When considering a new CISO role, what are your red flags and green flags? (For instance, what signs do you look for to indicate the organization values the security function/your role in the business?)

410 views, 7 comments
Director of IT, 4 months ago
One of the ways to check whether an organisation values the security function is to see where in the organisation the CISO role sits and whom the CISO reports to. A red flag would be if the role reports into the Head of IT / IT Director, as security is then possibly just seen as an IT-focused role and not a business-enabling role. If the position is within or reports into the C-suite (CEO/CIO etc.), then it shows that at least it is recognised as an important business role. The job description and salary band should also give you a feel for whether the organisation truly understands the CISO role or whether they are simply asking for a CISO for the sake of it, or to say they have a CISO in place.
1
CISO in Insurance (except health), 4 months ago
As mentioned, reporting lines are fundamental for understanding how a company perceives a CISO role. Moreover, you must know if a regulatory body or a group structure mandates the reporting lines.

For me, the most crucial part is the conversations I have with the other executives during the interview period. These conversations allow you to understand, at least at a very high level, what they think about security. Lastly, always ask for a conversation with the CEO.
1
Senior VP & CISO, 4 months ago
Reporting lines (CIO versus CEO, CLO, etc.): who does the CISO report to?

Who presents information security to the Board? How often? Full board or committee?

Headcount and budget numbers.

Results of audits, pen tests, etc.
Group Director of Information Security in Banking, 4 months ago
Apart from the most obvious red flag, as mentioned by other peers, in terms of reporting lines, i.e. embedded within IT or independent of it, the other 2 red flags would be:

1. Do the role's job functions combine operational and governance aspects?
Rationale: Responsibility for operating security technologies (DDoS, DLP, VAs, secure engineering principles etc.) should not be merged with laying down policies and ensuring their compliance. If both are combined, then the role will most often find itself in the mode of firefighting incidents/crises rather than strategic alignment with business or establishing root causes of the recurring issues.
2. Is there a major reliance on external consultants vs the in-house skillsets of the team?
Rationale: If you are inheriting/replacing an earlier CISO, have a good hard look at existing team members and their skillsets. In the upcoming digital age, you need to 'hit the ground running' and the whole team will need to be ready to run along. Old-school skillsets of managing firewalls, WAF or SOC correlations will need to be quickly replaced with metrics for securing cloud accounts and subscriptions, securing IaC, embedding vulnerability assessments within CI/CD pipelines, or DLP technologies for supporting the organisation's use-case-specific LLMs. If the team you inherit is mostly old school or highly reliant on external consultants to do the job, you may want to highlight the need for reskilling them or plan for their replacement in the short term. Reducing dependency on external consultants is essential for showing budget optimisation, which may be desired by the executive management.

SVP, Associate CIO & Chief Technology Officer, 4 months ago
I tried to break down the red and green flags related to a new CISO role. Company culture plays a huge part in this.

Red Flags and Green Flags for a New CISO Role
When considering a new CISO role, assessing the organization's security posture and culture is crucial. Here are some red flags and green flags that I looked for:

Red Flags:
- Lack of Security Awareness: If the organization doesn't prioritize security awareness training for employees, it indicates a lack of understanding of its importance.
- Insufficient Budget and Resources: A limited security budget and inadequate staffing can hinder your ability to implement effective security measures.
- Micromanagement and Lack of Autonomy: If the role comes with excessive micromanagement and limited decision-making power, it can be difficult to implement necessary changes.
- Resistance to Change: An organization that is resistant to adopting new security technologies and practices can create a challenging environment for a CISO.
- Unrealistic Expectations: Unrealistic expectations regarding the speed and scope of security improvements can set you up for failure.
- High Turnover Rate in Security Team: A high turnover rate in the security team can indicate underlying issues with the organization's security culture or leadership.
- Disregard for Security Recommendations: If leadership consistently ignores or downplays security recommendations, it suggests a lack of commitment to security.
- Focus on Cost-Cutting over Security: Prioritizing cost-cutting over essential security measures can compromise the organization's security posture.

Green Flags:
- Strong Security Culture: A strong security culture is evident in employee awareness, regular security training, and a commitment to security best practices.
- Adequate Budget and Resources: A dedicated security budget and sufficient staffing demonstrate the organization's commitment to security.
- Supportive Leadership: Leadership that actively supports security initiatives and empowers the CISO to make decisions is a positive sign.
- Openness to Change: An organization willing to adopt new security technologies and practices is more likely to embrace a proactive security approach.
- Realistic Expectations: Realistic expectations regarding the time and resources needed for security improvements demonstrate a mature understanding of cybersecurity.
- Low Turnover Rate in Security Team: A stable security team with low turnover indicates a positive work environment and strong leadership.
- Consideration of Security Recommendations: Leadership that actively considers and implements security recommendations demonstrates a commitment to risk mitigation.
- Balance Between Cost and Security: An organization that balances cost considerations with essential security measures shows a responsible approach to risk management.

Additional Considerations:
- Review the organization's security policies and procedures.
- Meet with key stakeholders, including the CEO, CFO, and board of directors, to understand their security priorities.
- Assess the organization's risk profile and threat landscape.
- Evaluate the maturity of the organization's security program.

A strong security culture and supportive leadership are essential for success in any CISO role.
2