Head of Security

Running an Effective Discovery Process

A company searching for a CISO/Head of Security must decide not only where the new hire will report, but also what the scope and expectations of the role will be. These complex decisions are crucial to the company’s success. With so much at stake, how does a company ensure that all of their interviewers and influencers are on the same page?

We’ve developed a unique spin on the discovery process called “Interviewing the Interviewers” or ITI. Our team spends a day or two onsite, meeting with the interviewers and influencers and getting a sense of their perceived evaluation criteria and thoughts on the process. We ask a custom set of questions that relate to the original position specification we were given (if one exists) and/or what the hiring leader told us. The entire ITI process is meant to be swift, personal and intrusive.

After the interviews, we present our findings to the executive sponsor of the search with the goal of establishing a common language and understanding. In the security space, we hear a variety of terms that ultimately describe the same concepts. AppSec and Security Operations are two great examples; we’ve seen at least five different definitions of these terms from client to client and function to function. Our findings eventually become the basis of a thoughtfully constructed position description.

We’ve found that the ITI method is an effective way to discover the true meaning of the client’s target and the best cultural match. Here’s why:

  • Face-to-face time with interviewers and influencers helps us become familiar with everyone’s roles, motivations, and styles while allowing the team to get to know us. While many executives have worked with search firms, most have not worked side-by-side with a search partner. Understanding our value improves the search.

  • Interviewers and influencers get a chance to have their voices, thoughts and perspectives heard. We are able to get each individual’s definition of the role and the evaluation criteria/priorities without influence from others. This is the key element to getting buy-in and calibration.

  • We learn about the client’s environment using an internal lens which allows us to see the client in their natural habitat. We are able to observe the office environment and culture and make it part of the story. We ask questions to get a sense of the vibe, employee interaction, client organization, and meeting structure.

  • We hear the company’s pitch from a number of people who will interview our candidates. Since most of our candidates are gainfully employed, our clients need to make their pitch crisp and enticing. If the individual, or the company as a whole, is not a strong pitcher, then we want to identify this upfront. From there, we evaluate who should be pitching to the candidates and when he or she should appear in the process.

  • Most importantly, the ITI method gives us data to present to the hiring sponsor(s) to determine whether they can overcome obstacles or beliefs that may challenge the success of the search process. In the end, it is all about executive sponsorship. If we do not have the necessary air cover and ability to influence mindset then the search is likely to be unsuccessful. We could run the risk of simply finding and presenting a collection of candidates without much advising. When this (rarely) occurs, as an esteemed search legend says, we “Fetch versus Search”. And the results can be drastically different.

Whether it is the ITI method or something different, a strong discovery process from a search partner or internal recruiting function is an absolute must. This process sets the stage for how the company will act when faced with difficult alignment questions, scope definitions, evaluation expectations, and overall qualification priorities, and it ultimately determines the success of the CISO/Head of Security role.

Where Does the Modern CISO/Head of Security Fit in Your Organization?

Technology has become an essential component for most modern businesses. Because of that, technology leadership requires a place in the org structure that enables it to impact and improve the whole company. If a CISO/Head of Security is placed into the wrong structure, the results can be poor or possibly detrimental.

The ever-evolving CISO/Head of Security role is still searching for a permanent home within many organizations. The discussion around where this key position will reside has been front-of-mind for most of our clients and a hot topic within our community.

To provide some relevant data, we can break down our current project portfolio. Among our open CISO/Head of Security search projects today, there are almost as many different reporting structures as there are searches: 7 open search projects and 6 different C-level leaders the hire would report to, ranging from CEO, COO, CFO, CPO and CIO to CTO/SVP Engineering.

So, where does this strategic and critical position belong in your company's structure? We’ve seen that opinions tend to vary based on the answers to these five questions:

  • What does the company’s historical security structure look like, and how successful has it been?
  • What level of impact will the Head of Security be expected to have within the company?
  • What is the maturity level of the security program and compliance efforts within the company?
  • How does the company build, deliver, and sell their product or service?
  • What are the external optics of the company’s product/services security posture? What will clients need to see and say about the structure the company deploys for their Head of Security function?

Let’s use a young, cloud-first SaaS product company as an example. The company starts with security as a component of the engineering or product development (PD) organization because it began building everything in AWS, Azure or GCP. When the company’s attack surface becomes large and complex enough to warrant hiring its first Head of Security, it could go a few directions. It might decide to expand the existing Sec Eng/Ops function, or it might create a separate security function and pull SecOps out of Engineering altogether.

But let’s say that the company is coming from a more traditional shrink-wrapped software delivery model with professional services. They have a functioning and more traditional IT structure, which might warrant the Head of Security sitting within the CIO’s organization. Simple enough, right?

Then what happens when that same company migrates their entire product suite to a cloud delivery model using public cloud infrastructure? At that point, the security function might split in two (InfoSec/Compliance + SecOps/DevOps) or DevOps might be rolled under Security Ops. Another possibility is that the General Counsel (GC) takes Compliance and everything else security related falls under Product or Engineering. The point is that there are a dozen different, completely justified, ways to go.

All said, this is a transformative and exciting time to be a leader in the Security space. For CISO/Head of Security candidates out there, it will take patience and diligent discovery to determine if the roles being presented to you will enable your growth and impact in your next company. For companies looking to make this important hire, it will take patience, lots of data, and perhaps several tough conversations within your company to get it right. You might even choose to listen to your search partner. ☺

Especially on a topic with so many different opinions, we’d love to hear yours. What do you and your company think the right structure should be? Please complete this short anonymous survey. We’ll discuss our findings in a future post.