The rise of the Security 2IC?

CIOs commonly want a security leader who can cover all bases. Someone who can truly lead (from experience) in the event of an incident, breach or outage. Someone with deep technical skills. Someone with executive presence who can give the board or audit committee the key information they need in a timely manner. Someone who is well connected and known on the security industry speaking circuit. Someone who is a thought leader. Someone who can advise on cloud-first while keeping the legacy ‘on-prem’ technology in mind. And so on. What I have found is that there is a prioritisation to be had, and most CIOs are open to sacrificing some of these skills and traits for the few key non-negotiables that will serve their organisation in the near term, in order to fill the role.

But what I have also found is that the candidate shortlist will often uncover a couple of strong candidates who, if you mashed them together, would make the ideal security leader. Person A might be a pentester by trade who has risen through the ranks of experience and skill, become a team manager, then moved into consulting and in the process taken on broader risk assessments, increasing their breadth of skills. Person B has come from a law enforcement background with strong investigation and leadership skills, moved into corporate governance and compliance, has the same curious nature as Person A, and carries a confidence that provides authenticity and authority. Either of these leaders could, given their backgrounds, have the ability to be a CISO (I know it’s a long bow given the limited career information I have suggested, but stay with me). Often there are gaps in their individual knowledge and experience that concern the hiring manager. But together, these two could in theory cover all bases.

Now I can hear you saying, “one security leader costs me ‘x’ dollars and was impossible to find, and now you’re suggesting I hire another one?” Not necessarily. What I’m suggesting is that there are a few reasons you might want to identify a 2IC (second-in-command) for your CISO or Head-of:

1. You might make a CISO hiring decision based on the complementary skillset you can leverage from a potential 2IC in your current team.

2. Succession planning for a role that is a risk to leave empty. Nothing new here.

3. Mentoring. Both leaders can learn from one another; even though one is likely more senior than the other, mentoring is still effective in both directions. Mistakes will be made, lessons will be learned, growth will occur.

4. Together, they can support the team better with their varied subject matter expertise.

5. And possibly the most important one: in a market that is experiencing a ‘skills crisis’, the more people who are exposed to the expectations placed on a CISO or Head-of, the better. This 2IC can be developed not only to succeed their current boss but to be a strong candidate for other organisations that are crying out for quality leaders for their most senior security role, be it a Head-of, a CISO or a CSO.

A 2IC who is let into the world of the CISO to observe, to learn the expectations of the organisation, to understand the ways of managing up and to be clear on the decisions made (and why they are made) can increase their skills and contribution substantially. They are better prepared to act in the role should the need arise, and are equipped with knowledge that lets them make better decisions in their own role. What I’m suggesting is not necessarily new, but it is not always possible in security given the lean nature of our teams. Despite this, I’m seeing more and more opportunities for 2IC roles, given the demands on CISOs, the plethora of differing security backgrounds, and the demands of organisations and CIOs for a suite of skills from their security leadership.

As a CIO, could you see value in the identification or hiring of a complementary 2IC to round out the skills of your CISO or Head of Information Security?
