CISO search for critical infrastructure: OT expertise as dealbreaker
About the organisation
International energy company with 8,500 employees and operations in the Netherlands, Belgium and Germany. Manages 3 power plants, 12,000 km of gas pipeline and 200+ SCADA systems. Designated as an essential entity under NIS2.
The Challenge
The previous CISO departed after a reorganisation and the position had been open for 5 months. The profile was extremely complex: the CISO needed experience with both IT and OT/ICS security, NIS2 compliance for critical infrastructure, board-level communication in Dutch and German, and at least 10 years of leadership experience in a regulated environment.
Three traditional executive search firms had each searched for 8-12 weeks without finding a suitable candidate. The problem: they had no network in the niche where IT security leadership and OT/ICS expertise converge. The Board of Directors demanded that the position be filled within 2 months, as the NIS2 deadline was approaching and the organisation lacked adequate governance without a CISO.
Our Solution
MVPermanent conducted a targeted executive search, specifically focused on the intersection of IT security leadership and OT/ICS. We approached 23 potential candidates from our network of senior security leaders with experience in the energy, water and industrial sectors. Each candidate was evaluated against a scorecard with 14 criteria, from SCADA security to board reporting.
The difference lay in our sector expertise: we understood that a CISO in the energy sector must not only be a security strategist, but also someone who understands the operational reality of a control room. We organised an assessment with a case study based on a realistic OT incident scenario. The final candidate scored in the top 3 of all CISO profiles we have ever assessed.
Results
- CISO appointed within 7 weeks (after 5 months without a result through other firms)
- Security strategy presented to the Board of Directors within 90 days
- OT security roadmap delivered with 3-year investment plan
- Board-level reporting structure implemented (monthly CISO dashboard)
- First TIBER-NL test successfully completed within 8 months of appointment
“MVPeople's sector expertise made the difference. They understood that our CISO needs to know more than just ISO 27001 — they also need to know what happens when a PLC controller fails in a power plant. You won't find that combination at a generalist firm.”
What the team says
“The assessment with the OT incident scenario was brilliant. It immediately filtered candidates who only had IT experience from those who truly understand how critical infrastructure works.”