to admit that their
security has been breached, because it tarnishes the
brand. They also hesitate to share effective defense
strategies, because they regard them as a competitive
advantage. As a result, no uniform set of best practices
has emerged against which you could measure a
candidate’s knowledge and qualifications.
Many financial services firms don’t have a handle on
their security culture or needs. Is information security
second nature to employees at every level of your
organization? Or do many of them fail to follow even
the most basic security policies? Do various functions
work collaboratively with the information security
function or do they regard it as a nuisance or necessary
evil? Do top executives agree about the issues of
cybersecurity and how to address them?
Consider the discord and confusion Pricewater-
houseCoopers unearthed in its “2014 US State of
Cybercrime Survey.” Participants were asked what
the greatest obstacles were to improving their orga-
nization’s information security. CEOs identified lack
of capital funding. CFOs indicated a lack of leadership
from the CEO. CIOs and security executives cited a
lack of actionable vision or understanding within the
organization.
Why Hiring the Right CISO is so Hard ... And What You Can Do About It

4. www.sheffieldhaworth.com
4
Clarifying
theRole
andthe
Hiring
Decision.To overcome those considerable challenges, you must
bring the CISO role and your firm’s specific needs into
sharper focus. How? By taking these critical steps to
set the context for cybersecurity in your organization:
Make cyber security a board-level concern. Few
board responsibilities are as important as oversight
of risk management, especially for financial services
firms. If cyber security and its risks aren’t already of
prime concern to your board, they should be. The
board should not only treat it as regular agenda item
but hear regularly from the CISO.
The board’s role helps clarify the role of the CISO.
Directors must make sure that management is
addressing cyber security adequately and within
the bounds of risk tolerance the board has established.
The CISO is therefore no mere technician, but a
critical resource for the board, helping it understand
cyber risks in general and in the context of business
actions the firm is weighing. Candidates for the role
should therefore have business acumen as well as
security expertise.
Determine where you currently stand. Identify
your crown jewels: your most valuable information
assets, from customer and employee information to
intellectual property. Then conduct a no-holds-barred
exercise designed to expose your vulnerabilities. (The
exercise might be facilitated by third-party cyber
security experts, including certified ethical hackers).
Immediately—not months later—follow the exercise
with a candid review. Such exercises can be eye opening.
You may discover hitherto unknown weaknesses and,
in some cases, exceptional strength.
If security is notably weak, consider CISO candidates
who have experience turning around similarly weak
organizations. If your security is exceptionally strong,
you should seek a CISO who can keep you on the
cutting edge. The types of vulnerabilities that you
uncover can also figure in the CISO job profile. For
example, if you find that the greatest danger lies with
cloud services providers or other vendors, your CISO
should have experience with supplier management
and contracts.
Assess your security culture. The carelessness—
and sometimes the malevolence—of employees
can be the greatest threat to cyber security. How
do employees throughout your organization treat
security? What kind of security culture do their
actions, along with policies and processes, add up to?
If it’s a lax culture, where security is sometimes treated
lightly, your CISO will need change management and
influencing skills to fix it. If it’s a strong security culture,
you have the luxury of seeking a CISO who can focus
on more pressing vulnerabilities.
Engaging the board, determining where you currently
stand, and assessing the security culture across your
enterprise are large undertakings. But with so much
at stake, few firms can afford to do less. Talent will
continue to be scarce and threats will continue to
multiply. Firms that know precisely what they need
will waste less time looking in the wrong places and,
ultimately, better prepare themselves to fend off
ever more sophisticated attacks, protect their most
valuable assets, and win the enduring confidence of
customers and investors.
Why Hiring the Right CISO is so Hard ... And What You Can Do About It