Career Options Post CISO

Last year was a busy year for CISOs. Increased regulation from the SEC and other entities is raising the stakes for companies and CISOs. 2023 demonstrated that regulators and law enforcement are not only going to hold companies accountable for incidents and breaches, but they will also pursue accountability against individual CISOs. The CISO role is at an inflection point created by new technologies, increases in regulation and unprecedented personal risk. Given the high stakes of the role I think we are going to see an exodus in the number of people who are willing to shoulder the burden and personal liability of this role. Which raises the question: what are the options for someone after serving in a CISO role?

Serving On A Board

Serving on a board seems like a popular choice lately and now that the SEC has mandated cybersecurity experience on the board I think companies will look to increase their board membership with former CSOs and CISOs. The challenge with serving on a board is finding one that can compensate you sufficiently. I’ve served on several boards over the past 15 years and the compensation will depend on the company size and maturity. Startups are typically able to offer compensation in the form of equity in the company, but this may turn out to be worthless if the company doesn’t make it. Big company board positions are few and far between, but will pay the best. My advice for CISOs looking to transition into a paying board position is to serve on a board or several boards in your spare time and then transition to become a full-time, paid board member if and when the company can support it.

Advisory CISO / CISO In Residence

One way to “float” between a CISO role and a board member role is to get connected with a Private Equity (PE) or Venture Capital (VC) company as an Advisory CISO or CISO In Residence. These roles help the PE and VC companies evaluate potential investments and then help guide the companies to success. If you are an Advisory CISO you can evaluate the companies and if you see one you think has real potential you can choose to be their CISO or serve on their board. Advisory CISOs are not only compensated by the PE / VC company, but they “consult” to the investment companies on a periodic basis and sometimes they are offered the opportunity to invest in the companies they are advising. Not a bad gig.

Consultant

One of the most common post C-Level career paths is to become a consultant. If you are well connected, are in a critical industry or are just great with people, this can be a viable career option. The experience you have built up over your career still has value and companies will pay you handsomely for your time to help advise them. If you work for a company that is unwilling to protect you if you are sued then this may be a way to continue in a CISO capacity, but without the personal risk. I’ve known people who have quit their current role out of frustration and when the company realizes the expertise they are about to lose they hire the person back as a consultant.

Field CISO

Field CISOs are fancy titles for people who are in sales or pre-sales. They typically have a specific region they are assigned and they use the Field CISO title to establish executive relationships with other CISOs and C-Suite members to help sell products and services. Field CISOs typically have extensive industry experience in a particular vertical and then they use that expertise to help tailor solutions to their customers.

Title Change (But Still Security)

Another option post CISO role is to get a title change, but still work in a security related role. This could be something like a Chief Trust Officer or Chief Risk Officer. These roles can offer more flexibility to have a positive impact on the business because they aren’t constrained by the same expectations as a CISO role. At the end of the day you are still a C-Level security executive and can continue to advance your career towards your goals.

Role Change (Not Security)

CISOs are one of the few roles that touch every aspect of the business. As a result, CISOs are well versed in a lot of different business disciplines and it would be easy for a CISO to transition to a CTO, CIO, engineering executive or product executive. For example, a CISO who is looking to exit the role may look to join a security focused startup as their CTO. Their deep industry experience and past credentials will provide credibility and allow them to continue working in the security space in a different capacity. Eventually, they can even hire a CISO to report to them and have oversight over the security function.

Start A Company

CISOs are also well positioned to see gaps in the industry where a solution hasn’t been developed. Lots of well known companies have been formed by former security executives who have left their role to start a company to develop a security related product or service. Starting a company doesn’t mean you have to develop a new technology. You could also start a consulting company, a training company or a staffing company. If you are sitting on a great idea then this is a viable option for you.

Double Down

Lastly, if you enjoy the CISO role, but don’t feel supported or protected by your current company, then find a new CISO role that gives you the support and protection you seek. Part of the interview process for your new role should include questions about who the role reports to, what is the expected budget and headcount, will the role be included in the D&O Policy, what happens if you are personally sued, what is the severance package and how will success be measured? These should all be table stakes for any company looking to hire or retain a CISO and satisfying these requirements will go a long way to making your CISO feel comfortable that you have their back and won’t treat them as a scapegoat.

The Different States Of A Security Program

It may be obvious, but every company that has a security program is in a different state of maturity. As a CSO, it is important to recognize and understand what these different states mean in terms of where your energy will be applied. If you are interviewing or hiring into a company, it is critically important to understand what state the security program is in so you can determine if the opportunity is right for you and to ultimately maximize your impact in the role.

The Different States

In general, a security program can be in one of three different states:

  • New / Building
  • Existing / Incremental
  • Shrinking / Decline

New / Building

A security program that is new typically comes along with new companies, startups or possibly new business units that are acquired. However, a company may also be establishing a new program if they are found deficient during an audit or if they suffered a security breach. In this state the CSO (or security leader) needs to establish a program from scratch, which will include mapping risks, developing a budget and establishing funding, recommending tools, evangelizing security best practices and hiring a team. There will be a lot of focus on foundational aspects of security like asset inventory, reporting and initial risk baselines for the organization. Your team will also go after initial program certifications like ISO 27001, SOC or other compliance activities. You may even need to establish new processes and ways of working.

