[Posted on behalf of Gary Hayslip, CISO, SoftBank Investment Advisor]
Over the years in my career, I have heard some variation of this question from many of my peers. Usually, the discussion starts over a cold beverage as we catch up and discuss how our current roles and the companies we work for have issues. Note to the reader: everyone has issues, which leads to the inevitable “now what, is there something else?” Basically, they have worked hard to achieve their current CISO role, having worked through many different positions, projects, companies, etc. After all of that time, they start to question themselves. They have made it to the supposed top of their profession and find that it isn’t what they thought it was going to be, or they have served as a CISO multiple times, find they are facing burnout, and ask themselves whether it’s time to make a change and what that change would look like.
I am one of those CISOs looking back over my years of experience and wondering what’s next. I continue to enjoy leading teams and building security programs for my organization. However, in speaking with other executives and professionals in our community, I am fascinated by the new opportunities we seem to create daily in the cybersecurity field. These discussions with fellow security professionals motivated me to write this article and list some of the opportunities I see out there, so all of us understand we are not at an end but at a possible beginning.
CIO – Chief Information Officer. I can hear many of my CISO friends laughing at me as I make this suggestion, but give me a second to spell out why this may be a new role for a security professional. I have known CISOs who have stepped into the CIO role, and many of us work closely with CIOs; though we have different technology stacks and different agendas, I believe that if a CISO wanted a change of pace, they could make the switch. As someone who has been a CIO in the past, I would caution that your view of the business will shift if you take this route. Your new role will focus on delivering enterprise IT services, so you will lead the efforts to architect and provide exceptional IT services to employees. That takes a lot of work, and it means you are focused on daily service delivery, so think about it.
CTO – Chief Technology Officer. I have known some CISOs who came from software development or network engineering backgrounds and who, after several roles as a CISO, transitioned into more of an enterprise technical role for their business. These peers were CISOs who worked on internal security and with product teams, so they were familiar with research and development, and making the switch was a good fit for them. I think this option fits CISOs with an engineering and product development background, and I believe it to be an excellent opportunity for the CISO who is a hacker and engineer at heart.
CRO – Chief Risk Officer. I have known CISOs whose role at an organization evolved into this one over time. Of course, it was because of their company’s business needs, and they had a background in risk management and had probably been an auditor or consultant in a previous role. Again, like CTO, this is a role I think is open to CISOs who have specific experience and skill sets in risk management and audit. I believe it can be a proper fit for the right CISO and could provide new opportunities, especially with the new regulations and compliance requirements many businesses face today.
vCISO – virtual CISO. This job is for the CISO who doesn’t want to own a security program but is happy to come in and help a business as their temporary CISO, either building one for them or assisting a standing CISO with projects and new initiatives. I have known several security professionals who wanted a break from being an active CISO, so they selected the vCISO route as an opportunity to stay engaged with the community. This role is not for everyone; one of the hardest parts of this job is understanding that your work can be disregarded or assumed by one of the client’s business executives. You have to accept that you are temporary and that you are there to help them be successful; in the end, they define success and can decide to go a different route.
CPO – Chief Privacy Officer. I have held this role multiple times while also being a CISO. I think it will continue to mature and stand on its own due to the many new laws and regulations on data privacy. I have found CISOs fall into this role pretty easily because we typically manage the security controls that protect data, and we are intimately involved with the governance process for accounts and access management. I have also found that many CISOs help with business data governance initiatives, leading them to work with regulations and compliance rules involving privacy. So the CPO role could be an excellent opportunity for a CISO who may want to continue doing some security but cross over into the privacy field. This move would allow them to continue serving the business in an important role without having to manage and feed a security program.
CSO/CISO Strategist – this has been an exciting opportunity for several friends who transitioned into working for larger businesses or organizations. It is kind of like being a senior security executive who is there to advise product, marketing, legal, and compliance teams. In essence, it is taking all of the knowledge and experience you have gained over the years as a CISO and helping your company plan and execute various projects and initiatives that may have security or risk issues. I have also seen this position used by larger organizations to advise and assist their client companies or their board of directors. For a senior CISO, this may be a good transition into something new with possible growth opportunities.
