CISO job search: What to look (and look out) for

The first thing a CISO should remember when considering a new position is that C-level security professionals are a valuable commodity. That means take your time and be picky so you don’t land the wrong job. Or, as the world’s first CISO Steve Katz says, “Don’t go shopping when you’re hungry.”

That’s because CISO jobs are abundant but not equal. A quick search on LinkedIn, for example, turns up more than 1,000 open CISO-related positions, most of which appear to be at the executive level. Indeed.com, on the other hand, claims more than 4,000 positions on a search, but many of those titles are not C-level roles, and some aren’t even managers.

This a key distinction CISOs should understand when considering a new job, according experts. Is it a true C-level role with buy-in from the board and a direct or indirect line to the CEO? Or is it an overblown title for a lesser role? It might be a trophy job where the company just needs the body to meet regulatory requirements.

Does the role lack C-level status?

“One of the first things I ask is, ‘Who does the CISO report to?’ because understanding where the CISO position sits in the organization tells me how invested the hiring company is in security,” says George Viegas, CISO at Chapman University, a top-ranked private university in Orange, California. “If the CISO reports to the CEO, that is huge and indicates that the job is actually C-level with support from the top. If the CISO role reports to finance or risk or compliance, it tells me I’d be some level removed from top leadership.”

According to a Forester report released late in 2020, only 13% of CISOs are considered C-suite. If candidates are looking for challenging C-level jobs with the influence and support they need, reporting to the CEO is ideal, while reporting to the CIO with a line to the CEO is most common.

“If you are told during the hiring process that you don’t need to worry about presenting to the board because your boss will do that, that’s a red flag. It can mean the first time you see the board is to give them bad news. That’s never a good time to meet the board,” says Diana Kelley, former cybersecurity field CTO at Microsoft and co-founder of the SecurityCurve analyst firm.

Katz puts it this way: “If you haven’t developed that credibility and something goes bump in the night, and it will, you’re going to get kicked to the curb.” He recalls an example from a few years ago where the opposite happened because the CISO had those critical relationships with executive leadership before the company was hit with Petya encrypting ransomware. In that case, the CISO kept his job while the CIO lost his. “He [the CISO] developed credibility with the C-suite and the board and was incredibly transparent with them from the very beginning.”

A poorly-defined CISO job description 

Also, look for hidden meanings in the job description. For example, Viegas, who’s on his sixth CISO job, says to watch for keywords, like ‘hands-on’ vs ‘strategic’ or ‘compliance’ vs ‘leadership.’ “’Hands-on’ could indicate limited or no resources and likely a small company offering a glorified security administrator role. Strategic indicates a higher-level role. A heavy focus on compliance could mean they’re just trying to check a box for regulators,” he explains.

How the job description is written and structured also tells a lot about a company. Is the organization looking for an unreasonable level of skills, for example asking for every certification under the sun along with 15 to 20 years in an executive CISO role? Adds Kelley, “Poorly defined job descriptions may list way too much for one person to do, or they can reveal a lack of understanding about what a CISO does, meaning the expectations will be off. It may also show lack of support as well as a confused or chaotic working environment.” 

Why are they hiring a CISO?

There are a variety of reasons for hiring a new CISO. Sometimes it’s due to a breach and the previous CISO left or was fired over it. Some have never had a CISO before. Ideally, the company is looking for a strategic partner to take them to the next level.  

“Many of our clients are retaining Alta because they are elevating a position or creating a new role. So even though they may have a CISO in place, they realize what got them to here isn’t going to get them where they want to be,” explains Joyce Brocaglia, founder and CEO of security executive search firm, Alta Associates. “These organizations are usually looking for a higher-level executive leader who can convey security and risk issues in terms that make sense to the business. They also typically want us to find someone who has a more holistic approach to risk, a collaborative leadership style, and sees cybersecurity as a business enabler.”

It’s also important to know about who you’re replacing. Is there a string of CISO’s coming and going? Or have they never had a CISO before? If not, is there realistic budget and a security department? If the company has a revolving CISO door, it may indicate the company is hard to work for and has unreasonable expectations, Kelley suggests. Or it could mean the company is still immature and doesn’t understand the strategic, C-level nature of the job.

Looking for a CISO at the next level, with executive skills may be one reason that the company is not trying to hire from within, but that’s another red flag to look out for, Viegas says. It could mean good talent is being overlooked, or that there are no managers and directors in the organization to promote—indicating lack of support for the role.

Who’s on the security team?

If the CISO reports to the CIO, Viegas also recommends looking up the CIO’s track record to know if they’re a good cultural match and if the CIO sees the CISO as a strategic partner. Then drill into the size of staff and find out if there’s room for growth relative to the organization size and mission. “If the team has three members, do they have budget for several more? Are there managers and directors reporting up to the CISO?” 

Cultural misfit is one of the least talked-about but most important red flags when considering a new job, Brocaglia says. “On paper most job descriptions look alike, but every company’s culture is different. Expectations are different, leadership needs are different, and the levels of collaboration are different. Skills are easy to find. It’s the cultural fit that’s difficult.”

The interview process is also a good indicator of cultural fit—or lack thereof. For example, Kelley describes interviews where six different people have explained the job six ways. Some may have a savior complex where they feel the CISO is responsible for everything, or HR seems disorganized and chaotic. “If HR is messed up, usually the company is,” she adds. 

What are they paying?

Katz, who coaches CISOs, likes to organize job satisfaction into what he calls the “six c’s”: challenge, commitment, chemistry, culture, clarity and commute. If all those line up, then comes compensation. Katz says packages for true C-level CISOs ranges from $250,000 to $2 million depending on the size, maturity and complexity of the organization and the options included in the package.

Kelley’s advice is to check how that compensation is packaged. For example, is it heavy on bonus and stock grants but low on monthly pay? Are the performance requirements for the bonus achievable? At what intervals do grants vest?

Also important, can the CISO get a golden bullet clause in the contract that these incentives don’t disappear in case the CISO’s head rolls over a breach or political misstep inside the company, she says. “If the company went through a recent breach and the CISO was sacrificed as a scapegoat to the media and lost their job, that’s a potential glimpse into your future at that organization.”