Here are some good questions to ask to determine if a program is in the new / building state:

  • Who is performing the function of security today?
  • What goals does the organization have in the first year and three years from now?
  • What is the expected annual budget?
  • How much headcount do you expect for the security team in the first year?
  • Where does your company operate and do you expect to have security resources in those geographic regions?
  • What security tooling is in place today (if any)?
  • Does the company have any existing compliance certifications (like SOC, ISO, etc.)?
  • Why is the company focusing on hiring a security leader and building a security program? Did this come about due to a security incident or other security event like a failed audit?
  • What industries does the company do business in? E.g. finance, government, healthcare, etc.

In my experience, establishing a new security program from scratch is a rare opportunity, but if you get the chance it is truly exciting and offers the opportunity for giant leaps forward in terms of security maturity for the company.

Existing / Incremental

The next state of maturity is existing or incremental and most companies will be in this state. In this state a security program has already been established and has the foundations in place in terms of people, processes and technology. Tooling has already been purchased and implemented, an annual budget has been established and a team exists with different functions like security engineering, security operations and security compliance.

An existing security program usually has smaller goals or incremental annual objectives designed to address some specific area of risk that has been outstanding, or to address a new risk area based on business growth. For example, perhaps the organization has an existing Identity and Access Management (IAM) program, but needs to roll out 2-Factor Authentication (2FA) to further secure access. Or, maybe the business is expanding into the financial industry and needs to become PCI-DSS compliant. These are incremental improvements to the security program and will require increases or reallocation of people and budgets.

A CSO or security leader in charge of an existing security program will generally keep things running smoothly, make sure the company doesn’t regress with respect to security maturity and will continually be evaluating the business for new or existing risks that need to be managed.

Here are some questions you can ask if you are interviewing for a new role that will lead an existing security program:

  • What is the annual budget for the security program?
  • What security tools are in place?
  • How is the team structured?
  • What are the security objectives for this year? For three years?
  • What security compliance certifications does the company maintain (e.g. SOC, ISO, etc.)?
  • How many people are in the security team?
  • What functions does the security team perform? (E.g. security engineering, compliance, risk, product security, security architecture, security operations and incident response, etc.)
  • Why are you looking to hire for this role, or who am I replacing if I am hired?
  • How do you expect the business to perform over the next year?

Shrinking / Decline

It is an unfortunate reality that not all programs are in the building or existing states. Sometimes security programs shrink or slip into decline. This can be for a number of reasons such as poor leadership or a declining business. A shrinking security program can also be a temporary state that matches normal expansion / contraction of a mature business and the economy. Whatever the reason, leading a declining security program has significant challenges. First, the security leader will need to over-communicate the existing risks to the business and make sure budget and headcount reductions match the reduction of risk as the business shrinks. A CSO can run into real trouble if the reductions are arbitrary and leave the business exposed.

Second, you can expect to have to do more with less. As the business contracts your team will still need to perform, but there may not be additional perks such as training, travel, new tooling, etc. You may also need to consider shrinking budgets and reductions in license counts or other tooling.

Another reason for a shrinking / declining security program is during mergers and acquisitions. Depending on how the deal is structured and the capabilities of the acquiring business, your security team may be redundant or parts of your team may no longer be needed.

A shrinking / declining security program isn’t the end of the world, but it does require careful leadership to make sure the risks are managed appropriately and morale doesn’t completely decline and impact the performance of the remaining team.

Not Everyone Is Good In All States

Not everyone will admit it, but the reality is not everyone is good in all states. This shouldn’t be surprising. Startup founders routinely find they can’t scale a company past a certain point and require additional help. Similarly, I have personally experienced that security programs require different leadership depending on the state of the program and the skills of the individual. Some people just can’t scale a program past the building phase and into the incremental phase. Some people don’t know how to handle decline. Leadership skills aside, some people just have a specific preference for what they like to do.

No matter where you are in your professional career or whatever state your security program is in, I hope this post will help you identify and navigate the type of security program you enjoy leading or are looking to lead one day.

Why Veterans Make Great Security Team Members

Every year the United States honors its fallen service members during Memorial Day. As a Navy Veteran, I spent this past Memorial Day reflecting on my time in service, the memories I’ve taken away and most importantly remembering the people I served with who made the ultimate sacrifice.

I also thought about the incredible number of people that work for me and with me who are veterans. In general, the veterans I have led, worked next to or served under tended to be the best employees, peers or leaders over the course of my career. Here is why I think veterans make great security team members.

Candor

Anyone who has served in the military or had a military family member knows people who have served tell it like it is. This is a carryover from giving and receiving orders in times of stress that need to be clear and concise. It is also a firm belief that life is too short and at some point you need to stop talking and take action.

