



A CISO’s guide to avoiding certain CISO jobs

Feb 07, 2017 | 11 mins

Some Chief Information Security Officer (CISO) jobs are unwanted security executive positions that might not be good for your career.

These are great times for cybersecurity job opportunities. If a CISO is looking for a job, the CISO is not going to have much trouble finding one, but there is a catch. We keep hearing about how many cybersecurity jobs are going unfilled and that there is a talent shortage.

What I observe and discuss with fellow CISOs is that there is a true shortage at the individual contributor level up to second-line managers. At the director to senior vice president level, the pickings are much slimmer. Every week, cybersecurity executives hear about a new CISO vacancy, but most of these CISO jobs are positions that most CISO executives wouldn't want in the first place.

For CISOs in the job market, it's important to learn why the last CISO left a company. Keeping in mind that an interview is a two-way process, the potential CISO should ask questions of the executive recruiter or HR representative that provide clues to why the previous CISO was unsuccessful. It can be tempting to assume the previous CISO was in over his head and you will be able to swoop in and do a better job, when in reality, no CISO would have been successful in the organization.

Not every situation is the CISO's fault; often it is a result of the environment. Sometimes it is being in the wrong place at the wrong time, a job situation or reporting structure that inhibited the success of the role, or just a toxic environment. For CISOs considering a job change, here are some situations to consider avoiding:

1. Use extreme caution coming into a company as the first CISO. Many "first-time CISOs" last only one year because the C-Suite had a perception of what the CISO role should be, but communicated subjective goals rather than objectives that can be measured. The C-Suite may not be sure what they want from a CISO, but it's expected that the CISO must be amazing.

Many Chiefs in the C-Suite have their vision of what the CISO should be by watching movies and TV shows that paint an image of what cybersecurity people look like, but they don't have a point of reference of how the first CISO should operate within their company. The first CISO coming out of the gate is at high risk of not lasting very long in the position because the C-Suite does not have any type of institutional baseline of what is a good or bad CISO.

The CISO that does get hired as a "first-time" CISO may be an outstanding CISO executive, but the C-Suite might not be ready to start spending a lot of money to harden the enterprise and address longstanding and systemic infrastructure issues. The C-Suite will perceive this as the CISO being difficult and conclude they don't have to be as secure as the CISO thinks they should be.

There are plenty of stories where the first CISO was reprimanded for wanting to build a world-class information security program and was forced to scale the program back to meet bare minimum compliance requirements. The tell-tale indicator is when the C-Suite starts getting complaints from users and application owners about how hard things have become since the CISO took the post.

For instance, the application owners had no prior accountability to secure and patch their systems, and they are now being told they have to be accountable and fix their applications, which is disrupting the business and causing downtime. Now the CISO is the bad person, when the application owners should have been more attentive to their systems, especially when they are paying an annual 18 percent software maintenance fee! They start to view the CISO as a police officer who is eager to hand out tickets and tell everybody what they are doing wrong.

Being a first-time CISO might be a great experience to start building a CISO career. For the more experienced CISOs, it may be wise to steer clear from first-time CISO positions as tempting as they may be. The odds are against the first-time CISO, and it may leave a resume scar hurting future employment prospects for the top-flight CISO positions at blue-chip companies.

2. As a continuation of being the first CISO, the more experienced executives know how to "sniff out" a weak CISO by using metrics against them. They know the new CISO is most likely a "techie" and doesn't want to bother with developing business metrics.

Case in point: a new CISO joins a company and learns the application servers are five years out of date on patching. The CISO tells the application owner to patch and update the systems because of the enormous risk to the enterprise. The application owner agrees to perform the patches, but warns that these are critical servers with high visibility throughout the company. The servers get patched and restarted, the critical application starts crashing unexpectedly, and a four-hour maintenance window on a late Saturday night turns into a 10-hour fiasco on Sunday because of patch rollbacks and retesting of systems.

To top off the situation, an escalation calling tree is activated because of the potential business impact on Monday morning. The application owner is going to shame the CISO by showing the executive leadership team how application downtime has increased, application stability has decreased, and the source of the problem is the CISO.

Many CISOs underestimate the power and influence of application owners; they may not get the CISO fired, but the CISO's career is now in the gutter. To counteract this problem, a CISO needs to have metrics that show the business risk of not patching and how missing patches put other critical application platforms at risk. If a CISO does not have control over relevant cybersecurity metrics, they are dead meat because they are an easy target.

3. There are several "rock-star" CISOs in the cyber industry that have had a highly successful record of accomplishment within their company. When a replacement CISO arrives, the shoes they may be filling may be extremely difficult to achieve because the former CISO set the bar so high and everybody is going to expect the new CISO to be just like the last CISO.

This is where the prior CISO's identity lives on after they have left, because it has become the baseline everyone expects from the new CISO. It may be highly desirable to take on a high-profile CISO position in a Fortune 500 corporation, but the new CISO may be unfairly judged and compared to the last CISO throughout the company. This can be a very frustrating situation, because every CISO has a unique brand and identity, yet the new CISO's identity may be robbed because he is always being compared to the prior CISO.

