Demand for skilled security professionals remains strong, but it’s being tested by the economic uncertainty that accompanies an election cycle.
Economic uncertainty typically spurs companies to cut spending, and many consequently have either had big layoffs or major restructurings. That’s probably leading to hiring freezes until companies sort out where they stand internally. Executives may also be shifting priorities, and reevaluating security needs while they explore how to optimize current staffing before bringing in very skilled new hires.
If you’re a CISO looking for a new role in this climate, you should probably be thinking about four things:
Highlight the value you bring: Showcase your experience in managing security, mitigating risks, adapting to an evolving threat landscape, and your experience with budgets. One of the keys to building a case for your candidacy is thinking about what type of CISO you are. Are you a CISO who is good at being a builder, the early-on security hire who essentially must do everything while building the organization? Or are you a good security operator, who’s very good with budgets and security operations, and can take an existing program and continue to develop it? Or maybe you’re a transformer, the type of CISO who comes in post-breach or post-incident to an organization that needs a major security overhaul?
Figuring out what type of CISO you are will help you to frame your strengths best.
So, too, will figuring out what size organization you’re suited for. If you’re used to managing a lot of people, odds are that the startup world isn’t for you because there you’d be doing everything until the startup reaches critical mass. When you’re creating your CV, there will be different things to highlight depending upon the size of the organization you’re looking at, and whether it needs to be built from the ground up or transformed.
Understand the industry you’re looking at: How do you highlight your industry knowledge? Some sectors are highly regulated, while others are not. Understanding the specific security challenges for the industry you’re looking at is crucial.
How do you network strategically as a CISO? Do you attend industry events? Are you connecting with your peer CISOs at different groups? Are you connecting to different recruiters? Oftentimes, other CISOs become aware of certain job openings even before recruiters do. How you build and leverage your network is important, as is the kind of brand that you bring to your network.
Demonstrate you’re current with the appropriate skills: Security is one of those industries where you need to be a continuous learner or you get left behind. You need to demonstrate your commitment to continuous learning by staying on top of technological developments and changes, such as cloud technology, blockchain or AI.
Compensation for security professionals varies widely. If you’re looking for a seven-figure opportunity, you need to understand that there are far fewer of those than there are mid-market opportunities. Competition will also be fierce. The big determinant of salary is not only the experience you bring to the table, but also the size and scale of the organization you’re looking at. Not all CISO roles are created equal in terms of authority and scope of operations.
Many organizations are now looking for CISOs because they understand they need them, but some might be offering compensation that’s below the average market value because they don’t have an understanding of the role. In those cases, it’s the job of the recruiter or HR to help them do an accurate discovery of where salaries are and help the company level-set expectations.
Within the past four or five years, there’s been an improvement in the specialist salary reports that are being published. But most organizations buy a generic IT salary report, and those do not tend to be a good reflection of security salaries. Consequently, HR is not necessarily getting the best data from outside since it’s not looking for security-specific salary reports.
Because of the new SEC regulations on security, demand for CISOs will increase. One of the big considerations candidates need to take into account is whether they will have the accountability and the authority to actually get the job done. Where does the CISO report in the organization? If there is a regulatory requirement, I would be fairly hesitant about taking a role where messaging has to go through multiple levels of management before it gets to the right person.
As always, finding the right opportunity is key to any job search.