Veterans aren’t afraid to speak up in times of uncertainty because when we were in the military confusion could lead to loss of life. It is better to ask the question and be really clear than to keep quiet and risk disaster.

This candor is particularly important in a security team. Is there a weakness the business doesn’t know about? Are you seeing something anomalous that other people have dismissed? Do you have a new idea that could improve a process or reduce risk to the business? Veterans aren’t afraid to speak up when they have something to say.

Perseverance

No matter what branch of service you come from, all veterans made it through some level of training that was more difficult than the civilian life they left behind. Sleep deprivation, physical hardship and generally being uncomfortable are table stakes in the military. This means veterans are hardened against failure and generally hate to lose. They will persevere through difficult tasks and can be relied upon when things become chaotic and difficult. They also seek out training to better themselves and add new skills to their repertoire because they may come in handy in the future.

This perseverance is particularly useful in all aspects of security. Attempting to change a culture to a security first mindset requires incredible perseverance. Similarly, implementing new controls, resolving an incident or passing an audit also requires perseverance. I’ve found the veterans on my team take these events in stride and enter them with the confidence they will accomplish their task.

Perspective

Veterans also possess a unique perspective. This perspective comes from the hardship they endured during the military and carries over to civilian life. No matter how bad the situation gets, every veteran thinks back to a time that was worse in the military and says “hey, this isn’t that bad!” Civilian life can be stressful and I’ve certainly had my share of burnout, breakdowns and disillusionment, but every time I think back to my time in the Navy I am thankful I’m not deployed away from my family, I’m not getting shot at and I’m not being asked to do things that could put me in harm’s way.

This perspective is useful during security incidents, but can also be useful during every day routine engagements with the rest of the business. Security isn’t always going to go perfectly and sometimes this perspective can help you see the big picture, keep calm and work towards a solution.

Willing To Take Risks

It shouldn’t be surprising that veterans are willing to take risks. Everyone who has served took a huge risk by leaving their civilian safety net behind. We deployed to dangerous parts of the world in order to protect our country. Additionally, veterans will tell you they served because of the camaraderie of the people who sat to their left and right. We are willing to take huge personal risk to protect our fellow service members.

This risk taking attitude is useful in the security space because it lets us try new things. We aren’t afraid to fail because we know we will learn from the experience and can try again. We are also willing to put ourselves out there if we know it will result in a better security posture or reduce risk to the business.

Security Mindset

I’ll generalize here, but I think veterans inherently possess a security mindset. We are evaluating strengths and weaknesses of attackers. We are looking at the physical security of spaces. We are considering if a control is good enough to manage the risk or if we need to push harder to secure something. Serving in the military means serving in an organization whose sole purpose is to ensure the security of the nation it protects. This mindset exists at all levels and is readily transferable to the civilian sector.

This shouldn’t be surprising since a large number of veterans often pursue a post military career in law enforcement, the government sector or private security. However, I also find tons of veterans in the IT sector and particularly in the security space. We have a common mentality and it is usually very easy to spot someone else who has served.

Wrapping Up

If you find yourself lucky enough to lead or work with veterans, like I do, then I encourage you to take some time to explore their background and what they did in the military. I’ve often found swapping stories with another veteran is a quick way to build rapport. Their candor, perseverance, perspective and security mindset can be huge assets to your security team and your business.

Do You Need A Degree To Work In Cyber?

In the timeless debate of “What qualifications are needed to work in security?” (or even the broader IT sector), I want to first start off by saying there are no hard rules. I am not going to gatekeep people from the industry by stating you have to have a degree or specific certifications. On the contrary, I think anyone who is sufficiently motivated is welcome to pursue whatever career gives them personal satisfaction. I have seen plenty of individuals who are self-taught, without a degree, who are amazing. I have also seen plenty of people with degrees who are absolute garbage, so a degree is not a guarantee of quality or suitability for a role. That being said, if I had to choose between two equally qualified candidates in terms of years of experience, qualifications for the job and culture fit, I would choose the candidate with a degree every time and the rest of this post will explain why.

Follow Your Destiny

I want to start by reiterating that a degree is NOT required to work in cyber or really anywhere in the information technology sector. With the right motivation, curiosity and ambition, anyone can achieve a meaningful career of their choice. There are plenty of online courses, books, certifications, local meetups and professional groups that can offer support to individuals seeking the right knowledge. I think this really comes down to financial opportunity and motivation. If you are unable to afford a four year degree program, are unwilling to take on student loans or are the type of individual that knows without a doubt they want a career in security, then a degree will simply delay you from your destiny.

Setting aside socio-economic, financial and other considerations, I do think degrees offer a number of distinct advantages to individuals in the field of security.

