Can’t Find a Chief Security Officer?
By Guest Contributor: Mark Silver, MBA
We’ve all heard the stories: cybersecurity is increasingly important, but there is a skills shortage. I’m not convinced that is true. It depends on what you are looking for and where you are looking for it.
If you are looking for a *perfect* fit, then yes, there is a shortage. If you work for Industry “A” (pick any industry) and you reach out to a recruiter and say: “I need a CISO, so here are my three closest competitors. Get me one of those CISOs.” Then by definition, you have limited your pool of candidates. Now you have a shortage.
You struggle to solve: you either need to find a new security executive, or replace the one you have. In either case, why is the best strategy to look for the same thing you already have? Isn’t that the definition of insanity? Continue to do the same things, but expect different results.
Harvard Business Review, in its September-October 2019 issue in the article “Experience Doesn’t Predict a New Hire’s Success,” stated that there was a “very weak relationship between prehire experience and performance, both in training and on the job. We also found zero correlation between work experience with earlier employers and retention, or the likelihood that a person would stick with his or her new organization.”
When asked why this might be the case, the authors stated that employers needed “to consider that experience in one organization might not help—and might even hurt—performance in another if they don’t operate the same way or have similar cultures." Unfortunately, the research focused on frontline workers, and so it would be difficult to empirically prove a similar relationship at the executive level.
Despite this, employers need to define the problem they need to solve and then determine what are the skills, attitude and experience needed to solve that problem. This is a *skills* issue, not a knowledge issue.
For example, if your business operates within a complex regulatory environment with a complex risk landscape and is a matrixed organization, the best candidate is the one with the skills and experience in working in that kind of environment. Not the one who has the knowledge of working in your industry, or the one who knows about applications x, y and z. Providing that a candidate has the ability learn about a particular application, regulation, or policy, having the skills necessary to operate effectively is far more important.
It’s like teaching a teenager to drive a vehicle: we don’t ban them from driving just because they don’t have the knowledge when they are starting out. Providing they have the hand-eye coordination necessary, we teach them the road rules and then let them practice. We let them become familiar with the roads, how the vehicle travels, stopping distances, etc. With practice and knowledge, they become better.
Expand your search horizon beyond the “perfect” fit, and explore candidates with the talents, skills, and experience to solve your problems. Who knows: you may find fabulous talent outside your three closest competitors, and maybe even outside your industry.
About the Author: Mark Silver, MBA, is a former Fortune 20 CXO and has more than 20 years’ experience in technology, digital security and risk. He has held global roles as a Chief Information Officer, Chief Security Officer (physical and digital security), Chief Risk Officer, Chief Compliance Officer and Group Auditor. He currently works as an executive coach and consultant advising security, risk and technology executives.
Author's Note: I published this on LinkedIn, October 9, 2018. I updated it August 30, 2019, to include research from Harvard Business Review: Experience Doesn’t Predict a New Hire’s Success, Retrieved 1:50 PM Aug 30, 2019 from https://hbr.org/2019/09/experience-doesnt-predict-a-new-hires-success.