Security Researcher – for the CISO who is a hacker at heart, someone who loves to look at how things are put together or how they can be taken apart, this might be the position for you. I have known several CISOs who stepped out of their roles and moved into being researchers, one of them interested in threat intelligence and in how to help protect non-profits. Another joined a consultancy group and spends all of her time researching new threats that we are not even aware of yet. Of course, if you are looking at this type of position, it is another one that takes a lot of discipline to manage your time and projects, plus it helps if you can write and communicate your findings well <smile>.
Consultant – similar to the vCISO position, this is a job where the CISO could take a break from leading teams and building security programs, and work as an advisor to clients. This can be different from the vCISO position because you can be a consultant on other things besides being a CISO, like cloud security, leadership, smart cities, running red teams, etc. Your experience and your imagination honestly are the only limits to the options you have here. I worked as a consultant last year as I transitioned from Webroot to SoftBank and found it rewarding. I helped several local CISOs build their strategic plans and helped conduct several risk assessments. Word to the wise: if you are looking to be a consultant, you need to manage your time effectively, and you still need to keep yourself current on the latest technologies, threats, and services.
Security Product Manager – this has become a role I have seen CISOs transition into, especially at cybersecurity product companies. I did something similar when I was at Webroot: as the company was being acquired, I was asked to work with the product teams and develop a possible vCISO service. It was one of the first times I had stepped out of the CISO role to work with customers, and I found the opportunity to be intriguing. I have also seen other CISOs at companies who were tasked with managing internal cybersecurity and helping with the security of the products their business was selling. I think this option is one that CISOs transition into when they want to try something different after implementing a stable security program. That is the primary point I would make about doing this type of job: as a CISO, you should either fully step out of the CISO role to focus on the new job, or, if you plan to do it alongside internal security, not do it until your security program is mature.
VC/Investment Consultant – recently, I have started to see more CISOs work with investment groups as consultants. They are either working with companies in the portfolio, ensuring they are secure and their intellectual property is protected, or providing insight into the due diligence process before an acquisition or an investment. What would make this job fun for a CISO is that you get to help manage risk and provide security advice without the stress of managing a security team or security program. The CISOs I have seen fill this type of job are those who enjoy teaching and helping startups and have extensive knowledge of security, of how businesses are managed, and of how cybersecurity can help them be innovative.
Entrepreneur/Startup Founder – I think many CISOs dream of how they could do a particular product better, or they have an idea about a service they know businesses would want to buy. Well, here it is: a job that is 20+ hours a day, seven days a week <smile>. I didn’t say it would be easy, and of course, you are exchanging one source of stress for another. However, you get the chance to build something, and you never know, you may find you like creating a startup and pivot your career to something new.
Teacher/Mentor – this opportunity is one I see CISOs doing while still in their role as a security executive, though some decide to take a break from their leadership role and focus on teaching. I hope to teach at the college level about cybersecurity someday; I think being able to mentor the next generation of security leaders would be rewarding and less stressful than managing a security program. So this is one opportunity I think CISOs can pursue in their current position and, over time, transition into full time, giving back to our community; to me, that is a good thing for all of us.
Industry Evangelist – we are down to our final opportunities, and this is one I have seen multiple peers in, where they may support a CISO and work with the marketing, sales, or product teams. In this role, you would be expected to travel and talk about cybersecurity and help grow the company’s footprint in the community. I have also seen CISOs filling the evangelist role who visited customers, answered their questions, and brought their issues back to the product and marketing teams to improve the company. Be advised, if you are looking at this type of role, that it gives up the stresses of being a CISO, but you will take on the burden of travelling and continually speaking to people about cybersecurity. If you are someone like me who loves technology and enjoys travelling, well, this might be the new job for you; however, understand that this type of position brings its own particular issues, so I would recommend speaking with a couple of evangelists first.
Sabbatical – finally, in the end, maybe we decide to step out of the CISO role and take a break. Perhaps we sit on the beach for a while or decide to take time off and write that book we have been talking about for years. What’s important in this final opportunity is that we take a break and refocus on what’s important to us in all of the previous ones. Then, with renewed energy, we get back involved with our community.
I know I am probably missing several more exciting opportunities a CISO could transition to. Still, my purpose for this article wasn’t to list everything but to get people to think of the possibilities. I firmly believe the CSO/CISO role is not the end of a career in cybersecurity. It is not the final role but a stepping stone onto another path that incumbents can take to continue growing professionally. I like the fact that our community has many opportunities for us, because I am one CISO who plans to be here for a long time, in whatever role still provides me with a challenge and the opportunity to continue mentoring the next generation.