Trade vs Profession

Some of the oldest jobs in the world have made distinctions between trades and professions. Trades like plumbing, electrical work and general contracting can offer lifelong job prospects, but don’t offer a lot of flexibility to move between them without re-training. Trades also aren’t typically designing things, establishing standards or inspecting completed work. Contrast this with engineers who are designing the components, establishing standards, certifying designs and inspecting completed projects. The difference is an engineer requires a minimum standard of education to make sure the designs, plans and inspections aren’t going to cause loss of life. Simply put, an electrician installs the circuit breaker, but an engineer designs it.

This can be true in the security industry as well. It is certainly easier to gain knowledge and grow in your security career without a degree than it is in physical trades like plumbing. However, without a degree you are committing yourself to that specific field and assuming a certain amount of personal risk if that field declines or gets oversaturated with candidates. Having a degree offers the flexibility to switch careers or blend disciplines based on the company, economy or personal interest. A degree allows you to diversify your knowledge and specialization outside of your specific job and therefore offers advantages over non-degree holders.

Depth and Perspective

A standard four year college degree also provides depth of education. Degrees introduce students to topics of learning they most likely would never explore or discover on their own. Degrees also broaden perspectives by introducing students to new cultures via languages, travel or exchange programs. In my case, after performing horribly in math for my entire high school career, college helped me discover I was not only good at math, but excelled in a specific field of math called Operations Research.

Degrees also provide a standard of education that requires students to master basic subjects like finance, public speaking, communication and writing. These skills are invaluable within the technology sector, which is typically dominated by a technical meritocracy at the expense of softer people skills. They are even more important within the management ranks to help explain and lead initiatives at all levels. It fundamentally doesn’t matter how technically proficient you are if you can’t communicate that knowledge and purpose to others in an effective way.

Perseverance and Commitment

Another benefit of a degree is it provides basic insight into the character of an individual. Degrees demonstrate several key traits that are important for a candidate. First, a college degree conveys an individual is able to take on a long term endeavor and complete it. It shows an ability to commit to and persevere when faced with a challenge. Second, a degree demonstrates willingness to learn and flexibility of mind. You are daring yourself to confront new ideas and grow stronger as a result. Third, a degree demonstrates a basic appetite for risk and a willingness to learn from failure. Students are launching themselves into unknown experiences and confronting failure on a daily basis in order to learn and grow as part of their degree program. Lastly, a degree demonstrates the ability to exist and function within a larger community. Existing, functioning and participating in a group setting is a basic life skill that is essential at all career levels.

Officer vs Enlisted

The military is a good example of why degrees are useful. A four year college degree is a minimum requirement to become an officer in the United States military. Officers have a breadth of knowledge along with some specialization in a specific field that provides an inherent advantage for leadership. General education skills like writing and communication are table stakes for military officers because they help explain mission purpose, gain support from senior leadership, develop tactical and strategic plans, or prioritize courses of action that can snatch victory from the jaws of defeat.

A degree affords the same advantages to management and leadership within the security industry as it does to the military. The ability to understand a variety of topics, think critically, communicate effectively and lead people to desired outcomes is increased when you have a college degree.

Final Thoughts

Degrees are NOT necessary to have a successful career in security. Choosing to pursue a degree should not be compulsory for any role in security and is a highly personalized choice. Information technology fields like security have demonstrated that the barrier between a trade and a profession can be torn down with the right motivation and support. However, I do think degrees provide distinct advantages particularly if you are interested in moving into management or simply becoming more effective in your career. A quality degree in any subject will teach you to think for yourself and demonstrate basic character traits that are valuable in any career field, particularly security.

Your CISO Has Career Goals Too

I’ve been thinking about performance reviews lately and how they are a time for you to receive feedback from your manager about how you have performed over a specific time period. It is an opportunity for the employee to communicate achievements that demonstrate growth and it is also a time for the manager to give direct feedback on behavior that needs to start, stop or continue. These discussions typically involve a conversation around what goals the employee has and how the manager can best support them. However, one thing the employee should keep in mind is your manager has goals too. For the CISO this could be business objectives such as improving incident response times, lowering risk or becoming compliant with a new regulation. There could also be personal goals like speaking at a conference, serving on an advisory board or getting promoted to the next job level (e.g. Director to Vice President). The important thing to remember is – everyone has goals no matter what level they are at. Understanding these goals can help employees understand the personal motivations of their direct manager so they can support them if the opportunity arises.

Managing Up

Managing up is a key concept for employees to understand and master throughout their career. Managing up involves influencing, providing context and helping your direct manager understand ways they can best support you. Yet, employee-manager interaction should be a two-way dialogue. In the same way managers employ situational leadership to lead employees based on their personalities, employees should also seek to understand their manager’s motivations so they can best support them.

