Career Options Post CISO

Thank you to Lee Vorthman for sharing his blogs in our knowledge base.

Visit 370 Security Blog

Last year was a busy year for CISOs. Increased regulation from the SEC and other entities are raising the stakes for companies and CISOs. 2023 demonstrated that regulators and law enforcement are not only going to hold companies accountable for incidents and breaches, but they will also pursue accountability against individual CISOs. The CISO role is at an inflection point created by new technologies, increases in regulation and unprecedented personal risk. Given the high stakes of the role I think we are going to see an exodus in the number of people who are willing to shoulder the burden and personal liability of this role. Which begs the question: what are the options for someone after serving in a CISO role?

Serving On A Board

Serving on a board seems like a popular choice lately and now that the SEC has mandated cybersecurity experience on the board I think companies will look to increase their board membership with former CSOs and CISOs. The challenge with serving on a board is finding one that can compensate you sufficiently. I’ve served on several boards over the past 15 years and the compensation will depend on the company size and maturity. Start ups are typically able to offer compensation in the form of equity in the company, but this may turn out to be worthless if the company doesn’t make it. Big company board positions are few and far between, but will pay the best. My advice for CISOs looking to transition into a paying board position is to serve on a board or several boards in your spare time and then transition to become a full time, paid, board member if and when the company can support it.

Advisory CISO / CISO In Residence

One way to “float” between a CISO role and a board member role is to get connected with a Private Equity (PE) or venture Capital (VC) company as an Advisory CISO or CISO In Residence. These roles help the PE and VC companies evaluate potential investments and then help guide the companies to success. If you are an Advisory CISO you can evaluate the companies and if you see one you think has real potential you can choose to be their CISO or serve on their board. Advisory CISOs are not only compensated by the PE / VC company, but they “consult” to the investment companies on a periodic basis and sometimes they are offered the opportunity to invest in the companies they are advising. Not a bad gig.

Consultant

One of the most common post C-Level career paths is to become a consultant. If you are well connected, are in a critical industry or are just great with people, this can be a viable career option. The experience you have built up over your career still has value and companies will pay you handsomely for your time to help advise them. If you work for a company that is unwilling to protect you if you are sued then this may be a way to continue in a CISO capacity, but without the personal risk. I’ve known people who have quit their current role out of frustration and when the company realizes the expertise they are about to lose they hire the person back as a consultant.

Field CISO

Field CISOs are fancy titles for people that are in sales or pre-sales. They typically have a specific region they are assigned and they use the Field CISO title to establish executive relationships with other CISOs and C-Suite members to help sell products and services. Field CISOs typically have extensive industry experience in a particular vertical and then they use that expertise to help tailor solutions to their customers.

Title Change (But Still Security)

Another option post CISO role is to get a title change, but still work in a security related role. This could be something like a Chief Trust Officer or Chief Risk Officer. These roles can offer more flexibility to have a positive impact on the business because they aren’t constrained by the same expectations as a CISO role. At the end of they day you are still a C-Level security executive and can continue to advance your career towards your goals.

Role Change (Not Security)

CISOs are one of the few roles that touch every aspect of the business. As a result, CISOs are well versed in a lot of different business disciplines and it would be easy for a CISO to transition to a CTO, CIO, engineering executive or product executive. For example, a CISO who is looking to exit the role may look to join a security focused startup as their CTO. Their deep industry experience and past credentials will provide credibility and allow them to continue working in the security space in a different capacity. Eventually, they can even hire a CISO to report to them and have oversight over the security function.

Start A Company

CISOs are also well positioned to see gaps in the industry where a solution hasn’t been developed. Lots of well known companies have been formed by former security executives who have left their role to start a company to develop a security related product or service. Starting a company doesn’t mean you have to develop a new technology. You could also start a consulting company, a training company or a staffing company. If you are sitting on a great idea then this is a viable option for you.

Double Down

Lastly, if you enjoy the CISO role, but don’t feel supported or protected by your current company, then find a new CISO role that gives you the support and protection you seek. Part of the interview process for your new role should include questions about who the role reports to, what is the expected budget and headcount, will the role be included in the D&O Policy, what happens if you are personally sued, what is the severance package and how will success be measured? These should all be table stakes for any company looking to hire or retain a CISO and satisfying these requirements will go a long way to making your CISO feel comfortable that you have their back and won’t treat them as a scapegoat.