Unlocking the DNA of Successful CISOs

What to Look For and What to Avoid

By Stephen A. Spagnuolo

The chief information security officer (CISO) remit is growing in importance every day. As digital information security has moved up the corporate agenda over recent years, so too has the prominence of the CISO mandate within the organizational structure. The challenge is that there are not enough talented CISOs available to meet corporate recruiting needs. This supply and demand imbalance puts more pressure on hiring executives to ensure that the best possible CISO candidate is selected. It also raises the importance of building bench strength and succession planning in and around the corporate security function. Given these factors, how can we ensure that the right hiring and promotion decisions are being made to strengthen the information security function?

Things are changing quickly. Indeed, there is a ‘night and day’ difference between the CISO’s remit today and that of just a few short years ago. As a result, some CISOs are simply ill-equipped to make the leap forward and navigate successfully in this new-era digital security environment. How then can we improve the decision-making process when hiring a CISO? Might there be a blueprint for benchmarking critical success factors and, by association, identifying ‘red flag’ traits?

ZRG Partners has recently concluded an in-depth study of the success factors of top CISOs. We looked across a wide sampling of career backgrounds among top-echelon chief information security officers operating in industry today. The purpose of the study was to identify the common professional strength traits of top-performing CISOs. From this we constructed a validated CISO DNA Scorecard against which to assess senior and next-generation digital information security officer candidates, so that our client company executives can replicate success when hiring for this often hard-to-source position. ZRG assessed these information security leaders using our proprietary Z Score process and then reverse-engineered the data-driven findings to identify the determining factors of success and, by inference, failure.

The study sample comprised highly regarded, forward-thinking CISOs who agreed to participate in the project, drawn from leading Fortune 500 companies, government agencies, startup and fast-growth platforms, and consulting firms. First we analyzed the findings for common traits of success among this CISO peer group; we then identified the red flag indicators that corporate management should avoid when considering outside hires or internal promotions to the CISO mandate.

The findings can be valuable for aspiring CISOs as well as for corporate CEO/CFO/COO leaders, all of whom are heavily invested in getting this critical recruitment right. Corporate board directors will also want to reference our findings, given their fiduciary responsibility to ensure that sound risk management processes and procedures are properly and effectively deployed, including the recruitment of the most qualified talent.

The findings were enlightening, and in places surprising and counterintuitive. They give companies a data-driven blueprint for what to look for and what to avoid.

What to Look for in a CISO

We found that successful CISOs have common force-multiplier characteristics. These include:

  • They are smart, thoughtful and intellectually curious
  • They are excellent communicators
  • They tend to be analytical
  • They are energetic and able to multi-task and take action
  • They tend to be even-tempered and steady
  • They are comfortable operating both independently and collaboratively
  • They can be decisive and make decisions without delay

In addition, top-tier information security leaders are great at communicating vision, action and rationale in carrying out their day-to-day business. They possess a notable depth of general business acumen. They are also ‘customer oriented’ in driving creative solutions and delivering comprehensive results.

Among our findings, one particular quality stood out that we did not necessarily expect. Across our sampling, successful CISOs universally trended toward ‘less accommodating.’ The data does not skew all the way to the ‘difficult’ end of the scale. Rather, it indicates that the most effective senior information security leaders are trail blazers within their respective organizations. They hold strong opinions and stand by them in the face of questioning and scrutiny. They are not easily persuaded to abandon their instincts or the plans they believe make the most sense.

What to Avoid in Hiring or Promoting a CISO

What are the personal landmines to avoid when considering a CISO candidate? Our study also identified red flag trait indicators that would be areas of concern when hiring or promoting someone into a CISO role. Following is the short list of measurable areas of concern:

  • Someone who is overly methodical and single-task focused can struggle
  • Someone who is indecisive and uncomfortable making decisions quickly with the information available will be extraordinarily challenged in achieving success
  • Someone who, in executing their day-to-day responsibilities, requires a high degree of management and oversight, and more generally lacks an independent nature, may be miscast in this new-era CISO mandate

Making Great Hiring Decisions for the CISO Position

How then can we use this information to make better hiring decisions? The first critical step in any hiring process, and in a CISO recruitment this comes even before applying these findings, is to align the required career experience, education and technical skills with the target position. Once those boxes are checked, we can then look at the soft skills and hidden traits of a top leader.

The CISO DNA Factors cited here can be measured and should be part of any effective CISO hiring process. ZRG Partners deploys PhD-validated assessment tools to extract these qualities in our retained search methodology, and compares the results to our CISO DNA Scorecard, i.e. the “ideal CISO candidate profile.” This helps us and our clients get to know the respective candidates better, particularly in the often hard-to-assess softer areas, and greatly assists in vetting and sorting a slate of strong candidates for our client.

Reference checking, when properly directed, can add valuable insight, but the process must dig into the success factors and red flags if it is to improve the recruitment outcome. The interview process itself can illuminate the issues that bear on a smart hiring decision, and should be constructed to accomplish that objective.


There simply are not enough qualified CISOs (or deputy CISOs) in the notional candidate pool who possess the professional wherewithal to meet today’s cyber threat challenges.

We now know the successful CISO is an impact player: someone who thinks strategically, communicates effectively laterally and vertically across the entire organization, understands the business operational life-cycle and its balance sheet implications, and possesses a high level of executive presence.

Hence the exceptional information security leader in this new-era cyber threat environment is one who executes her/his mandate with a fundamental ‘business unit leader’ mindset. The professional who will meet and thrive amidst the information security challenges confronting businesses today and tomorrow has a dimensionally different profile from the information security officer of years past. To be sure, there are many dynamic, forward-thinking CISOs currently in place. But the supply-demand imbalance here is stark.

At ZRG Partners, as we execute CISO searches on behalf of our clients, we are increasingly sourcing impactful ‘alternate source’ short-list candidates from the CIO/COO/CFO ranks of peer and next-echelon competitor companies, to add depth and optionality to our candidate slates.

As a Firm we are committed to being part of the solution in cybersecurity. Our goal in publishing these findings is simply to better assist corporate leadership and boards in gauging and benchmarking senior and next-generation information security officer candidates, so that they can more effectively confront the myriad cyber threat risks facing their organizations today and tomorrow.

As we all, across this vast and growing cybersecurity ecosystem, collectively face the mounting risks and real costs of cyber threats to our information security defenses, the CISO mandate will continue to grow in importance and impact. Locking in the right information security leader anchors an organization’s cyber defense, enhances its overall risk management and mitigation process, and more generally strengthens and extends its executive/C-suite bench strength.

Wall Street Journal