Find Out What Goals They Have

One of the easiest ways to support your manager is to bond with them by getting to know them on a personal level. Ask them what personal goals they have, what motivates them, what parts of their current job they enjoy and what parts they try to avoid. Maybe your CISO also wants to gain more responsibility by building a privacy function. Or, perhaps they have identified a new risk to the business and need to put together a team to address it. Your CISO is a human being and they have career and personal goals just like anyone else. By asking questions about their goals, your CISO can discuss them with you and gauge how to best involve you so you can both get ahead. Here is a short list of goals your CISO may have:

Personal Goals

  • Speak at a conference
  • Gain a new certification
  • Obtain a new degree or complete a certificate program
  • Get promoted to the next career level
  • Serve on an advisory board
  • Expand their professional network
  • Learn a new skill
  • Understand an emerging technology

Business Goals

  • Obtain a compliance certification (ISO, SOC, FedRAMP, etc.)
  • Take on a new responsibility
  • Achieve an objective or KPI (e.g. reduce risk, reduce response times, etc.)
  • Establish a new strategic partnership
  • Stop doing something that frustrates them

What Can You Do To Support Their Goals

Once you understand the personal and career goals of your CISO you can begin to align some of your career goals to support them. This could mean completing objectives that directly align to the business objectives for the CISO. Or, it could mean offloading your CISO from activities that frustrate them so you can gain experience and grow your career. This will free up the CISO to take on new activities and you can advance your career by drafting in their wake. This is also an opportunity for you to offer suggestions about where you think you can offer the greatest assistance for areas that align to your own career goals and personal interests.

Wrapping Up

Performance reviews and career management shouldn’t be a one-way activity. Employees who understand the personal and career goals of their CISO can better align their activities to support them. This can lead to learning new skills, taking on new responsibilities and accelerating their career progression. Next time you have a performance review conversation with your manager, take the time to ask your manager what goals they have and how you can best support them because it will pay dividends in the long run.

Defining Your Security Organization

Whether you are inheriting an existing security team, or building an entirely new function, one of the first things you should do after building a strategic plan and creating an organization plan is to define what you want your security organization to look like. This step builds upon the organization plan by defining what each role in your organization will do (including skillsets), what the career path is for each role and what success looks like for each job function. This will not only help define the details of your organization plan, but it will help lay the foundation for how you want to build your organization (if you are starting from scratch). If you are inheriting an organization it can help you establish your expectations by clearly defining what you want from each part of your organization. It can also help you plan for a re-org or help to diagnose performance issues with a particular team or within the overall security org.

If you are part of a large organization most or all of this will be defined by your HR department, but I still find it useful to tailor the general HR approach to your specific security organization. If you are part of a startup or small organization then you may need to define everything yourself.

Mission Statement

First, I recommend creating a mission statement. This should be a really short statement about the overall purpose of the security organization. This mission statement will not only help to clarify what your group is trying to achieve, but it will also give a sense of purpose to the security practitioners within the security org. I recommend creating a mission statement at the org level and then for each function within the security org to help clarify the purpose of that function. This will be useful to explain what your security functions do, especially when interfacing with non-security groups like legal, finance, HR, etc.

Example:

The mission of the security org is to enable [company x] to effectively manage risk related to security and privacy of our products and services.

Role Definitions

Once you have defined the purpose of your org, you will want to look at your organization plan and define what each role will do. Security Engineer, Security Architect, DevSecOps Engineer, Governance & Risk Practitioner, Incident Response Analyst, etc. will all need a short description of what the role does. Going through this exercise serves three purposes. First, if you need to hire for any of these roles you can use most of this information in the job description. Second, if you already have people in the role, it will help clarify your vision for the purpose of that role. Lastly, if you need to request budget, these role definitions will help explain what these people are going to do as part of the budget request.

Example Role Definition: Security Engineer

Designs, builds, configures, diagnoses, integrates and maintains security tooling required by the security organization. Establishes requirements, performs trade-off analyses and recommends tool selection. May work with other IT or engineering groups within the organization.

Career Paths

Once you have the roles defined you will want to establish career paths for these roles. Establishing career paths will require you to think about the scope and impact of each level of the role. For example, if you have 5 levels in your organization you will need to define titles for each level, the skillsets for each level and how those skills increase in scope and impact. You will need to do this for both individual contributor roles and management roles. I recommend breaking out the skills into general and role specific.

General Skills

General skills are skills required by all employees in your organization. These include things like communication, strategic thinking, agility and collaboration. If you are part of a large organization, these skills should already be defined, so you can work with your HR team to adapt them to your security function and then define what each employee should be demonstrating at each career level.

Example: Communication

  • Level 1 – Able to articulate clearly and concisely when communicating
  • Level 2 – Able to convey thoughts and opinions in a compelling manner to the appropriate audience
  • Level 3 – Gains support for new projects by clearly communicating value and addressing concerns
  • Level 4 – Builds networks throughout the organization to support large initiatives and future endeavors
  • Level 5 – Champions strategic initiatives in ways that generate organization wide support

Role Specific Skills

Role specific skills are skills required by each role. They are unique. An engineer may require hands on knowledge of specific security tooling and the underlying platforms. An incident response analyst will require in depth knowledge of how to respond, contain and recover from an incident. Governance and Risk analysts may require specific regulatory knowledge. Input for these skills can come from the CIS or NIST control sets, industry job postings and industry certification requirements. All of these need to be defined in increasing scope and responsibility so employees know what is expected and can prepare for the next level of the role.

