10 Things To Think About Before Accepting That CISO Job
Gary Hayslip
CISO @ SoftBank Investment Advisers | Board Director | Investor | Author | Hacker | Veteran | Servant Leader | Father
Recently I published an article on how to be effective when accepting a CISO role. That article was written to share some insight into how a CISO, who has taken a new CISO position, would come into that job and proceed to fit into their new organizational culture and build their enterprise security program. As I always do when I write articles, I requested input from security professionals within our community, and several of you asked if I could provide some context on indicators that would tell me a CISO role that I was going to interview for may be wrong for me, and I need to decline the position. So the article to follow is my insights into what I have seen and experienced and what my fellow peers have shared with me in meeting with companies and interviewing for CISO positions.
Please keep in mind, not all of the following indicators are considered harmful or should cause alarm bells to go off warning you not to take an interview for a position. They are, instead, pieces of knowledge that you can use to prepare yourself for that critical interview and help you ask questions that would give you insight into whether this position would be a good fit for your continued professional growth. So with that said, let’s get started:
1. The face of the company, but no team – I have seen this several times before in both job descriptions and actual interviews. The company wants to hire a CISO, and they want the CISO to represent them to the cybersecurity community at large. So far not too bad, but then when you ask questions you find out there is no team associated with the position and they basically want you to go on a talking tour. Now there is nothing wrong with that, just realize the position is really about marketing and sales, and you will primarily be a cyber evangelist for the company. I have known CISOs who have taken jobs like this to get more experience on the business side and to do some travel. I don’t believe it’s good or bad either way; sometimes it’s good to take a break from doing enterprise security and still provide value to the business. I prefer to do both, manage a team and evangelize, but again that is just personal preference.
2. Hire you for multiple positions – You are in an interview for a CISO role, and as the discussions progress they start talking about how they will need you to not only do that job but also help with other positions. The concerns here are: will they put this in writing as part of your job, will you be evaluated on shadow positions that aren’t in the hiring description, and will you have the resources to be effective in this multi-dimensional role? My concern when I see this is that, when you honestly look at it, they are trying to have you fill several positions, which is ok if it’s temporary, but what happens later, after you are in the position, and they expect it to be the norm? Now I know several of you will say what’s wrong with helping the company out? Nothing, but if you, as the CISO, are swamped with all of this extra work they have given you – how effective are you going to be? My last say on this before we move on: I have accepted positions where I filled multiple roles, and it has been a good experience. However, if this is your situation, just know what you agree to and how you will be supported and evaluated.
3. The job description is unreasonable – I have spoken at length about this issue: the company is looking for a unicorn. They are searching for a CISO, and the job description has extensive requirements that honestly don’t pertain to the actual job. In reality, the job description is what the HR department thinks CISOs do, not what is actually needed by the company. Why I have problems with this type of advertised role is that the company almost never finds a candidate who meets their unrealistic requirements, so the position stays open for months. Plus, when we look at the job posting, nearly all of us start questioning: could we do this job? What is actually required? Does the company understand what they need? Would it be worth my time to apply and just get rejected for not meeting their fantasy requirements? I typically tell peers who are looking at positions like this to ignore them unless they like the company or know someone there who can put them face to face with a hiring manager to make their case for applying and accepting someone with more realistic qualifications. Just remember, if you are applying for one of these types of positions, make sure they really understand what they need, because you don’t want to get hired and then have to try and meet unicorn requirements. It's better to be a hard-working pony and have the support to grow your security program and provide value to the business. Before anyone asks, I consider myself to be a hard-working pony <smile>.
4. Reporting to CIO – This in itself is not bad, so no hate or rocks thrown in my direction, please! I bring this up because there are several things a prospective CISO needs to be aware of if they want to be successful in a CISO role reporting to a CIO. In my career, I have been a CIO, and I am currently a CISO. I have reported to CIOs, I have reported to other C-Suite positions, and I have been peers with CIOs. I find, with over 20 years of experience in the IT and Cybersecurity communities, that how CIOs look at the enterprise technology portfolio of an organization and supporting its business operations and strategic initiatives is very different from a CISO’s viewpoint. It’s not a good or bad thing; it’s honestly a different view of supporting the organization and how to manage and remediate risk. If the position you are applying for reports to the CIO, then some questions I would want answered are:
a. Will you have control of your budget?
b. Is the security budget about 6% - 8% of the overall IT budget? This percentage is the norm for a security budget as compared to IT; it will let you know if you are adequately funded.
c. How long has the CIO been at the company? I have found if CIOs have been there a long time, they aren’t very flexible in working with CISOs who might want to make changes, so be warned.
d. How many direct reports does the CIO have? Are you, as the CISO, going to get lost in the crowd? How effective will you be in growing your security program and advocating the importance of cybersecurity?
