Thank you to Helen Patton for sharing her article on our site.
This can be read on Medium as well.
CISO: A Terminal Position
What Happens When You’re Done Being CISO
A couple of months ago, my position as CISO was eliminated. The company still had a CISO (more than one, in fact), and they decided to downsize my security team, and so no longer needed a person with the title of “CISO” in that part of the business. So there I was, working out what came next (and in a hurry). The answer was not simple…
When faced with choosing the next thing after CISO, a person has a few options:
Find another CISO role. This is the most obvious. Once a CISO, always a CISO. Perhaps it means being a CISO in a new industry, or for a bigger (or smaller) organization, or in a new location. The essential job (running a security program to defend an organization) remains the same. Recruiters, in particular, are very comfortable sourcing CISOs for other CISO jobs. Just as it is hard to land a first cybersecurity job, it is hard to land a first CISO role; once in one, though, you can jump from CISO role to CISO role in a game of ever more demanding musical chairs. Right now, even the CISO job market is pretty sluggish for people who already hold the title. A few positions are opening up, but competition for them is intense, and the most senior CISO positions are well guarded by executive recruiting firms. It's all about who you know, and timing…
Find another tech leadership role. Most CISOs I know want to stay in a security leadership position, but an increasing number of folks are starting to see that the thing they love about being a security leader is being a leader first… so they're willing to consider other technology leadership roles (CTO, CIO, etc. etc.) as a logical next step. Some even blend roles (CTO AND CISO, for example) as a way of sliding into an adjacent leadership discipline. Some really smart security leaders are choosing to bypass the CISO title altogether, and go straight from being a security director (but not a CISO) to a CTO or CIO role, avoiding the job burnout that goes along with most CISO positions. It's not always obvious to a CEO or other hiring manager that a security leader could be a good candidate for a CIO/CTO role, so bridging that cognitive divide is a challenge for job seekers.
Find a non-operational security leadership role. This often involves moving into the sales/marketing/consulting kind of spaces. Become a security partner in a Big Four accounting firm, or a field CISO supporting a security sales team, or working as a virtual CISO (vCISO) advising customers or vendors. You won’t have a team reporting to you (usually), and there will be travel involved (typically). With today’s tight financial market, we’re seeing these jobs dry up a bit too.
Start your own security firm. Different from a security startup (more on that later), in this scenario you become your own boss, providing security consulting services to clients of your choosing. Some start vCISO companies, some simply charge for their expertise on an hourly basis. It helps to have an industry profile to make this a success.
Join or lead an industry organization. There are plenty of organizations working to improve security for everyone. ISACs, foundations, think tanks, etc. etc. Join as an executive director, or a fellow, or a consulting partner, and you can continue to share your expertise with the community. These jobs don’t pay a CISO-level compensation package, so folks who consider this are either doing it because salary is less of an issue and they’re ready to “give back”, or they’ve run out of other options (usually the former).
Become a start-up advisor. VC firms and start-ups are often looking for experienced security leaders to offer guidance. It usually doesn't stop at one appointment; people advise multiple start-ups or VC firms. It doesn't pay a lot of up-front compensation, but it could pay off in the long run if you're paid in equity and one of them becomes a unicorn.
Consider being a board director. If you can get a public board position it may come with a salary and benefits. However, getting a seat is easier said than done, and despite the SEC suggesting that boards should include cyber expertise in their membership, the board seat floodgates are not opening up.
Many people beginning their cybersecurity career aspire to be CISOs. This is terrific. But being a CISO is a terminal position. That means that once you are a CISO, there are few, if any, higher or bigger security roles to take that aren't CISO roles. C-suite members rarely see the CISO as a C-suite candidate; boards of directors think CISOs are one-trick ponies, not worthy of a full board seat; and few of the other options pay enough to meet the compensation expectations of a CISO. Aspire to be a security leader or CISO, but be careful not to pigeonhole yourself into a terminal role.
Avoiding the Pigeonhole
In 2021 April Rinne wrote an HBR article titled “Why You Should Build a ‘Career Portfolio’ (Not a ‘Career Path’)”. The audience for this piece was early- and mid-career people, but the concept applies just as easily to CISOs.
If you are (or want to be) a CISO, and always a CISO, then great. But if you think there will come a time when you are done being a CISO, start thinking about your portfolio, and networks, now. Don’t wait for your time as a CISO to be up before you start planning for what comes next.
Consider what you want your next steps to be, and start working on the skills and relationships you will need to get you there. Think of your career portfolio: what makes you you, and how will you describe it to people so you can land your next gig? How will you build personal relationships with C-suite members so you will be perceived as a C-suite candidate (not as a CISO, but as a CIO/CTO or other C-role)?
Your next gig may be a combination of things (Board member PLUS start up advisor PLUS vCISO, for example), not just a singular role. If this is the case, preparing your finances, taxes, insurance and other scaffolding in advance will help ease this transition.
Many CISOs hope to finish out their careers as CISOs. It's completely doable. Others will reach a time in their career when they need to take the next step, to a non-CISO role. Now is the time to think about what that might be. While the current sluggish conditions won't last forever, there will always be headwinds that make moving away from an operational CISO role more difficult. Know what they are, and actively plan to mitigate them.
As I start my new role as a Cybersecurity Advisor (you know, titles don’t mean much…) I will continue to think about my cybersecurity career portfolio, and what I need to actively manage my career. I hope you do, too.