How to Evaluate a CISO Job Offer

The majority of CISOs (75%) are considering going after a new role, according to the State of the CISO, 2023-2024: Benchmark Summary Report from IANS and Artico Search. “What we expect to see coming up in 2024 is CISOs to feel more urgency to move into new roles and for businesses to potentially start opening up more opportunities as the economy shifts,” Nick Kakolowski, research director at IANS, a provider of security insights, tells InformationWeek.  

Burnout, an increasing desire for risk protection, and a drive to take on new challenges are among the reasons CISOs decide to look for new opportunities. With a lot of talent seeking a change, what can CISOs expect in the job market? Once an offer comes in, what makes it attractive or potentially a pass?  

The CISO Job Market 

Cybersecurity talent is in demand; the skills gap continues to be a hot topic of conversation. But at the CISO level, the competition for roles is fierce. “We would call it more of an employer market when it comes to CISOs, meaning there [is] more great talent out there than there are roles at this point,” says Bobby Gormsen, director, executive search at executive recruiting firm Riviera Partners. “The competition for these roles is at an all-time high. So, we're seeing great candidates getting placed and equally as great candidates coming in second and unfortunately not getting the role.” 

Related:Passing the Security Baton: CISO Succession Planning

CISOs in the market for a new role can start the process by turning to their personal network. Talk to other fellow CISOs, mentors, and trusted recruiters to get a sense of what roles could be available and why they need to be filled.  

“I think having those personal connections is super, super helpful because you'll tend to get the real answers,” Jay Pasteris, CIO and CISO of Blue Mantis, a digital technology services provider, tells InformationWeek.  

The CISO role has evolved over the years, increasingly demanding a blend of technical and business expertise paired with compliance and risk management. Different organizations, depending on the size, industry, and security posture, tend to need different types of CISOs. Some CISOs will be focused on building a security program from the ground up. Others might be taking over post-breach.  

“[Be] introspective and [say], ‘What type of CISO am I to-date? Where am I likely to be a compelling candidate, and what would be most interesting to me?’” says Steven Martano, partner, cybersecurity practice at recruiting firm Artico Search.  

What to Look for in an Offer 

Related:How Will AI Change the CISO Role?

What does a compelling CISO job offer look like? The answer to that question, in many ways, is a personal one. But there are some important elements that all CISOs will likely want to consider before accepting a new role.  

Compensation is, of course, one of the most straightforward metrics for evaluating a job offer. With the expectation to shoulder more risk, particularly with increased scrutiny from regulatory bodies like the SEC, compensation expectations are rising for CISOs.  

How that compensation is structured is a significant consideration. CISOs tend to have a shorter tenure compared to other C-suite leadership roles. Their median tenure is four years, according to the 2023 Global Chief Information Security Officer (CISO) Survey from executive search firm Heidrick & Struggles. CISOs who stay in their roles for a shorter period will likely be more interested in cash compensation versus equity that vests over several years, according to Gormsen. “They're looking for short-term guaranteed cash over long-term incentives,” he explains.  

While cash is king, it isn’t everything. The responsibilities and resources that come with a CISO opportunity are vital to determining if the role is a fit. “What's the expectation for the first year, and then what does success over three years look like?” Martano asks.  

Related:SEC Cyber Disclosure Rules Usher in a New Era for CISOs

CISOs can ask questions to get an idea of whether an organization will provide the necessary resources to meet those success metrics. “You want to be able to go into a place where you know the security is valued, the security is a priority, that you're not going to be fighting tooth and nail for every scrap of budget to get stuff done,” says Kakolowski.  

Reporting structure is another element to evaluate. Many CISOs would prefer to report directly to the CEO and the board. This role is gaining organizational elevation, but most CISOs are still at the VP or director level, according to the State of the CISO, 2023-2024: Benchmark Report. CISOs can report to a variety of roles, such as CIO, CTO, COO, CFO, general counsel, and chief risk officer.  

Reporting structure can work, or not, in a variety of different ways. The heart of the issue is how an organization positions security.  

“It's critical to understand how the folks in that reporting structure view security and how much economy ... they are going to give you as the CISO to drive decisions and make the changes that are needed and enforce those,” Pasteris explains.  

Risk protection is increasingly a must-have for CISOs, and it can come in different forms. Does an organization offer its CISO directors and officers (D&O) insurance? Contractual indemnity? An executive severance package?  

“It's really important to understand why the business is structured the way it is,” says Kakolowski. “If you're not on D&O insurance, what that means and why you're not. Is it because the CISO isn’t really considered an officer of the business? At which point, maybe you can get indemnity. Maybe you can get some other financial protections to make up that difference.” 

While it isn’t always possible to know exactly how a role will fit until you get started, the interview process can be revealing. How do the various people at an organization talk about the CISO role and the organizational approach to security?  

“I tell my clients all the time [to] be really thoughtful about the process that you're putting a candidate through because oftentimes that is viewed, and often correctly … as a harbinger of what it's like to work for that company,” says Martano.  

Job Offer Red Flags 

Some potential red flags can help CISOs weed out job offers that are not the right fit. During the interview process, it is possible candidates will encounter a misalignment of expectations around the role. It could be a red flag “if you're hearing inconsistent messaging, if you're getting a sense that some people that you're interviewing with have a completely different perspective on the expectations of security or their alignment with security or their … acceptance and evangelizing of security,” says Martano.  

An organization’s reporting structure may raise red flags for CISOs as well. CISOs may be reluctant to report to a certain function. For example, Pasteris shared he would not consider a role if it involved reporting to a CFO. “That's a … nonstarter for me. That tells me that this is about finances only,” he explains.  

It is also important to consider what roles will report to the CISO. “If you have an outlier in the reporting structure where you have a security focused individual not reporting directly into the CISO org, I think that is a major red flag,” says Gormsen.  
If it becomes clear that an organization does not recognize the value of security or does not offer CISOs the right environment and resources to do their job, that offer might be one to turn down. “I would probably walk away from opportunities where I’m looked at as a check the box function: limited budget, limited authority, limited scope, and limited understanding of the business impact,” says Pasteris.  

Accepting a New Role 

It can take a month or more to find and place a candidate. “A good, well-run CISO search we get done in under 90 days,” shares Martano. 

The amount of time it takes to go through the process of searching for, accepting, and starting a new role varies depending on a lot of factors. From the CISO perspective, faster isn’t always better. “If I'm looking for a new opportunity, I'm not going to rush into that. There's too much to weigh; there's too much at risk,” says Pasteris.