Amid a steady stream of disruptors, including the AI boom, digital transformation, and major data breaches, cybersecurity is now a board-level concern. Companies need a Chief Information Security Officer (CISO) who can navigate today’s increasingly precarious landscape.

The Heller Report sat down with Kelly Doyle, of the firm’s Cybersecurity Practice, to learn more about this critical role.

What are the skills that the best CISOs have?

Kelly Doyle: In my experience recruiting CISOs I’ve found that the most effective ones have a rare blend of skills: they need to be able to discuss security investments at a board level and in financial terms. They need to be strong cross enterprise leaders, who can use influence to improve employee security behaviors. They need to be strong team leaders, and they need some technical depth. The best CISOs are great communicators – and even better storytellers. They use interpersonal skills to make colleagues understand risks and see possibilities. They ensure that the entire company has bought in to creating a culture of security. It’s a tough list of skills, as I discussed in a recent article.

How important is it for a prospective CISO to have led through a major security incident?

Companies are always looking for leaders who have a broad range of experiences. This is no different for a CISO. CISOs who have dealt with a security incident learn crisis management, clear communication, and team leadership, and they can use their experience to preempt a future attack, or at least reduce the impact.  

Of course, not having firsthand experience of a breach does not mean that a CISO is unqualified. A first-time CISO I placed gave me great insight on this: new CISOs should make sure they’re connected to mentors, former bosses, and networking groups. Having people to lean on and learn from in the moment is equally as important.

These networks are important even if you have security incident management experience. Each breach will be different, due to changing technologies and business environment. Just because one breach went a certain way, with one set of challenges and solutions, does not mean that a CISO can use the exact same approach with the next.

Which industries should be considering hiring CISOs – that don’t now?

All companies, large and small, public and private, should have strong cybersecurity leadership.  Across industries, companies are investing more and more in digital technologies, and every new digital technology brings with it a risk. Every new system that stores and provides access to data invites risk. As a company’s ability to innovate grows, so should their ability to reduce the security risk that comes with that innovation.

Since more corporate boards are appointing CISOs, this seems like a new career opportunity for experienced cyber leaders. How can CISOs get on boards?

First, understand that most CEOs do not want to share their own CISO’s time and attention with another company. This is why many CISOs on boards have retired from their security leadership day job. Second, boards need their members to satisfy more than one leadership competency. So, be sure your board bio emphasizes more than “security,” including leadership, transformation, digital strategies, or talent development. Finally, while we in executive search love our board searches, boards are often populated through networking, so let people in your network know of your interest and availability in board work.

Your team at Heller Search recruits CISOs for a wide array of client companies.  How should candidates get connected to you?

I am always interested in meeting new security talent, so please send me a note (with your resume) and a quick note about your career interests. But more broadly, when you get recruiter calls, even if the role they are pitching is not right for you, build that relationship and stay in touch. When a colleague is placed by a recruiter, ask for a referral. Know the major CISO search firms (in addition to Heller Search) to be sure you have as much exposure to opportunities as possible. And finally, be sure your resume emphasizes investments, ROI, and business impact – not just technology. 
