Security leaders chart new post-CISO career paths

The evolution and growing prominence of the CISO role gives holders more options on where to go next in their careers.


Mike Engle started on the CISO track early in his career, rising to senior vice president of information and corporate security at Lehman Brothers in the early 2000s.

Engle says he thought the professional path was a good fit, explaining that he found security technologies, such as encryption, fascinating and the cat-and-mouse aspects of the work challenging.

“I liked that thrill of putting solutions in place that stop something bad from happening,” he adds.

But Engle says he didn’t like other aspects of his position, particularly the governance and regulatory requirement tasks that intensified following the 2002 passage of the Sarbanes-Oxley Act.

He also saw the pressure on security chiefs ramping up and started to feel the drain that came with the 60-plus hour workweeks that had become the norm. “A lot of my team members went on to be CISOs at big companies, and their stress levels are pretty crazy because the threat levels have gone up so much,” he says.

Mike Engle, Co-Founder & Chief Strategy Officer, 1Kosmos

So Engle took a detour and became an entrepreneur. He started a company specializing in tracking technology, a decision based in part on his experience and interest in the technology itself. He then launched Bastille Networks and later 1Kosmos, where he’s now head of strategic planning. He’s also managing director of 1414 Ventures.

Engle acknowledges that his security expertise and his executive experience have helped him succeed but says he prefers the challenges of the startup community.

“I don’t see myself going back to being a CISO,” he says.

CISO exit ramps

Engle’s career trajectory may not be the typical path for enterprise security professionals, but a range of security experts say it’s becoming more common to see the CISO role as a way station to other jobs. Of course, many security experts still aspire to move up the enterprise security team ranks to become CISO and then move into CISO roles in increasingly larger or more complex organizations. But longtime security leaders and others in the field say a growing number of CISOs are deciding to seek a wider array of follow-on roles.

“The career path for security professionals is changing,” says Matt Aiello, a partner with executive search firm Heidrick & Struggles and leader of its global cybersecurity practice. “CISO is still going to be an endpoint [in the careers] for many, for some it will be a beginning of a different pathway.”

Heidrick & Struggles delved into this dynamic in its 2021 Global Chief Information Security Officer (CISO) Survey. It notes that the CISO is “relatively new in the context of other C-suite roles” (many sources date the role to the mid-1990s with the first titleholder being Steve Katz) and as a result “CISO career progression remains tricky.”

CISOs themselves, however, have some pathways mapped out:

  • 47% of survey respondents said they want to become board members;
  • 44%, chief security officers (a role that includes physical as well as information security);
  • 18%, entrepreneurs/consultants;
  • 16%, chief risk officers;
  • 12%, CIOs;
  • 8%, private equity officers;
  • 3%, CEOs; and
  • 2%, developers of new tools at a security firm.

Some 5% said “other,” while 3% said they preferred not to answer. Only 9% wanted to retire.

Speaking to those findings, the study authors concluded that “the wide range of next roles CISOs are interested in highlights that this is an evolving role, one where the next move isn’t clear.”

A maturing role

Others share that assessment, saying that the history of the position had to some degree limited post-CISO career moves. For example, they point out that the CISO position for many years existed under the CIO, which itself had historically fallen under other C-suite roles. And they note that the CISO role through much of its existence had been viewed as a highly technical one, with those holding the title being extremely capable technologists but not full executives. As a result, Corporate America didn’t automatically view a CISO as a candidate for other C-suite roles, board appointments, and other similarly high-level assignments.

But leaders in the security field say as security grew into a board-level concern and an issue of consumer interest and national attention, the CISO position became more critical, more prominent, and more demanding. Thus, security executives developed a broader range of skills in order to do their jobs. And that in turn opened up more career possibilities.

Gregory J. Touhill, Director

“These additional paths have opened up in the past three to five years, and that’s because of the maturity of the role and because the board’s understanding of the CISO role has dramatically improved in that time,” says Gregory J. Touhill, director of the Software Engineering Institute’s CERT Division at Carnegie Mellon University.

He adds: “As the board has prioritized cybersecurity as a business enabler, we have seen an increased recognition of the CISO’s talent and capabilities that extend well beyond technology to operational leadership.”

