Unlocking Cyber Talent: How to Engage and Recruit Leading CISOs
The Conversation Boards Keep Having
I have watched this play out more times than I care to count. A board contacts me, frustrated. They have been searching for a CISO for months. The role has been open, recruitment firms are engaged, and the shortlist keeps collapsing.
The explanation I hear is always the same: “We cannot find anyone qualified.”
After 25 years of advising boards and executive teams across multiple sectors, I can tell you with certainty: that is rarely the actual problem.
The Market Has the Talent. Your Organisation May Not Have the Governance.
Experienced cybersecurity leaders are not in short supply. What is in short supply are organisations that serious security professionals actually want to join.
A qualified CISO conducts due diligence before accepting any role. They study who sits on the interview panel. They ask, directly, what happened to the person who held the role before them. They read the board pack – not to admire the formatting, but to see whether cyber risk receives fifteen minutes at the end of a four-hour meeting, wedged between Any Other Business and lunch.
They can read the signs. And when governance has been borrowed from the previous role holder rather than embedded into the organisation’s structure, they walk away.
What Boards Are Actually Building – Without Realising It
When a CISO is hired into an environment where accountability is concentrated in a single person, something quietly corrosive takes hold. The CISO absorbs the liability. They cannot get budgets approved through proper channels. Security recommendations are overridden informally – in corridors and side conversations – rather than being challenged and debated in the boardroom, where they belong.
That is not a governance model. That is risk management theatre.
The Structural Problem No One Names
The deeper issue is that many boards have architected their cyber governance around a single individual rather than distributing accountability appropriately across the board and executive team.
When that individual leaves – whether through resignation, dismissal, or burnout – the organisation’s cyber governance capability effectively disappears with them.
And that tells me something important: if your entire security governance framework depends on one person being present, that governance never truly existed in the first place.
The CISO Vacancy Is Not Your Primary Problem
I say this directly to every board I work with in this situation: filling the vacancy is not the priority. Understanding why it exists – and why it keeps existing – is.
Boards that repeatedly struggle to retain or attract CISO leadership are, in most cases, experiencing the downstream consequence of a governance design failure. The role has been positioned as the organisation’s entire cybersecurity capability, rather than as a leadership function that sits within a broader accountability framework.
Fix the structure first. Then the right people will want to join it.
Three Questions Every Board Should Answer Before Hiring
Before your next CISO search begins, I would encourage every board to address the following honestly:
- Where does cyber accountability formally sit at board level? If no individual director owns it, accountability exists nowhere.
- What decision rights does the CISO actually hold? Can they escalate material risks directly to the board without going through a filter?
- What happened to the last CISO? The answer to that question will tell a candidate everything they need to know about whether the role is viable.
These are not HR questions. They are governance questions, and they belong in the boardroom.
What Cybersecurity Leaders Are Actually Evaluating
If you are a CISO or senior security leader assessing a new role, what you are really assessing is the organisation’s governance maturity.
Look at how the board discusses cyber risk. Does it appear in board papers as a standing strategic item, or is it buried within operational reporting? Is there a named director with accountability, or is cyber risk treated as a diffuse responsibility that belongs to everyone and therefore to no one?
The organisations worth joining are those where the board understands that cybersecurity is a governance issue before it is a technical one. Those organisations tend to retain security leaders. They also tend not to end up in the news.
The Real Test of Cyber Governance
The measure of sound cyber governance is not whether your organisation has a CISO. It is whether your organisation’s security posture would remain coherent if that person resigned tomorrow.
If the answer is no – if the governance disappears when the individual does – then what you have built is not a governance framework. It is a dependency.
Boards that understand this build differently. They embed accountability into roles, committees, and reporting lines rather than into personalities. They attract better candidates. They experience fewer crises. And when incidents do occur – as they will – they are far better positioned to respond with clarity rather than confusion.
Cybersecurity leadership is not primarily a technical discipline. It is a governance discipline. The boards that have understood this are, in my experience, the ones that never struggle to find their next CISO.
Much of what I have observed over 25 years – including why so many organisations remain structurally vulnerable long before any attacker arrives – informs the thinking behind Cyber Insecurity. The patterns I describe in that book begin not in the server room, but in the boardroom.
Dr Kiran Kewalramani is a cybersecurity adviser with over 25 years of experience working with boards, executive teams, and risk leaders across the private and public sectors.