Using Retained Search as a Risk Reduction Measure for CISOs

Few technology disciplines have seen as much change in career management as cyber security. It was born as a sleepy technical focus in the 1980s, when the closest an early security professional would come to the C-Suite would be if some senior manager lost a badge. Since then, however, the profession has begun transforming into an essential component of every organization. In some cases, the Chief Information Security Officer now serves as a valued member of the senior executive team. But with this new role for enterprise security professionals comes the requirement to learn new skills in recruiting team members, training new staff, and managing one’s own career. I recently had the privilege to sit down with my New Jersey neighbor and good friend Joyce Brocaglia to learn more about retained search and career management in cyber security.

EA: Joyce, you’ve been involved in the cyber security industry for nearly three decades in your role as Founder and CEO of Alta Associates. You are certainly in the best position to explain how retained search works for an enterprise.

JB: Retained search is a partnership between the executive search firm, enterprise security team, and their HR business partner. At Alta Associates, we are brought in to partner with an organization that is either looking to hire their first-time CISO, elevate the status of their current cybersecurity or risk leader, or build a world-class team. With our deep subject matter knowledge, we begin searches by educating the organization on the current competitive landscape, including the market value of candidates’ compensation. We can also provide feedback and guidance on where a candidate or role should be placed on the organizational chart, as well as how to develop the job description and create a successful interview process. Because we have been specializing in recruiting information security teams for so many years, our deep trusted network allows us to be an effective partner. Also, our recruiters have spent years of their careers specifically focused on cybersecurity. They are all subject matter experts who understand the nuances of the roles, the particular industry specialties, and the culture of various organizations. We believe that such knowledge, coupled with their deep trusted relationships, makes Alta second to none when it comes to delivering top talent. We begin our partnership with clients by initiating a launch call with the hiring manager, key stakeholders, and HR partners. From that call, we finalize the job description, create an outreach strategy for candidates, and set a timeline of weekly follow-up calls where we present resumes, gain feedback, or create offers. Throughout this process, the client works with a relationship manager and team of recruiters who have done an extensive search and in-depth candidate interviews. By the time an offer is made, the client is confident that they have done their due diligence in interviewing the best and brightest for the role.

EA: Do you see any trends in cyber security search? For example, is it getting easier or harder to find competent, trained professionals for clients?

JB: It’s getting harder, and all the research supports that conclusion. In the past five years, the demand for Infosec professionals has grown over three and a half times faster than other tech roles. Job postings were up 74% and an (ISC)2 workforce study showed that 62% of respondents said their organization had too few Infosec professionals. This is true up and down the line, in terms of experience and expertise, but is even more intense for senior positions. The role of the CISO is becoming more and more complex. Not only do CISOs have to be technically competent, they have to understand the regulatory, privacy and risk implications and impacts to their organizations. As if that’s not enough, they have to have the business acumen and communication skills to convey technical solutions to the board, audit committees, and key stakeholders. It takes experienced and knowledgeable recruiters to discern those qualities.

EA: What are the advantages of bringing executives in from the outside? Does this have drawbacks?

JB: The advantages are numerous, including the fresh perspective, optimism, and diversity of skills that executives bring from positions held outside the hiring organization. It cannot be underscored how critical such diversity of background can be to create innovative programs. Research shows that eclectic groups of people with different backgrounds, gender, ethnicity and training are more productive and innovative. The drawbacks associated with recruiting executives from the outside relate to the investment of time and energy that must be allocated to the process. That’s why it’s important for hiring managers to take control of the process, not leave it up to the HR team, which is typically already overburdened and lacks an understanding of the nuances of the roles and the competitiveness of the market. It’s imperative for hiring managers to make recruiting a priority on their calendar and partner with a specialty search firm that can drive and manage the hiring process. Staffing and recruiting are not outsourced functions that allow hiring managers to remove themselves from the process.

EA: I know you are passionate about empowering women in cyber security. What are you doing to improve the posture and presence of women at all levels?

JB: As you know, in 2002 I founded the Executive Women’s Forum (EWF) on Information Security, Risk Management & Privacy. Today we are the largest member organization dedicated to engaging, developing, and advancing women leaders in our field. The EWF hosts events and programs throughout the United States, including regional meetings, networking dinners, and informal gatherings. EWF membership includes women at all phases of their careers, from staff positions through the C-suite, and our programs are developed to uniquely help them at each stage. We are probably best known for our annual conference that gathers over 400 women thought leaders in our industry together. Our 14th Annual National Conference is entitled “Balancing Risk & Opportunity: Transforming Cybersecurity, Risk & Privacy Beyond the Enterprise.” To give you an idea of our programs, we have a mentoring initiative for staff women. We provide a Leadership Journey, which is a comprehensive leadership development program for middle managers. And we sponsor a Women of Influence Round Table for our most senior ranking members. Over the past decade and a half, I have also seen great strides taken by men in the field who are recognizing the importance of diversity of thought and are taking positive steps forward in their efforts to hire and develop women on their teams. These men have to act as role models and encourage their peers to do the same.

EA: How do cyber security professionals find a search firm if they are interested in making a personal career change?

JB: They should work with an executive recruiting team they feel comfortable with. Years of experience and past performance should be taken into account when establishing a relationship, but there must also be a personal, human connection. People do business with people they trust. Time and again our clients and candidates tell us how much they appreciate the time that we take in understanding their needs and goals and how diligently we work on their behalf to meet their personal objectives. We really enjoy our work and the people we work with, and we take our responsibility in bettering people’s careers, teams, and the industry as a whole very seriously.