# DORA programme leads: what to look for in a CISO hire

The 2025 DORA deadline turned every regulated EU CISO role into a programme-management job. Here is how we screen for it.
The Digital Operational Resilience Act (DORA) reshaped what a CISO actually does inside an EU regulated entity. The role is now half-security, half-programme management - and most CISO candidates can only do one of the two well.
## What DORA actually demands from your CISO
- **ICT risk management framework** that the regulator will probe in detail.
- **Incident classification and reporting** within strict windows (major ICT-related incidents within 4 hours).
- **Operational resilience testing** (TLPT - threat-led penetration testing) coordinated with the regulator.
- **Third-party ICT risk** management with contractual remediation rights, exit plans, and concentration risk monitoring (Article 28+).
- **Information sharing** through formal channels.
If your CISO candidate can only talk threat detection and red team, they will miss the entire DORA half of the job.
## What we look for at KICKFIND
1. **Real DORA / NIS2 programme work** - not just a slide referencing the regulation.
2. **Engineering credibility.** Not a slide-deck CISO. Production teams have to listen to them.
3. **Third-party risk depth.** They can structure exit plans and rights-to-audit clauses.
4. **Incident response under regulator clock.** They have notified, reported and survived.
5. **Board comms ability.** They can defend a budget and a risk appetite to the audit committee.
## Three screening questions that filter fast
- *"Walk us through your DORA readiness work in your current role. What's the gap between certification and reality?"*
- *"Describe your last major incident. What was the regulatory consequence, and what changed in the runbook after?"*
- *"How do you structure a DORA Article 28+ third-party risk programme inside an EU regulated entity?"*
## Hiring a CISO
KICKFIND only submits CISO candidates with real EU regulator-facing experience. [Submit a hiring brief](/submit-hiring-brief) and we'll calibrate within one business day.