These are great times for cybersecurity job opportunities. If a CISO is looking for a job, the CISO is not going to have much trouble -- but there is a catch. We keep hearing about how many cybersecurity jobs are going unfilled and that there is a talent shortage.

What is being observed and discussed among fellow CISOs is that there is a true shortage at the individual contributor level up to second-line managers. At the director to senior vice president positions, the pickings are much slimmer. Every week, cybersecurity executives hear about a new CISO vacancy, but most of these CISO jobs are positions that most CISO executives wouldn’t want in the first place.

For CISOs in the job market, it’s important to learn why the last CISO left a company. Keeping in mind that an interview is a two-way process, the potential CISO should ask questions of the executive recruiter or HR representative that provide clues to why the previous CISO was unsuccessful. It can be tempting to assume the previous CISO was in over his head and you will be able to swoop in and do a better job, when in reality no CISO would have been successful in the organization.

Not every situation is the CISO’s fault; some are instead a result of the environment. Sometimes it is being at the wrong place at the wrong time, a wrong job situation or reporting structure that inhibited the success of the role, or just a toxic environment. For CISOs considering a job change, here are some issues to possibly avoid:

1. Use extreme caution coming into a company as the first CISO. There are many “first-time CISOs” that last only one year because the C-Suite had a perception of what the CISO role should be, but communicated subjective goals rather than objectives that can be measured. The C-Suite may not be sure what they want from a CISO, but it’s expected that the CISO must be amazing.

Many Chiefs in the C-Suite have their vision of what the CISO should be from watching movies and TV shows that paint an image of what cybersecurity people look like, but they don’t have a point of reference for how the first CISO should operate within their company. The first CISO coming out of the gate is at high risk of not lasting very long in the position because the C-Suite does not have any type of institutional baseline of what is a good or bad CISO.

The CISO that does get hired as a “first-time” CISO may be an outstanding CISO executive, but the C-Suite might not be ready to start spending a lot of money to harden the enterprise and address longstanding and systemic infrastructure issues. The C-Suite will perceive this as the CISO being difficult and conclude they don’t have to be as secure as the CISO thinks they should be.

There are plenty of stories where the first CISO was reprimanded for wanting to build a world-class information security program and was forced to scale the program back to meet bare minimum compliance requirements. The tell-tale indicator is when the C-Suite is getting complaints from users and application owners about how hard things have become since the CISO took the post.

For instance, the application owners had no prior accountability to secure and patch their systems, and they are now being told they have to be accountable and fix their applications, and it’s disrupting the business and causing downtime. Now the CISO is the bad person, when the application owners should have been more attentive to their systems, especially when they are paying an annual 18 percent software maintenance fee! They start to view the CISO as a police officer that is eager to hand out tickets and tell everybody what they are doing wrong.

Being a first-time CISO might be a great experience to start building a CISO career. For the more experienced CISOs, it may be wise to steer clear of first-time CISO positions, as tempting as they may be. The odds are against the first-time CISO, and it may leave a resume scar hurting future employment prospects for the top-flight CISO positions at blue-chip companies.

2. As a continuation of being the first CISO, the more experienced executives know how to “sniff out” a weak CISO by using metrics against them. They know the new CISO is most likely a “techie” and doesn’t want to bother with developing business metrics.

Case in point: a new CISO joins a company and learns application servers are five years out of date for patching. The CISO tells the application owner to patch and update systems because of the enormous risk to the enterprise. The application owner agrees to perform lots of patches, but gives a warning that these are critical servers that have high visibility throughout the company. The servers get patched and restarted, the critical application starts crashing unexpectedly, and a four-hour maintenance window on a late Saturday night turns into a 10-hour fiasco on Sunday because of the rollbacks of patches and retesting of systems.

To top off the situation, an escalation calling tree is activated because of the potential business impact on Monday morning. The application owner is going to shame the CISO by showing the executive leadership team how application downtime has increased, application stability has decreased, and the source of the problem is the CISO.

Many CISOs underestimate the power and influence of application owners: they may not get the CISO fired, but the CISO’s career is now in the gutter. To counteract this problem, a CISO needs to have metrics to show the business risk of not patching, and how missing patches put other critical application platforms at risk. If a CISO does not have control over relevant cybersecurity metrics, they are dead meat because they are an easy target.

3. There are several “rock-star” CISOs in the cyber industry that have had a highly successful record of accomplishment within their company. When a replacement CISO arrives, the shoes they are filling may be extremely difficult to fill because the former CISO set the bar so high and everybody is going to expect the new CISO to be just like the last CISO.

