The role of a Chief Information Security Officer is a much-coveted position that blends extensive technical know-how, managerial excellence, and strong leadership skills. It’s no surprise that finding individuals with all of these skill sets in equal measure is a major challenge. Companies are in a war for the best CISO talent, meaning candidates are likely faced with multiple offers at any one time.
By Karl Sharman, Head of Cyber Security Solutions, Stott and May
With this in mind, here are the five questions every CISO should ask before moving company:
1. Who is the company’s leadership?
One of the biggest challenges most CISOs face is translating cyber risk into a language the board understands and buys into. You need authority and visibility to effectively manage an enterprise risk management initiative. This makes reporting lines really important, so determine whether you will have access to the CEO and the wider board, and gauge their understanding of security. Do they see security as a business priority or a checkbox exercise?
Dig a little deeper into the company’s leadership team – what do former colleagues say about them? Where did they come from? Have other team members followed them? This type of loyalty is always a good sign. Lastly, make sure you have an understanding of, and access to, all key risks across the organization, including the various technology lines.
2. What is the company’s track record?
Do your research and be thorough. Look at the company’s hiring and firing cycles – how often are they recruiting and for which roles? Find out what happened to the previous CISO and why they left. If it is a new role, why are they looking to invest in security leadership now? Ask questions regarding the financial trajectory of the company, its plans for growth, and how they see security fitting into this.
3. Is there an exit strategy in place?
Determine the long-term goals of the business – is there an exit strategy in place for the company? And if not, what is the ultimate goal? It is important to buy into the future of the business and understand how you, as CISO, will help to achieve this.
4. Who is funding the company?
Understanding who is funding the company will help you determine its priorities and how much investment you will likely receive in the security function. If it is backed by venture capital, the goal will always be to sell or IPO so you will be expected to help the business achieve hyper-growth in a short period of time. If the company is already publicly listed, then you know they cannot afford a cyber breach of any kind, so they are likely already investing heavily in the security function.
5. What does equity really mean?
Most companies will look to lure you in with some degree of equity as part of the offer. But do your research as it can be easy to misunderstand this. The main thing to consider is whether equity is included in the full package amount. This means, with an offer of $150,000 base, a 50% bonus, and $150,000 in equity stock options, a company would equate that to a $375,000 full package. However, the only thing that is guaranteed in this offer is the base salary, while the bonus and stock options are quite often determined by elements completely out of your control as the CISO (performance of the company and market dynamics). Educate yourself on the difference between restricted stock, stock options, stock appreciation rights, phantom stock, and employee stock purchase plans before making an informed decision.
In a rapidly changing market where risk is everywhere (even more so as we emerge from the COVID-19 pandemic and remote working becomes the norm for many companies) and the ability to prioritize is essential, CISOs are in incredibly high demand. Before accepting any offer, do your research into the company’s leadership, its hiring and firing cycles, and whether security is viewed as a business priority or not. Are you the first CISO and if not, why did your predecessor leave? Look at what the future looks like depending on who is funding the company and understand what any equity offer really means. Only by asking the right questions can you determine whether a move is right for you.
About the Author
As head of Cybersecurity Solutions at an executive search firm, Stott and May, Karl Sharman has over 10 years of experience building and scaling security teams for Fortune 500 companies, Pre-IPO, late-stage ventures, security consultancies, MSSPs, and more.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.