Expert Advice

Joyce Brocaglia is the executive career advisor for CSO magazine. The following questions and answers are featured on CSO's online magazine (www.csoonline.com).


What is the best way to find an enterprise CSO candidate?

When companies search for a chief security officer, they typically use three methods.

  • Post the position internally and interview current employees who they feel may possess some of the required skills.
  • Utilize the personal and professional network of the executive management team.
  • Retain an executive recruiting firm to perform the search.

The least effective method is to promote someone from within. The responsibility of an enterprise CSO encompasses technology, business, privacy, regulatory, compliance and executive management skills. It is unlikely that you will find someone within an existing organization who has the breadth and depth of knowledge as well as the skills necessary to implement and manage a strategic security initiative.

Networking is a somewhat effective method for finding a CSO as long as time is not an issue. Companies have utilized their management team, public accounting firms and on-site consultants to source potential candidates. This may be problematic for two reasons: First, it is a scattered effort by individuals who have other, more pressing priorities. Second, these individuals have a vested interest in the anticipated reciprocity of the candidate they introduce. Although it is possible to find a good candidate, this method is much more time-consuming and requires a tremendous amount of screening.

In my opinion, the most effective way to identify a successful candidate is to retain an executive search firm that has a demonstrated track record of placing CSOs. [Editor's Note: Ms. Brocaglia is founder and CEO of Alta Associates, Inc., an executive recruiting firm specializing in information security.] Many companies make the error of utilizing a big-name firm that has performed other technology searches. These firms tend to have much longer ramp-up times, less industry-specific networks and often less flexibility in their fee structures.

Identify a search firm that specializes in information security. Ask them qualifying questions such as: How long have you specialized in the field? How many searches have you conducted at this level? What is your success ratio and time frame? Have your searches been focused on specific industry sectors? Ensure that they are well respected by the information security community. You can do this by determining whether they participate in industry events, associations and forums. Most importantly, check client and candidate references. It is paramount that you spend the necessary time introducing them to your management team, corporate philosophy and structure. Select the firm that provides you with the highest level of confidence. Once they have a solid understanding of your requirements, they will be able to provide a focused, well-managed and effective search.
