Innovation Heroes: The heroic rise of the CISO
Why hiring and retaining a CISO is so difficult – yet essential to success

A top-tier Chief Information Security Officer (CISO) could be the missing link in an organization’s security posture – that is, if they’re lucky enough to have one. This Cybersecurity Month, the gnawing question to ask is: how do transformational businesses find, hire, and retain a dependable, strategy-driven CISO?

On the latest episode of Innovation Heroes, an SHI podcast, host Ed McNamara meets with Michael Wilcox, Stratascale’s Vice President of the Office of the CISO, to hear about what Wilcox is learning from customers about their challenges in recruiting the business’ top security chief. Wilcox lays out the main hurdles, and offers some practical steps organizations can take to recharge their security posture, from the top down.

Wilcox outlines a variety of factors for why it’s so difficult to keep a CISO around. With an ongoing labor shortage, demand far outweighs supply when it comes to recruiting talent. But there is also the issue of finding the right candidate with the appropriate experience to be able to thrive in the role.

“The average tenure of a CISO right now is 18 to 26 months,” says Wilcox. “And I think part of that [relates to] the emerging threat landscape – CISOs need to stay abreast of all the mega trends in the security space, as well as all of the different technologies [related to those trends].”

The reality is that a security breach is never a question of if but when. As Wilcox points out, how well an organization weathers the next incident depends as much on a strategic CISO who can lead the team through it as it does on the technical controls already in place.

“How you respond to a breach is critical,” says Wilcox. “The world is watching when you have a breach, and so how you respond to that attack is very important, and that’s more than just technology control – you need to have a leadership team that pulls together with stakeholders, works with everyone who is affected. And for a CISO, this means that you have to have a prioritized and structured approach to identify the points of weakness that allowed the breach to happen in the first place and ensure out of the gate that they are promptly addressed.”

Listen to the full conversation now for more insights from Wilcox on how to hire the right CISO for the job, and how organizations can better prepare for those worst-case cyber scenarios.