Evaluating a CISO Job: What to watch out for — positive and negative
Like most Chief Information Security Officers (CISOs), I’m often approached by recruiters, inviting me to participate in a candidate pool for another CISO role. Also, like most CISOs, I often agree to at least have a preliminary conversation, because it might be a good opportunity for me, and if not, I might be able to refer someone who would be a viable candidate.
As a result, I’ve spoken to a fair number of recruiters about potential CISO jobs, and I’ve learned to pretty quickly identify if the job is of any interest at all. Of course, what is interesting to me is unique to my situation, as it is for any potential job seeker. However, I think there are some things that all potential recruits should watch for — so you can make a clear eyed decision whether to take the job, or not.
What’s in a Name?
Sometimes, the job is Chief Information Security Officer. Sometimes, it’s (Senior) Director of Security. It might be some variation of Technology Risk Officer, or Business Information Security Officer, or something with Cyber Security in the title. What is true about all of these titles, is they can give you a clue about how the hiring company thinks about what the role is. A company that is looking for an “IT Security Director” is assuming that tools and technology are the answer to the problem. Someone looking for a “Cyber Security Executive”, is probably heavily invested in technology defense as a primary control. Alternatively, a company looking for a “Business InfoSec Officer” is probably looking for someone heavy on controls, regulations and processes.
None of these things are inherently bad or good — no judgement here. They are, however, a great place to start to know if this company can be a good fit with your skills, and with your Security philosophy. If you see yourself as a technical engineer at heart, continuing as a BISO may not be the best path for you to be on.
Who’s The Boss?
If you can get your hands on a position description, you should look to determine who the boss will be. Reporting to the CIO? The CFO? Legal? The CEO? More than one?
There has long been a debate in the Security profession about who the CISO should report to. I’m of the opinion that there is no right answer, other than to say the best place to report is where you’ll be supported, and where you can be effective.
Regardless, the reporting line is an important piece of information for a candidate to consider. If you’re too far down an organization, you’ll need to ask lots of questions about how you’ll get face time with Senior leadership and/or the Board. If you’re reporting to a person who’s regular job puts them at odds with the Security function (can you say Finance, most of the time?), you’ll need to dig further. If the CISO is reporting to a CIO, you should be asking about how independence will be maintained when a CISO needs to counter a CIO decision. More than one boss? How do those two roles relate, and what are the motivations of each of them?
Show Me The Money
Not the benefits package — that comes later. No, this is about knowing how much the Security budget is, and how that compares to the overall revenue of the organization and/or the IT budget. You’ll need to do your homework to know what a good figure would be — it varies by industry and location. Don’t expect the recruiter to know the answer to this — they’ll likely have to get back to you. But if the company cannot answer this question, along with a detailed list of the functions included in Security, and what is not, then consider this a red flag.
Who is the Recruiter anyway?
There are some recruiting firms who specialize in Security recruiting positions, and then there are the others. If the hiring firm doesn’t choose a firm that specializes in Security, expect that the process will likely be longer, and more disorganized, than you might like. Having a recruiter that does general technology isn’t a great thing either. Typically, you realize the problem with this approach when they underestimate the salary packages, and give less than optimal advice to the hiring company regarding skills and experience.
The good news for minority candidates is that companies are acknowledging the benefits of a diverse workforce, and are reaching out. The downside is that companies and recruiters are often looking for minority candidates without giving thought to whether their company culture supports minority/gender success.
I ask recruiters why they are inviting me to apply. Sometimes, I get a lovely story about how qualified I am for the role. Often, I get that followed by “and we really need female candidates in the pool.” I immediately have a negative reaction to this (although I appreciate their honesty). First, it may mean that they are currently not too diverse, and their standard hiring processes aren’t generating a diverse pool. Second, I worry that I’m being set up to be the token female. I appreciate the difficult position that recruiters are in when this occurs — but I’m the one who has to live the job after the hiring is done.
So, if you are the “token fill-in-the-blank”, look into it, and make an informed decision whether you have the energy to work in a company that will likely demand more of you than people in other groups.
Blazing a New Trail
Has the hiring company ever had a CISO before? I don’t mean a “head of security” (who often is a tech person homegrown into a security role), I mean a CISO who expects to be included in company strategy meetings, who is conversant with lawyers (internal and external), and who does more than running a SOC?
If the answer to the question is No, this can be a great opportunity for someone who really likes a challenge, who wants to be a change agent, and who isn’t so concerned with job security. If the answer is Yes, and you’re not the first CISO they’ve ever had, take a good hard look at the style of the previous CISO, and decide if you could be a good successor to that role. Again, there is no right answer to this, but it is absolutely something to investigate.
Who Else Is There?
Job postings can be a bit misleading sometimes. Often, they’ll use a title like “CISO”, and then when you discuss it further you find that you are a sub-division CISO, or one CISO among many, and there may be another uber-CISO who is really in charge of all the Security strategies and decisions.
Sometimes, this can be a great thing, particularly if you’re a new CISO. The community of other CISOs can be a valuable learning pool, and there is definitely safety in numbers. Other times, this can be a bit of a downer, when you’re looking for the job where you get to set strategy and you find that you have more organizational structure to deal with than you would like. So, don’t forget to ask…
Whether a recruiter plucks you from your current job unasked, or whether you are actively looking for a CISO job, it’s most important that you find a role where you can be successful.
Success looks different to everyone, and there is no right answer. Regardless, a candidate owes it to everyone involved in the process, particularly themselves, to get as much information about a potential job as they can. The CISO role is, even now, not well understood by recruiters, or company leaders, or even CISOs themselves — so there is a lot of variability in the available jobs.
Start by knowing what you want in a new job — a chance at a CISO title? a role in a new industry? a role reporting to a CEO instead of a CIO? a rest? Once you know what you want, be prepared to wait until you find it.
It will be worth the wait.