Becoming a CISO, Part 1: Landing the Right Position

Congratulations! You’ve decided to pursue a Chief Information Security Officer (CISO) role. Now comes the hard part. How do you find the right role, get into the candidate pipeline, and ace the interview?

And how do you set yourself up for success in the first crucial months of your new role?

The final jump from senior security leader to CISO is a wider gap than I had anticipated.  Similar to other high-performance roles, it’s part science, but part art as well.  I wrote this two-part series of articles to help other aspiring security leaders navigate the progression. In this article, I’ll share some of the strategies that have worked for me and other CISOs to land their ideal opportunity.  In the second part of the series, I’ll follow up with advice on making the most of the crucial first months in the role.

Getting in the door

Your professional network is the best path to opportunity. Executive recruiters, management consultants, suppliers, vendors, and most importantly other CISOs are long-term partners in your career journey. They not only hear about executive opportunities before the general public, but their recommendations for top candidates often hold sway with hiring managers and other stakeholders in the hiring process.

A popular management maxim is “Do Fewer Things Better.” This concept applies to job applications in two ways. First, you need to find your fit in the marketplace. Start by taking an honest inventory of your strengths, weaknesses, passions, and previous experience. Think of CISO roles as lying on a two-axis graph: Technical-focus to Business-focus, and Small-cap to Large-cap company. For roles in which of these quadrants are you well qualified? To which will you bring the most passion and your best self? Consider your level of technical and business experience, your experience leading a large team and enterprise programs, and your skill in navigating corporate politics at the executive level.

Second, don’t spend your time where you aren’t differentiated from other applicants. In other words:  don’t be that person who applies to a LinkedIn advert with 800 other applicants. Either find an “in” through a colleague at the company or a friend-of-a-friend, or focus your efforts elsewhere. Understand that there are factors beyond your control, like applicant tracking systems, fatigued recruiters, and busy hiring managers. Almost all senior executives display a radical sense of ownership, so solving for these initial hurdles is a good test of your grit.

Screen time

Phone screens with recruiters are a relatively untouched topic among career advice articles, which is a disservice to job seekers given their importance. Understand that these calls are not interviews. Instead, they serve two purposes:  for the recruiter to determine whether to put you in front of the hiring manager, and for you to decide whether doing so is worth your time.

Almost never are these calls technical in nature. Instead, your main goal is to deliver a compelling, articulate case for how your experience aligns with the hiring company’s needs, and to arm the recruiter with reasons why you are the best-qualified candidate for the role.

Your winning strategy for these calls is to plan your questions in advance, or better yet, develop a template to capture relevant information. Recruiters offer a wealth of information that can propel you ahead in the interviews: insight into the company culture, the hiring manager’s personality, the team size, and scope of your concern. Plan to obtain basics like title, salary range, and policies for in-office and remote work.

The most common misstep at this stage is to lead with unrealistic salary expectations or very specific questions around benefits. This isn’t a time for negotiation, it’s a time for first impressions, and you don’t want yours to over-emphasize money and time off.  Get a feel for whether the salary range is in the neighborhood of your requirements and then focus on being the top candidate. Otherwise, you’ll haggle yourself out of an interview.

Candidate number one

You’ve passed the phone screen and secured interviews. Now, how do you come out on top?

The first step is to realize that the game has changed. Technical acumen, leadership skills, and the ability to plan and execute large initiatives are all table stakes. Strong executives have exceptional interpersonal and critical thinking skills, which blend together into the essential trait called executive presence. A solid foundation in finance enables you to effectively run your organization and speak the common language of the C-suite. Given the close nexus between legal and security, prior experience working with internal and external counsel on cybersecurity and privacy matters will boost your candidacy. And be sure to highlight any experience working with internal or external auditors and presenting to the board of directors.

First and foremost, a CISO is a business leader: a team player whose ultimate goal is to help the company win. The core of your preparation will be to learn the company – how it generates revenue, how effectively revenue flows through to profit, opportunities and challenges, and key industry trends. Recent earnings calls and annual reports are your main tools. Prepare a few thoughtful ideas on how Information Security might partner with other departments to accelerate tailwinds or offset headwinds facing the company. Be ready with examples where you’ve successfully done this in the past.

Preparing for the business aspects of your interview does not diminish the need to prepare for the technical and security side. Again, research makes the difference. What are the company’s “crown jewels”? Customer data? Financial information? Is the company heavily cloud-based? Make reasonable assumptions about what matters to the company and be prepared to speak to the most relevant threats and countermeasures. The best interviews with senior executives and board members engage their curiosity about cybersecurity and become a collaborative exchange of ideas.

A crucial point:  not only do the interview topics, evaluation criteria, and relative emphases change, you must be especially mindful of your audience for these interviews. In addition to the CIO, CTO, and other technologists, you’ll likely meet with the CEO, CFO, COO, General Counsel, and/or members of the Board of Directors. Gather intelligence by asking the recruiter for the names and positions of people who’ll be interviewing you. Prepare for each interview separately; begin by looking up your interviewer online and listing out topics that may be of mutual interest.

Closing the deal

Negotiating your job offer presents a new set of opportunities and potential pitfalls. The best candidates and companies see the offer phase as the final opportunity to evaluate each other’s character and values. Candidates should have their compensation targets and negotiation ranges ready in advance; these should be reasonable and aligned with publicly available CISO compensation studies. Expect the hiring company to leverage their recruiting agency and/or those same compensation studies to ensure their offer is attractive. When there’s a mismatch between the parties’ compensation expectations, be ready to provide copies of those reports or another credible basis for your requests.

Taking a new job is like getting married. Neither the company nor the candidate can know the full extent of the other party’s strengths and weaknesses at the outset. Ultimately, each party is making an informed decision to trust the other. The key factors are the character and personality of the candidate, the hiring manager, and the company. The core of a successful relationship is a good faith attitude and willingness to bring your best effort every day. Fortunately for both parties, attitude is a testable trait and emerges during the interview process.

And just like that, the completion of one challenging test leads to the beginning of another more challenging test – ramping up and thriving in your new role. In the second part of this series, I’ll cover strategies to help you succeed in your first 90 days.