Example: Security Engineer

  • Level 1 – Demonstrates a working knowledge of security engineering concepts such as network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 2 – Demonstrates a detailed knowledge of one of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 3 – Demonstrates a detailed knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 4 – Demonstrates an expert knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.
  • Level 5 – Demonstrates and applies expert knowledge of one or more of the following security engineering concepts – network security, identity, storage, encryption, operating systems, cloud, DevSecOps, etc.

The career paths will help you during budget requests to justify why you need a specific role level. For example, maybe an upcoming initiative is really critical and has a tight timeline so you need to hire someone very senior so they can start making an impact right away. Alternatively, maybe you want to hire a more junior person because it will fit in the budget, but now you need to plan to train them and ultimately, the project will take longer to complete.

Career paths will also help clarify what your team members should be working on to get promoted to the next level. They are also useful during goal setting, career conversations, performance reviews and mentoring sessions.

Example Career Path: Security Engineer

  • Level 1: Associate Security Engineer
  • Level 2: Security Engineer
  • Level 3: Senior Security Engineer
  • Level 4: Principal Security Engineer
  • Level 5: Distinguished Security Engineer

Scope and Impact

The last thing you should do as part of this exercise is define the scope and impact for each career level. Defining scope and impact gives further clarity to your team members about how they should be thinking about their role and what success looks like. It defines what part of the organization they should spend their time in and who (or what level) they should think about interacting with.

Example: Scope & Impact (figure not reproduced here; the original shows a Scope and Impact table by career level)

At the end of this exercise you will be left with a very detailed explanation of not only what your security organization looks like, but what success looks like as well. Your Role Definitions will provide a short description of each role, your Career Paths will define the levels and performance expectations for each role and the Scope and Impact will define the level at which each role is expected to contribute. All of this becomes a reference guide for every single member of your security org and will help you as the CSO to budget, plan, diagnose and shape your organization to achieve success.

Thinking About Compensation

In the last quarter there have been a significant number of layoffs at high profile technology companies. The economy has also made these layoffs particularly challenging. If you didn’t receive a raise last year that kept pace with inflation, then in real terms you didn’t get a raise, or even took a pay cut. A job market flooded with candidates, combined with top candidates seeking new positions, means the job market is heating up for tech positions across the board. Some of these positions will be CISO level jobs, and if you are in the market to make a career change you will inevitably run into salary negotiations at some point during the interview and negotiation process. Here are some things you will need to think about as a new or repeat CISO when negotiating for compensation in your new position.

Job Level

The management level of the CISO role varies across industry and company size. Some CISO roles are Director level, the majority are VP level (including Sr. VP and Executive VP) and a few are truly C-Level as named officers of the company. The role level should be commensurate with the level of responsibility – the more responsibility, the greater the impact to the company and the more senior the role should be. Likewise, the more responsibility, the more risk you are assuming (or responsible for) and so compensation should recognize and reward this.

Company Size

The first choice you will need to navigate is what type of company you want to work for. Public vs. private companies will be the main tradeoff, but government or public sector may also be something you are considering. The main thing to consider with company size is that you typically can get a higher title at a smaller company, but this comes at the expense of a lower base salary or more risk in terms of the longevity and stability of the company or your ability to liquidate your equity. However, this risk comes with the potential for a bigger payout, so it is important to really do your research and make sure it is something you truly believe will succeed.

Government and public sector also offer interesting advantages. These roles can come with high visibility, but will typically offer lower salaries or total annual compensation than the private sector. The tradeoff here is that you are forming highly visible connections across government and the public sector. You can also establish your reputation on a nationwide level. Lastly, government and public sector positions typically offer a pension or some other form of retirement benefit. Private sector companies typically do not offer the same level of retirement benefit unless you self fund or have a match via an employer plan. There is a real tradeoff between private and public sector in terms of immediate compensation vs. deferred compensation, which will come down to your overall financial goals and associated timing.

Risk vs Reward

Let’s briefly talk about risk vs. reward. The type of company you choose to work for and the sector you choose to work in will dictate how much risk you are assuming, which will directly impact your compensation. On the one extreme there are startup companies. They offer the most risk, but also the most reward. On the conservative end of the spectrum there is government and public sector. These jobs are really stable, but can’t match the big pay offs that are associated with start ups or publicly traded companies.

Reward vs Risk (graph not reproduced here)

In the graph above I placed public companies as having more risk than private companies due to the fluctuating nature of equity that typically makes up a large portion of the compensation at these companies. However, the real answer is “it depends” and so I encourage you to do your homework on the company you are considering.

Total Compensation

The next thing to understand is: what is the total compensation for the position and what makes up that total compensation? I often find interview candidates are hyper focused on base salary because it offers the guaranteed paycheck each month. However, there are a lot of other ways to build a total compensation package, especially at the executive levels. My recommendation is to take the time to understand all of the components that go into total compensation at the new role. Carefully evaluate the risks to determine what you are comfortable with, then use that to discuss options with your prospective employer.

