Should I Stay or Should I Go Now?

With a nod to The Clash, I’ve been thinking about career decisions of Chief Information Security Officers (CISOs), and their decisions to stay in, or leave, their job.

Conventional wisdom suggests the average tenure of CISOs is two to four years. For an executive position that requires a deep business understanding, this isn’t a long time. It’s not that different from CIOs, but much less than CFOs and CEOs. Perhaps it’s the tech. Perhaps it’s the (lack of) respect. Perhaps it’s because companies don’t yet think of it as an executive position. Perhaps it’s the opportunity for more pay. In any case, a CISO’s decision to stay, or go, is usually very particular to the individual situation, but the factors to consider are common.

The Current Job

There has already been a lot written about choosing a company with leadership that supports the Security program. This is important to think about. But once you’ve chosen a company to work in, one whose mission you support, and that company has demonstrated support for Security, and you’ve been there three or four years, what other factors should you consider?

  • Have you done what you set out to do? It might be to start a whole new program, resurrect a failing program, pivot a program in a new direction, or keep a good program running well. Have you done this? Have you done this so that, once you leave, the work you’ve done won’t unravel for no good reason? If you were hired for this purpose and you leave before you’re done, will you burn bridges with your current leadership?
  • Do you have a succession plan? If you leave now, is there someone waiting to step into your role with a minimum of pain? Is it known by senior leadership how to backfill your skills, and your role? Is the replacement process known by your team? Is your successor ready now, or will it take some more time to grow their skills and experience?
  • Is your team stable? If you leave, will that spark an exodus of Security talent that will negatively impact the work you’ve already done? Would you intentionally take folks with you when you leave, and does your current leadership know this?
  • Are your peers and leaders supportive of Security even if you are no longer there? Or have they really been supporting you, but would withdraw support if someone else took over the Security function? Will funding and political support continue in your absence?
  • Are you in the middle of a major initiative, Security-led or otherwise, which needs your leadership to complete well? Heaven forbid you’re in the middle of a multi-year APT, but also consider if there are other efforts (a major ERP upgrade? A wholesale move to the Cloud? A Zero-Trust deployment?) for which your presence is essential.

In short, is now the right time to go?

The Potential New Job

Let us start by assuming there is another Security offer on the table. Also, let’s assume that your current job is generally OK, and not a complete hell-on-earth that you should run from at all costs. What should you consider when comparing the new job with the old? How do you know it’s worth the emotional and financial expense of making the move? There is risk in making a change, so what should you consider to help evaluate your exposure?

  • Will you learn something new? Moving from one place, just to do the same thing at another place, may not make the most sense. It won’t significantly expand your skills or experience, which will look absurd on a resume for the next job opportunity that comes along.
  • Will you be taking on a bigger role, in terms of people or geography? If so, this can help you grow your skills, but can also add to your stress and requirements to be constantly on call.
  • Does the new role bring you closer to, or higher up in, the c-suite? The perennial Security debate about who a CISO should report to (the CIO? the CEO? the Board?) persists for a reason — exposure to the c-suite is an important growth opportunity for any CISO. If you’ve only ever reported through the IT organization, maybe now is the time to consider a new role reporting more directly to senior leadership.
  • Is the new job in an industry you know well, or are you changing industries? Is that industry in the middle of disruption to a degree which will excite you, or stress you? If CISOs are so limited in their tenure, they’re not learning deep experience in any given industry. Perhaps you should be selecting a new job in the same industry, instead of jumping from vertical to vertical.
  • Do your skills align to the needs of the new company? Yes, we want a job where we can learn and grow; we also need to consider if we can be successful in the new role. Does your new opportunity value and take advantage of your strengths?

In short, is this new job worth the effort to change?

The Security industry is hot. The need for CISOs with experience is acute, and most existing CISOs are being courted by recruiters and other partners on a regular basis. Even if you’re happy in your current role, I would encourage you to at least explore other options — they may be a pleasant surprise — worst case you make some more connections. But once you get to a time where another offer is likely, or on the table, it’s important to seriously consider all options before making the big jump.

Too often, Security Leadership is seen as less-than-committed, chasing the bigger paycheck, and difficult for company leaders to understand. Making a considered, transparent decision to stay, or go, and sharing this with your current and future organizations, will help them understand you and your successor(s). That will make life easier for all of us.

-March 2019