I would suggest you carefully review the regulatory guidance to ensure you (and the appropriate executive management and board committees) are clear on what the functions, roles and responsibilities of the Info Security Officer are. Keep in mind any comments/criticisms provided by your regulator requiring attention. Then, you should be able to develop and prioritize a "to do" list of actions to be taken by the ISO. At this point, you can assess who in your organization is best qualified to execute on what needs to be done. Again, this assessment should be taking place at an executive management level with input and participation from the appropriate board committee. If no one is qualified, then you need to hire someone. Forget selecting based solely on title or position.