Cash Equivalents

Base salary is the big one here, but not the only one. This is the safest form of compensation because it is explicitly written in your offer letter and arrives at regular intervals. I will also lump sign-on bonuses in with base salary because they are typically granted when you start employment or are guaranteed payouts over a period of time (subject to remaining with the company for a specific term).

Annual Bonuses, Incentive Compensation Plans, Long Term Incentive Plans and Profit Sharing Plans are next on the list in terms of risk. These are basically cash payouts that are given at some interval (monthly, quarterly, semi-annually, annually) depending on the performance of the company. For example, if you are supposed to get a $100 bonus quarterly and in the first quarter your company misses its financial goals, it may choose to fund only 75% of the bonus amount, so you only get $75 that quarter.

Likewise, commission (if applicable) is essentially cash in your pocket, but assumes an amount of risk depending on your sales cycles, lead times, what vertical you are in, your customer, etc. CISOs who are in a public facing role at a product company may be eligible. Similarly, CISO Advisors who help drive sales may also be eligible for commission.

Commission is a lever you can pull on depending on how much risk you want in your compensation. Sales people typically carry very high commissions as percentage of base salary to incentivize them to get out there and sell. Sales engineers or indirect sales people typically have a much lower commission percentage as part of total salary.

Another common compensation option, particularly at public technology companies, is equity. Equity can come in many forms such as Restricted Stock Units (RSUs), shares or stock options. All of these require some sort of sale to convert them to cash, and their value will depend on the vesting schedule, how the company is performing, how the stock market is doing (if a public company) or the terms of your ownership in the company that specify when and how you can sell your stake.

Equity is a form of compensation that allows the employee to assume an amount of risk in their total compensation and it ties their performance (and compensation) to the performance of the company. For a CSO this can be an incredibly rewarding form of compensation particularly if you help take a company through IPO or help mature a company to grow revenue or increase shareholder value.

All of these cash equivalents are negotiable, particularly things like amounts, vesting schedules, strike prices or even equity percentages. Whether or not you get some or all of these will depend on the company and job level of the role.

Indirect Compensation

Other things that will contribute to your paycheck are the benefits your company will provide. Here is a list:

  • Healthcare – Do they cover healthcare, what type of plans do they offer and how much does the company cover? Do they have an on site gym or allow employees to expense gym memberships?
  • Vacation / Leave – Does the company offer unlimited time off or are you limited to a certain number of weeks per year? What is the accrual rate, are there blackout periods, are there times when the whole company is expected to take off?
  • Retirement – Does your company offer a 401k match and what other type of retirement investment options do they offer? Does your employer offer a deferred compensation plan, which can be useful as you approach retirement age?
  • Training & Continuing Education – What type of training does your employer cover? Do they support you going to conferences? Does your employer offer tuition reimbursement or even pay for a full executive education program if you are considering going back to school? Do they cover professional memberships and certifications?
  • Work Permits / Visa Sponsorship – Do you require visa sponsorship, and does your prospective employer offer it?
  • Relocation Assistance – Do they offer relocation assistance if you are being asked to move? What type of accommodations and support will they provide if you are being asked to move to a foreign country?
  • Travel & Expense Policies – What type of travel policies do they have when you travel? Do they provide you with a cell phone or allow you to expense your current phone and plan? Do they pay for your internet connection if you are a remote employee? Do they cover mass transit passes or parking (if located in a major city)?
  • Discounts & Perks – Do they offer employees other perks like discounts, free tickets to sporting events or awesome swag?

All of these options will vary depending on the company you are considering and it is important to ask questions and consider all of these additional benefits that will indirectly boost your paycheck.

Other Things To Consider

When negotiating for your new CISO role, there are other things you may want to consider asking for depending on your job level and amount of responsibility.

First, you will most likely want to negotiate a severance if you are laid off or terminated as a result of a security event. Typical severance packages offer some amount of base salary payout, but can also include accelerated vesting schedules, guaranteed bonuses, relocation, cash payouts, etc. Severance packages typically don’t come into play until the more senior levels, but given the high risk nature of the CISO role it is something to ask about during the interview or salary negotiations.

Second, if you are in the senior management ranks it is important to ask if the role is going to be a named officer of the company. If it is, you will want to ask about being included in the Directors and Officers (D&O) liability policy. If not, you may want to ask if the company has a standard corporate liability policy and if you can be included in it, which can help protect you during lawsuits or other legal issues you may encounter while employed in the role. You may also want to negotiate for the company to cover your legal fees if you are sued, and for the ability to select and retain legal counsel of your choosing that the company pays for but that represents you.

This brings us to the last point of consideration, which is contracts and contract terms. At the more senior ranks it is typical to negotiate for all of these things, but agree to stay for some period of time as specified in an employment contract. This contract may also have specific non-compete agreements, specific non-disclosure agreement terms and other terms you may have negotiated. The key takeaway is to get everything that has been agreed to in writing and included in the contract.

