Home » Security Leadership » Career/Staffing

Career Advisor: The Top Five Reasons CSO Candidates Don't Get Hired

Stuck one level below the CSO? A security recruiter shares the top mistakes job candidates make when they try to move up.

January 07, 2008 — CSO — You worked hard, finished one or more college degrees and maybe even earned multiple security certifications. In your mind, you now qualify to lead the charge on the most technically challenging security issues any industry can place in your path. But wait, you’re stuck at a professional level that is less than your dream job.

How did this happen? You probably have been paying too much attention to technical skills, and have not put enough focus on your interpersonal and business skills. In working with my clients to recruit C-level security executives, I find that security candidates often tend to come up short for one of the following reasons.

1. Poorly Written Resumes
Think of your resume as a technical writing project. Your resume, cover letter and any other correspondence you share with a prospective employer or recruiter are all chances to demonstrate that you have strong writing skills. Overall, many technology and information-security professionals place too much emphasis on filling their resumes with laundry lists of technology buzzwords and lists of certifications. Although you might think that earning multiple certifications looks good on your resume, employers tell me that certifications don’t mean much unless there is quantifiable and measurable evidence that backs up that expertise.

2. Inadequate Communication Skills
If you’re serious about becoming a security executive, your verbal and written communication skills have to be at least as polished as your technical skills. As more and more regulations are created to drive security and risk management, security professionals must develop sales skills, diplomacy skills, negotiation skills and exceptional presentation skills. Security executives become their company’s voice to outside auditors, regulators and business partners. Security leaders need discipline to know what to say, when and how to say it, and when to say nothing at all.

3. Under-developed Understanding of Business Needs
Only three to five years ago, the business of security was driven by security technology. In today’s market, security executives still need to have appropriate credentials such as the CISSP, CPP and/or CISA designation, but more importantly, they need to understand business, security and risk management. A security executive must be able to identify, quantify and measure risk. Business owners will embrace a security leader much more quickly when they’re convinced that the security executive is there to enable their business to do business, and not to keep the business from performing.

4. Fabricated or Exaggerated Skills on a Resume
I remember one recent candidate who