


by Doug Drinkwater

How CISOs find their perfect job

Apr 25, 2017 · 7 mins


It’s a good time to be a CISO. In a market where analysts say there are over 1 million unfilled job openings, and with demand expected to rise to 6 million globally by 2019, according to the Palo Alto Research Center, other opportunities are sure to follow if you do a good job.

Indeed, such is the market that, as we reported last year, even poorly performing CISOs dismissed from previous jobs get handed new opportunities time and time again.

The average CISO lasts approximately 17 months, and significantly less for heads of information security at firms that have been breached. Given the volatility of the job market, it’s no coincidence that many CISOs have jumped from permanent roles to CISO-as-a-service opportunities.

Darren Argyle, recently appointed CISO at Australian airline Qantas and formerly of both IBM and Symantec, knows what differentiates the good from the bad.

“An attractive CISO role is one that has a mandate from the board, with a commitment to benchmark and mature the capability,” he told CSO Online. “[The CISO also needs] clear accountability for overall strategy, program transformation and associated budget dedicated to cyber-security. [You also need] recognition from the executive that information security is a business problem.”

Andrew Hay, former CISO at storage start-up DataGravity and director of research at OpenDNS, says: “I’m a builder, so a CISO role that lets me create or grow a security program is far more important to me than a higher salary and the babysitting of an existing program. Personally, I need to be stimulated and busy to add the most value to a business.”

Quentyn Taylor also knows a good job when he sees one – after all, the Canon EMEA director of information security has been in his for over 15 years.

“A good long term CISO job is one that is varied and interesting — too many CISO roles seem to focus on going into a brownfields site and fixing it.

“This forgets that there are two different role profiles here; a short term problem-fixer and a long term role developer. The ideal job shouldn’t be exclusively either but a mix of the two. Provision should also be made that the CISO should be able to mold the role into what they think is required (within reason) — too many roles seem to be pure reactive roles.

“The ideal long-term sustainable role is one where the CISO can make the role their own, be part of the business and help the organization grow in harmony with infosec.”

Avoiding the bad job

For all of this, there’s no doubting that there are plenty of ‘bad’ CISO jobs out there too. As some CISOs describe, you need to watch out for “babysitting” CISO jobs, first-ever CISO jobs with little support from the business, and those jobs with weak CIOs (indeed, some would say you want to avoid jobs where you report to the CIO anyway, although there are ways of working better together with CIOs).

Some say you also need to be wary of the skills required as the CISO role shifts away from purely operational work, deploying and managing security solutions and policies, towards liaising more closely with senior management on baking in security as a strategic enabler. Some have warned of breached firms, but this can actually work to your benefit: the first-ever CISO at UK broadband provider TalkTalk has reported being given “free rein” to tighten up security following the firm’s data breach in 2015.

“I’ve seen an increasing number of CISO roles, especially at vendor companies, that are CISO in title only,” warns Hay. “This is often a marketing or business development role where the CISO title is used as collateral for opening doors to prospects, existing customers, press outlets, and conferences. Make sure you know what the role actually is and go in with your eyes open.”

Finding a good job can be difficult. A glance at LinkedIn and you’ll find some security professionals discussing the limitations of recruiters, shall we say, from putting forward poor job opportunities to not truly understanding the applicant’s background or level of expertise.

Karla Jobling, CEO of UK-based cyber-security recruitment agency BeecherMadden, says CISOs should “consider what excites you in a role and weigh that up against the opportunity”.

“There are more roles available now where you will not be the first CISO in place; for many this stage is exciting while some still want a greenfield site.

“Be careful of the roles where the brief does not seem clear. This is typically a sign of a company that is not sure about what they want. This is going to make it harder to succeed, or at best, it will be a long recruitment process where you need to be involved in refining the job description.”

Working with recruiters

So, how should CISOs work with recruiters?

“CISOs need to be selective in their recruiter, ideally using a specialist in the sector, and then working discreetly with just one or two,” says Jobling. “CISOs are in demand, and recruiters are aware that you receive many approaches daily. However, sending a stock response to all of them isn’t going to get you very far.

“You get out of this relationship what you put in so take time to meet your chosen recruiter and work closely with them on your target employers.”

Argyle adds: “Take the calls from recruiters, you’ll need them one day, you’ll quickly weed out the good and bad. Be clear with them about what you’re looking for in terms of location of work and salary expectations, regardless of what you may already be on.”

Hay agrees, adding CISOs must look at the wider picture: “Make it clear the type of role you’re looking for. Also, never settle for a role based on compensation or title. You need to find the job that best fits your career aspirations and individual needs.”

Finding the right job? Decide what’s most important

Hay believes CISOs can find the best job by taking it back to the basics.

“I know it might sound trite, but I always tell people to figure out what it is they want to ‘be when they grow up’. Do you want to build? Do you want to maintain? Is being locked away in an office better for you or would you rather be a traveling CISO?

“Also, something that is often overlooked, is asking ‘What’s best for me, my family, and my work/life balance?’ Pick what works best for you and the ones you care about.”

“Firstly, get a mentor, then start making your personal brand shine by sharpening up your CV or LinkedIn, ask for recommendations, write articles you’re passionate about,” says Argyle. “Ask around for the good head-hunters and gauge the market.”

And in terms of getting that dream job, Jobling says that CISOs need to, much like their CIO counterparts, demonstrate embedding technology into business objectives.

“Make sure you are focused on building relationships with the business and making cyber into a business issue. This is especially important for the top-paying roles at the moment.

“If you have ideas on how cyber can be involved with sales or customers, get this across. Also, ask a lot of questions about the role and expectations — cyber is still new for companies, even if you are not their first CISO. You need to make sure that the role is shaped exactly how you expect, and how you want it to be.”