5. The mandatory requirement to be entirely onsite – This may be an issue for some of you applying for a position. The problem, to me, is a company's unwillingness to allow some flexibility in working location or to allow remote work. Making CISOs be on site all of the time is, I feel, old school. With the growing number of technologies that enable CISOs to communicate, collaborate and manage teams remotely, it is sad not to offer some form of remote work option. I honestly look at it as a missed opportunity for companies to hire amazing talent that is willing to travel and be flexible. Again, this may not be a problem for you, but I have known exceptional CISOs who have families or have personal requirements to live in a specific geographical area, and they get automatically rejected for positions. I will reiterate: I think this is a significant missed opportunity for businesses to access exceptional cyber talent.
6. The position calls for a specific CISO type – I am leery about job positions that request a CISO candidate be from a particular industry. Now I know there may be reasons the company requires it, so settle down everyone, because I can hear the grumbling coming from people who are in regulated industries. My point with this is that there is always a shortage of CISOs such as Financial Institution CISOs or Medical/Hospital CISOs, and job descriptions that are very narrow don’t give room for CISOs who have expertise across multiple fields. When I see a CISO job requisition that allows no room for an experienced CISO to apply without a specific industry background, that to me is a company filling a checkbox. I am a CISO, I am not a checkbox, so I would not waste my time applying for a position that has a very narrow focus. Companies can get experienced CISOs who can quickly come up to speed on their specific regulatory requirements. They can even make it part of the hiring contract. I believe being open about the requirements would give them more candidates and access to previously untapped talent.
7. Unrealistic pay for the job description – As the role of the CISO matures, compensation is one factor I believe says a lot about how a company views the value of their CISO position. The amount of work and complexity of the CISO job has increased, and more companies require their CISOs to be flexible and assist in projects and initiatives outside of the standard cybersecurity job description. I for one am ok with that; I like challenges and being required to flex and grow professionally. However, I think companies’ compensation for CISOs is still catching up with today's realities. Some of you may be ok with basic pay and compensation; it is a personal issue that you will need to weigh and decide if the position is worth it or not. I am not one for advocating large salaries, but I believe the level of responsibility and work a CISO assumes with the job should be appropriately accounted for by the hiring company.
8. Company or Industry has a bad reputation – This is a personal issue, but it is one that you should think about when interviewing for a position. If the company has a bad reputation, or the industry it operates in has a bad reputation, remember that as the CISO you represent them to the cybersecurity community. One thing I have found: the cybersecurity community is large but is also very close-knit, and one's reputation is essential. So think about that when applying for that excellent CISO job. I always research a company and its executive staff first before an interview; I want to make sure the organization is one that I would be proud to be a part of and not embarrassed by when I go to RSA or Blackhat <smile>.
9. They fired the previous CISO – This issue will make you think twice, especially if the firing was in the press due to a breach. I would be cautious about a position like this because, if the issue was a breach, you have to wonder whether the business has learned its lesson and whether the new CISO will have the resources required to be successful. If interviewing for a position like this, make sure you have executive sponsorship, and that in the interview process you meet with the executive leadership team. The CISO hired for this position will be extremely visible and expected to produce results, so you will want to make sure you are adequately equipped to do the job right and not be the next CISO handed a resume-generating event.
10. Interview process too long/too short – My final issue is one that can range across a wide area of what's acceptable and what you need to run away from, and fast. If the interview process is too short – you meet the hiring manager, and you don’t meet anyone else – that sets off alarm bells for me. As a CISO, you are in a position to impact the whole organization, and as such most companies want you to speak with several departments to make sure you are a good fit. A short interview process to me says you will not be filling a position that is important or one that is adequately supported – so time to walk away. A lengthy interview process, one where you do ten to fifteen interviews over several days and then never hear from anyone for weeks, to me speaks of bureaucracy, and you will need to decide whether you want to wait for their response. For both of these issues, I have, during the interview process, asked when a decision would be made on the hiring of the new CISO. I have used that answer to gauge whether I wanted to wait. In all honesty, I have personally waited over six weeks for a response to a position I wanted and later accepted. So again, it’s a personal issue; you will need to decide if it’s worth your time or not.
As I have previously stated, this is not an all-inclusive list. I look forward to viewing what other security professionals in our community can share with us on this topic. With that, thank you for reading this article, and I hope it has provided you some value or at least got you thinking about what you would do for your next interview. Good Luck!
***In addition to having the privilege of serving as Vice President and Chief Information Security Officer for Webroot Inc., I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2. For those of you that have asked about our books, more information can be found at https://www.cisodrg.com. Both are available on Amazon, and I hope they provide you value, enjoy!
I like the article; it covers a lot of ground. I would also add a couple of questions about the current cybersecurity program. 1. Is the budget centralized or distributed? E.g., is all the endpoint budget in another department? This will complicate decision making. 2. Describe the maturity of the current cybersecurity program. The answer should reveal the hiring organization's own view on the current program and give the new CISO a rough idea of what they will inherit.
Owner and Head Brewer of Buttzville Brewing Company
6y Great Article
10 for 10, this is the new IT or at least what corporate believes IT to be, very good.
MedLat COO | International head of IT | Intrapreneur | Entrepreneur
6y Rui Lopes