Wrapping Up

Salary negotiations can be stressful, but they don’t need to be. Doing research, asking questions and knowing your worth can help make salary negotiations go smoothly. Some states now have pay transparency laws, which can make it easier to understand the compensation range for the role. At the higher employment levels you may want to consider retaining a compensation lawyer who can draft and review contract or compensation terms on your behalf. Not all of the options I’ve mentioned above will be available at your employer or at the job level you are applying for, so taking the time to understand what is available is important to make sure you are being compensated and protected appropriately.

How Playing Video Games Can Help Your Career In Security

One of my favorite things to do after work is to sit down and play video games. I’ve enjoyed playing video games ever since my father purchased the first family computer in 1986. Now many years later, high powered video game consoles combined with fast internet connections have made playing video games a truly incredible experience and I believe playing video games helps develop and reinforce the skills that are important in a successful security career. Let’s look at some of the skills required by both video games and security professionals.

Problem Solving

One of the most important skills when playing video games is problem solving. Whether you like first person shooters, role playing games, racing games or any other game, all of them require you to determine how to achieve some sort of objective like getting to the next level or unlocking a secret. The thought processes required to solve riddles and level up in video games are also useful in security.

Problem solving in security is important in every discipline. CISOs need to determine how to best manage risk, while supporting the needs of the business. An incident responder needs problem solving skills to determine the nature of an attack and how to best recover from the incident. Security engineers identify problems, establish requirements and then solve the problem by building the solution. All of these roles (and the rest of the Security Org) need well developed problem solving skills to be successful in their role.

Curiosity

Curiosity is also an important skill in video games. What is in this crate? Where does this path go? How do I open this door? What does this new skill do? Exploring the limits of the game is essential to ultimately beating the game, and that is also why curiosity is a fundamental skill for working in security. The security industry is inundated daily with new vulnerabilities, new technologies, new attacks and new methods to defend against them. Persistent curiosity is required to continually advance your knowledge, test the limits, learn new skills and ultimately persevere in protecting the business.

As a CSO, curiosity is an important skill to exercise every day. Asking questions to understand how regulations will impact your industry, how business processes work, how products function or how customers interact with your business is important to inform your decisions on how to best protect the business and manage risk.

Collaboration and Teamwork

Over the past three decades some of the most popular video games have been multiplayer games that rely on collaboration and teamwork to win. When working in a team you increase your odds of capturing a flag, completing a quest, winning the race or beating the game. Teammates can help you, resupply you and even save your life. Just like in video games, security requires teamwork and collaboration to be successful.

A CSO needs to collaborate with the rest of the business in order to understand how to best manage risk. CSOs need to understand every part of the business to be successful, incident responders need to work as a team to protect the business, compliance professionals need to work with the business owners to gather evidence and governance teams need to work with the rest of the business to establish processes that are minimally invasive. All of this requires teamwork and collaboration in order to be successful.

Attention To Detail

Video games offer unique challenges, and the ability to pay attention to small details is often important to complete quests, solve puzzles or beat a level. Racing games require the ability to absorb small details at incredible speed, sports games require players to pay attention to detail to score a point and strategy games require players to pay attention to small details to beat enemies or unlock new skills. Attention to detail is an important skill when playing video games, and it is also an important skill in security: every role in security requires it, and it can be the critical difference in resolving a vulnerability or reducing risk.

Often, the small details make the biggest difference in security. GRC professionals need attention to detail to understand specific regulatory requirements or frameworks and how they apply to specific controls or technologies. Incident response professionals need attention to detail to understand how to respond, how to gather evidence and how to recover. Sometimes, it is the small details that someone notices that lead to an investigation and that investigation leads to an incident. Finally, CSOs need attention to detail to understand how to allocate resources, how to budget appropriately and how threats relate to business risk.

Other Important Skills

In addition to the four skills I’ve described above, video games and security roles also require a number of other common skills. Here is a short list:

Time Management – Using your time wisely and completing tasks within a specific time period.

Discipline – Setting boundaries for yourself and adhering to them.

Competitiveness – Competing with others, rising to the challenge, conducting yourself with honor and being a good sport.

Perseverance – Never giving up, pushing through and completing the job.

Detachment – The ability to look at problems from different perspectives.

Positivity – Don’t dwell on the losses. Focus on the good and believe in a positive outcome.

Cognitive Performance – The ability to focus, perform well under pressure, react quickly and even get into a state of flow.

Wrapping Up

A successful career in security requires not only focusing on domain specific skills (like GRC, Incident Response, etc.), but also more generalized skills that translate to all aspects of life. I personally enjoy playing video games for the reasons above, but also because of the social component that now exists in games. The ability to share the experience with others or discuss games with co-workers and friends is enjoyable. So, next time you are looking to advance your career don’t forget to work on the softer skills along with the security specific skills required for your job and I hope you will consider video games as a viable way to develop those skills!