CISO: A Terminal Position

What Happens When You’re Done Being CISO

Helen Patton


A couple of months ago, my position as CISO was eliminated. The company still had a CISO (more than one, in fact), and they decided to downsize my security team, and so no longer needed a person with the title of “CISO” in that part of the business. So there I was, working out what came next (and in a hurry). The answer was not simple…


When faced with choosing the next thing after CISO, a person has a few options:

  • Find another CISO role. This is the most obvious. Once a CISO, always a CISO. Perhaps it means being a CISO in a new industry, or for a bigger (or smaller) organization, or in a new location. The essential job (running a security program to defend an organization) remains the same. Recruiters, in particular, are very comfortable sourcing CISOs for other CISO jobs. Just like people looking to get their first cybersecurity job, it’s hard to get a CISO role, but once in it, you can jump from CISO role to CISO role in a game of ever more demanding musical chairs. It’s getting a CISO role in the first place that is very challenging. Right now, even the CISO job market is pretty sluggish for people with a CISO title. There are a few positions opening up, but competition for those roles is intense, and the most senior of CISO positions are well guarded by executive recruiting firms. It’s all about who you know, and timing…
  • Find another tech leadership role. Most CISOs I know want to stay in a security leadership position, but an increasing number of folks are starting to see that the thing they love about being a security leader is being a leader first… so they’re willing to consider other technology leadership roles (CTO, CIO, etc. etc.) as a logical next step. Some even blend roles (CTO AND CISO, for example) as a way of sliding into an adjacent leadership discipline. Some really smart security leaders are choosing to bypass the CISO title altogether, and go straight from being a security director (but not a CISO) to a CTO or CIO role, avoiding the job burnout that goes along with most CISO positions. It’s not always obvious for a CEO or other hiring manager that a security leader could be a good candidate for a CIO/CTO role — so bridging that cognitive divide is a challenge for job seekers.


Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange