Life After CISO: What Are the Options?

Tips on How to Prepare for the Next Big Career Move
You've spent years in information security, toiling your way to the top - to the CISO role. What's next? What are your career options, and how should you prepare for exploring them?

Jennifer Bayuk is the former CISO at Bear Stearns & Co. She became an independent consultant after the company was acquired by JPMorgan Chase early last year. Bayuk notes that, "The CISO title is something that sticks with you. It is not so much a title as a mindset. I was recently invited to be on a panel of CISOs at a conference, and suggested that it was inappropriate. But a colleague joked, 'Once a CISO, always a CISO,' and I knew what he meant." She wants to remain independent and participate in projects and research that will increase national security as well as equip future security professionals.

Bayuk's transition didn't happen overnight, though. It came after careful consideration - and preparation - for "life after CISO."

Here are some tips for security leaders considering their next career moves.

Know Your Options

It's always good to have career options, but there are times in your leadership career when you especially should start making plans, says Charlie Miller, former Director of vendor governance at Merrill Lynch:

  • All Talk, No Action - When there are numerous senior management changes and most of the CISO's time is spent explaining what they do, vs. doing what needs to get done.

  • Treading Water - When leaders are shifted to maintenance as opposed to building a security program and team within their organization.

To prepare themselves for their next move, existing CISOs need to make sure they stay current with their industry and profession. That means attending and participating in security and industry-relevant seminars and webinars; reading professional reports, books, etc.; subscribing to journals, magazines and newsletters; and joining industry groups and professional associations.

And since security these days is much more about the business than the technology, CISOs also must focus on improving their understanding of business concepts and communications. This is the competency that will impress a future employer or client, and yet it's often overlooked by busy executives caught up in the daily grind.

Another key piece of advice: Network, network, network. "Do your job effectively as a CISO, build relationships in your current job with trusted peers, supervisors and your extended network," says Steve Katz, credited as the world's first Chief Information Security Officer. "The more trust you build in your current position, the more opportunities you will get after leaving the CISO position."

Following are four distinct career paths that security leaders have followed post-CISO:

1. Independent Consulting:

Many former CISOs embrace the path of being an independent consultant, either on a temporary or permanent basis. "I like working for myself," says Miller, who is now on the verge of forming an LLC with an associate, focusing on information security outsourcing, privacy, training and awareness programs. He consults to the Santa Fe Group on enhancing the BITS Shared Assessments Program used by institutions when evaluating a third-party provider control environment. "Independent consulting is successful when a strong reputation is built around the individual," says Katz, a prominent figure in the network security discipline. For over twenty-five years, Katz has been directly involved in establishing, building and directing Information Security and Privacy functions. He is the founder and President of Security Risk Solutions, an information security company providing consulting and advisory services to major, mid-size and startup companies, and an executive advisor to Deloitte.

Executives should rely heavily on building reputation and networking before jumping ship, as people will want to know "who you really are," maintains Katz.

2. Advisory and Partnership Role:

Another trend among former security leaders is to take up an advisory and partnership role with one of the major consulting companies, security vendors or educational organizations, helping them manage their clients' health in areas of security and privacy risks. Katz, for instance, is currently an advisor to Deloitte in the area of risk management and security practices. "I have seen several of my colleagues -- former CISOs within the government -- take up positions with companies like McAfee and Symantec, as an advisor on their business, sales and marketing end," says Daniel J. Lohrmann, the Michigan Chief Technology Officer (CTO) and Deputy Director of the Infrastructure Services Administration within the Michigan Department of Information Technology (MDIT). Prior to becoming Michigan's CTO, he was Michigan's first Chief Information Security Officer (CISO) from May 2002 until January 2009.

"Ultimately your choices depend on what opportunities are available at the time you make the change," says Warren Axelrod, Research Director for Financial Services for the United States Cyber Consequences Unit. "Right now, in this time of retrenchment, the job market outlook for CISOs is pretty glum. However, there is a substantial demand for subject matter expertise and advice that comes from many years of on-the-job information security and privacy experience."

Axelrod is Executive Advisor to the Financial Services Technology Consortium. Most recently, he was the Chief Privacy Officer and Chief Business Information Security Officer for US Trust, the private wealth management division of Bank of America.

3. Teaching and Mentoring:

"Security is the most valuable thing we have," says Bayuk, who is also a professor at Stevens Institute of Technology, where she teaches enterprise security architecture. Both Miller and Axelrod have done webinars for various security clients on topics ranging from vendor governance, business continuity and cybersecurity to outsourcing in security. Lohrmann believes strongly in mentoring and providing leadership insights by taking up opportunities in speaking engagements, authoring blogs and books, and by being a member of professional organizations such as InfraGard to make security more effective. He is also a distinguished lecturer for the Masters Program in Information Assurance at Norwich University.

4. Continue in the Corporate World:

If you've been a successful CISO in one specific business or industry, why not consider a similar role in another type of organization entirely? As Lohrmann points out, "The similarities (in roles) are greater than the differences." The key difference: the specific culture and the way business cases are built to emphasize enterprise security in each organization.

Many former security leaders move on to equivalent positions or greater roles in banking, consulting and government organizations where their knowledge, experience and skills are easily transferable. For instance, take the case of Rhonda MacLean, a former CISO of Bank of America, who returned to the corporate world and took up a Global CISO position with Barclay's Global Retail and Commercial Banking sometime last year. She, however, recently left Barclay's.

Again, Lohrmann in his existing CISO position was asked to become an acting CTO for the state of Michigan even without a formal interview process.

Essential Skills for a Successful Transition:

Below are four basic elements provided by Katz to all existing CISOs who are looking to make a transition.

  1. Excellent Track Record - You must have an excellent track record to be respected and admired as a leader. While still in office, invest time and effort in building a strong reputation.
  2. Professional Proficiency - Develop professional skills, including business, management, security and compliance - all elements that the role demands for outstanding work performance.
  3. Relationship Building Skills - Invest in building meaningful relationships in your current job with trusted peers, supervisors and extended network within the industry and outside.
  4. Self Marketing Skills - You need to have excellent marketing skills to be able to internally sell security within the organization. Be able to build and present business cases effectively to management.

About the Author

Upasana Gupta


Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.