If a prospective CISO decides to take on the CISO "rock-star" position, one of the best ways to get respect is to recognize all the good things the previous CISO did and continue his/her cybersecurity program. Over time, the replacement CISO can slowly modify and change the cybersecurity program by bringing their own personality and security philosophy to the enterprise.

4. A category of CISO positions falls into what I call "baby-sitting" CISO jobs: positions with no real power within the enterprise, where the CISO becomes the "handler" for auditors and the person who meets "check-box" compliance. No true cybersecurity program is in place, and none will be until the C-Suite cycles through a series of chiefs.

There are a lot of these CISO jobs available, because the company can't keep a CISO around; CISOs leave the organization out of pure frustration. They constantly feel they are "window dressing" compliance requirements, and their great ideas for a good cybersecurity program are always pacified because the budget is never available. You will never be running a true cybersecurity program.

The CISO is just there for "show" when the audit companies come in and when customers want to know how their data will be "so-called" protected with minimal compliance standards. It's true when we hear that compliance is not security. Avoid the "baby-sitter" CISO jobs, because the CISO will end up firing themselves. The only exception to taking a "baby-sitting" CISO job is if it is the CISO's last job before retirement.

5. Outshining the CIO during the job interview. CISOs typically report to the CIO, but not every CIO is a strong leader. If a CISO takes a job reporting to a CIO who is not strong, the CIO will find a way to replace the CISO with a poorly fabricated excuse. It may be time to start preparing for a transition out of the company before the CIO finds an excuse to end the CISO's employment. Some CISOs who are highly skilled and politically astute can "lead from behind" and manage the boss they report to. This takes great skill and is not for the political novice. The CISO has to be very careful not to outshine their boss in "public" settings within the organization, knowing when to yield and when to hand the floor to their boss.

6. One last category of CISO position is the company that can't make up its mind. When a company has a CISO position open for greater than six months, don't waste your time because they are not serious about the CISO position and use excuses of "wanting to wait for the right person."

These are the "tire-kicker" CISO jobs. With cybersecurity changing and evolving every day, waiting six months to fill a position shows how out of touch the C-Suite is when it comes to understanding the daily threat landscape when cybersecurity is in the news every day.

This is usually a barometer of a company that does not know how to "pull the trigger" and make a decision about anything. I'm all for collaboration, but these companies tend to have a committee for just about any type of decision that needs to be made. These organizations tend to have "decision paralysis" and waste a lot of candidates' and employees' time as they make a "life or death" hiring decision for the elusive "perfect candidate" that does not exist.

Surprisingly, when I see companies go through an overly obsessive hiring process for a CISO, there is a high likelihood the CISO will not last long, because the company is focused on petty issues and details that don't matter and end up being a constant job distraction. By the time a CISO is finally hired, expectations of how perfect the CISO needs to be have been building for over six months, and their actions and decisions will always be closely scrutinized. One little misstep usually throws off the management team, because they worked so hard trying to hire the perfect candidate with an imperfect hiring process! One method to circumvent this archaic process is to approach the company as an Interim CISO so they can "try before they buy."

When you are a CISO, or if you aspire to be a CISO, you have to raise your game: learn more about the company you are working for, build executive relationships with your peers, and master the social skills needed to blend into the company. Being a CISO is not about how much you know about cybersecurity or your technical ability, but about how a CISO can build and operate, with political astuteness, a successful cybersecurity program that is bespoke to the organization.

Any CISO that is ready for a career change should take the time to dig deep into why the last CISO left and determine if they could be a good fit for the company or pass on the opportunity. Also, always ask for the budget history, audit/regulatory current status, and team history to get the full picture.

A special thanks for editorial review, feedback, and content validation from Amar Singh, CEO & Founder of UK Cyber Management Alliance and Founder of Give01Day; John MacMichael, Washington DC CISO; Jeffrey Vinson, CISO Major Houston Healthcare System; Isabelle Theisen, Americas CISO at Major NYC Bank.


Todd Bell has become an international expert and leading speaker on preventing security breaches for organizations from new start-ups to Global Fortune 500 companies. As a CIO & CISO, Todd has made a global impact safeguarding millions of consumers' information around the globe, from building new cyber programs to maturing existing ones.

Todd is also the architect & inventor of the Bell Security Enterprise Security Architecture method, which streamlines cybersecurity controls as a virtual overlay onto an existing flat network architecture without having to move any existing systems, saving thousands of dollars and accelerating data protection on a low cybersecurity budget. The method is based on a zero-trust model and is adapted to co-exist with malware in an untrusted internal corporate network.

Todd is also the creator of "What Is Your Risk Number," a method for properly assigning the cybersecurity risk ratings that vary within an enterprise, balancing business needs against proper cybersecurity controls.

The opinions expressed in this blog are those of Todd Bell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