Making an impact

Touhill has personal insight into this evolution: He himself is a former CISO, having been appointed by former President Obama to be the U.S. government’s first CISO. He says he has selected his subsequent roles in part on “looking at where I could make the biggest difference.”

That ability to make an impact, though, is often what security executives say they like about the CISO position.

As Engle says, “Being the CISO, you’re putting services out there, you’re keeping customers secure, that’s what it’s really all about. You have to be an enabler as well as a protector. That’s what I enjoyed, trying to figure out a way for security to be an enabler in the business.”

That’s also luring CISOs to other positions, according to multiple sources.

Moving out or moving up

Aiello says he sees security executives wanting to leave their CISO roles for positions on corporate boards as well as advisory boards at startups and security vendors where they can have such an impact.

That’s the path that Simon Hodgkinson took.

Hodgkinson moved up through the IT and security ranks to become CISO at BP, serving in that position from 2017 to 2020. He now has advisory and executive roles with several organizations, including RangeForce, Reliance acsn, Semperis and Zscaler.

He says his work as a CISO prepared him for his current work.

“Being the CISO at BP provided the opportunity to work closely with the board and executive leadership to really understand the strategic business outcomes, how digital transformation was key to delivering these, and how to appropriately manage cyber security. This experience has been invaluable in the advisory/consultancy roles,” he says, adding that the perspective he gained as a CISO being “approached by thousands of companies each year, being able to share what worked/did not work in engaging the CISO is valuable experience to share with these companies.”

Aiello says he sees CISOs also moving into consulting jobs and venture capital work – with the latter particularly appealing for its wealth-building opportunities.

Others see CISOs becoming chief risk officers and chief trust officers as well as chief product officers at security vendors.

Meanwhile, Touhill says CISOs are well suited to move into a new, emerging executive role which has oversight of all security realms—cyber as well as physical and personnel-related.

Pursuing passions

Dawn Cappelli says she had a range of options available after she retired in April from the CISO job at Rockwell Automation, deciding at that time that she “was ready to come off the front lines” and leave behind the tremendous level of responsibilities that comes with being CISO.

Dawn Cappelli, Director, OT CERT at Dragos

She admits her first plan was to fully retire but rethought her objectives after a colleague convinced her that she could find something that would match what she wanted next in her life.

Cappelli says she wanted to work as a “security evangelist” yet also wanted more time for her family, which now includes two grandchildren. She found the perfect fit as the part-time director of the OT CERT at Dragos, an industry cybersecurity company.

“This just hit at my passion point,” she says, explaining that she’s responsible for launching a community resource center for industrial asset owners and operators. “It’s something I felt I could do to help society as a whole.”

Aiello says Cappelli is far from the only security exec who has rethought, or is rethinking, their retirement plans, saying that the “CISO position’s rapid ascent to the C-suite is forcing these very questions.”

Finding the right fit

Aiello and others agree that such contemplation is important, because not all possible options will work for everyone. They point out that not all enterprise security executives are developing the leadership skills and business acumen needed for some of those other positions. Meanwhile, many others aspire no further than the CISO position.

“I don’t think that CISO has to be the pinnacle, but if it is, it’s still a great place to be. It’s a place that still has great meaning,” Touhill says.

He adds: “Not every CISO wants to be a COO or a CEO. Rather, it’s all about finding the right fit and the right team and the right mission.”

Scott King worked as a CISO at Sempra Energy before becoming senior director of cybersecurity services at Rapid7, a cybersecurity vendor, in 2017—a move he says he made in part to learn more about how companies make money.

Scott King, VP and CISO, Encore Capital Group

“I wanted to learn more about how the business operates. I wanted to sit on the side of the P&L. That was really the motivation for me,” he says.

But after four years there, he took another CISO role, this time at Encore Capital Group.

“I learned what I wanted to learn about margins and profit and loss, and so I wanted to go back and apply what I learned in a security program at a company that really embraces security. That’s why I went back to being a CISO,” he explains.

King says he doesn’t think it was always so easy for CISOs to move in and out of the role but agrees it has become easier to do, providing more opportunities for security professionals while further elevating their reputation as executive leaders in the process.

“The profession had been narrowly focused: You were trying to stop bad things from happening,” he says. “But that changed, the perception has changed, and more are now able to move onto other roles if they have the willingness to do so.”

Copyright © 2022 IDG Communications, Inc.