This is where the prior CISO’s identity lives on after they have left, because it has become the baseline everyone comes to expect from the new CISO. It may be highly desirable to take on a high-profile CISO position in a Fortune 500 corporation, but the new CISO may be unfairly judged and compared to the last CISO throughout the company. This can be a very frustrating situation, because every CISO has a unique brand and identity—yet the CISO’s identity may be robbed because he is always being compared to the prior CISO.

If a prospective CISO decides to take on the “rock-star” CISO position, one of the best ways to get respect is to recognize all the good things the previous CISO did and continue his/her cybersecurity program. Over time, the replacement CISO can slowly modify and change the cybersecurity program by bringing their own personality and security philosophy to the enterprise.

4. A category of CISO positions fall into what I call “baby-sitting” CISO jobs that don’t have any real power within the enterprise; the CISO instead becomes the “handler” for auditors and for meeting “check-box” compliance. No true cybersecurity program is in place and never will be until the C-Suite cycles through a series of chiefs.

There are a lot of these CISO jobs available, because the company can’t keep a CISO around; they leave the organization out of pure frustration. These CISOs constantly feel they are always “window dressing” compliance requirements, and their great ideas for a good cybersecurity program are always pacified because the budget is never available. You will never be running a true cybersecurity program.

The CISO is just there for “show” when the audit companies come in and when customers want to know how their data will be “so-called” protected with minimal compliance standards. It’s true when we hear that compliance is not security. Avoid the “baby-sitter” CISO jobs, because the CISO will end up firing themselves. The only exception to taking the “baby-sitting” CISO job is if this is the CISO’s last job before retirement.

5. Outshining the CIO during the job interview. CISOs typically report into the CIO, but not every CIO is a strong leader. If a CISO takes a job reporting into a CIO who is not strong, the CIO will find a way to replace the CISO with a poorly fabricated excuse. It may be time to start preparing for a transition out of the company before the CIO finds an excuse to end the CISO’s employment. Some CISOs who are highly skilled and politically astute can “lead from behind” and manage the boss they report in to. This takes great skill and is not for the political novice. The CISO has to be very careful not to outshine their boss in “public” settings within the organization, by knowing when to yield and when to transition power to their boss.

6. One last category of CISO position is the company that can’t make up its mind. When a company has had a CISO position open for more than six months, don’t waste your time, because they are not serious about the CISO position and use excuses of “wanting to wait for the right person.”

These are the “tire-kicker” CISO jobs. With cybersecurity changing and evolving every day, waiting six months to fill a position shows how out of touch the C-Suite is when it comes to understanding the daily threat landscape, even as cybersecurity is in the news every day.

This is usually a barometer of a company that does not know how to “pull the trigger” and make a decision on anything. I’m all for collaboration, but these companies tend to have a committee for just about any type of decision that needs to be made. These organizations tend to have “decision paralysis” and waste a lot of job candidates’ and employees’ time as they make a “life or death” hiring decision for the elusive “perfect candidate” that does not exist.

Surprisingly, when I see companies go through an overly obsessive hiring process for a CISO, there is a high likelihood the CISO may not last long, because the company is focused on petty issues and details that don’t matter and end up being a constant job distraction. When a CISO is finally hired, the CISO job expectations have been building for over six months about how perfect the CISO needs to be, and their actions and decisions will always be closely scrutinized. One little misstep usually throws off the management team because they worked so hard trying to hire the perfect candidate with an imperfect hiring process! One method to circumvent this archaic process is to approach the company as an Interim CISO so they can “try before they buy.”

When you are a CISO or if you aspire to be a CISO, you have to raise your game to learn more about the company you are working for, interface and build executive relationships with your peers, and master your social skills to blend into the company. Being a CISO is not about how much you know about cybersecurity and technical ability, but about how a CISO can build and operate a successful cybersecurity program that is bespoke to the organization, with political astuteness.

Any CISO that is ready for a career change should take the time to dig deep into why the last CISO left and determine if they could be a good fit for the company or should pass on the opportunity. Also, always ask for the budget history, current audit/regulatory status, and team history to get the full picture.

A special thanks for editorial review, feedback, and content validation from Amar Singh, CEO & Founder of UK Cyber Management Alliance and Founder of Give01Day; John MacMichael, Washington DC CISO; Jeffrey Vinson, CISO of a Major Houston Healthcare System; Isabelle Theisen, Americas CISO at a Major NYC Bank.