With 2023 finally behind us, I felt it was time to reflect on an area of focus for our team last year. As a specialized security consultancy, PSG was instrumental in helping our clients hire 6 Chief Information Security Officers (CISOs). This was no easy feat, especially for those unfamiliar with the complexities of hiring at this level. I felt it was important to share what I learned through this process. Hopefully, folks can glean a few takeaways for their hiring needs or in their career journey.
Demographics
Before I launch into what I learned, it is important to understand the variety of organizations we've supported. Here's a snapshot:
Annual Recurring Revenue (ARR): From $75M - $230M USD
Company Size: From 150-2300 FTEs
Industry: Predominantly technology, especially SaaS
Verticals: Healthcare, Fintech, Transportation, Sports, Security Tech
Geography: US, EU, Australia, Canada
Company Type: Both private and publicly listed
While this post is tailored to the mid-market tech organizations, it still offers valuable perspectives across other sectors.
Consistency Review
Before finalizing our key learnings from last year’s CISO placements, I took a page from my engineering playbook and ran my conclusions through a peer review process. Big thanks to my industry peers [BW, RO, DB, and others] who provided critical feedback, ensuring my learnings are not only based on reality but also track with on-the-ground experience.
#1 Convergence
Last year, the dominant trend across the organizations I assisted with security leader placements was the convergence of security and IT functions into a single leadership role. 5 of the 6 roles I assisted with combined the security and IT functions under one leader. Here's why:
Natural Overlap: IT functions like IAM and endpoint protection have considerable overlap with security. Integrating these teams under one leader can enhance mission synergy.
Outsourcing Trends: Many companies no longer see traditional IT functions like desktop support as a growth area, choosing instead to outsource them. This shift has resulted in smaller IT teams.
Efficiency in Team Size and Cost: With IT teams at mid-market organizations shrinking due to outsourcing, the total team size remains small, reducing the necessity for dual leadership. This consolidation is seen as a cost-effective strategy.
Counterpoints
As with any evolutionary step in roles, a few significant counterpoints emerged:
Independence Concerns: The fear that security might be compromised for IT efficiency wasn't significant among the executives I spoke with. They trust their leaders to make the right trade-offs.
Skill Priorities: Organizations are prioritizing security skills over IT, believing that it's easier to teach a tech-savvy security professional IT skills than the other way around.
Takeaway
This convergence trend is accelerating, and my advice to aspiring CISOs is to bolster your IT skills to stay competitive and adaptable in this evolving landscape.
#2 Titles
One of the most provocative learnings from last year was that the title of a role—be it "Chief Information Security Officer" or "Head of Security"—did not significantly impact the core aspects of the job. Here's why:
Compensation: Firms set compensation based on the perceived value of the role, not its title. Salaries, bonuses, and equity options were determined well before the final job title was posted.
Responsibilities: Job duties remained consistent regardless of title. The blend of management, strategy, and operational responsibilities was established prior to candidate evaluation.
Hierarchy: The position's place within the corporate hierarchy was decided by the executive team, indicating that a "Chief" title doesn’t always equate to fiduciary accountability for security. This is a whole other topic we will cover in a later blog post.
Counterpoints
As expected, there was considerable feedback from my peers on this topic regarding favoring role substance over title:
Job Search Impact: Some peers were concerned that not using the title "CISO" might limit the candidate pool. However, most successful candidates were sourced through networking rather than traditional applications, allowing companies to emphasize the role's substance over its title during discussions.
Employee Retention: There was fear that employees might leave for a role with a more prestigious title. Yet, providing meaningful work and treating employees well (compensation, flexibility, training, etc.) has proven more critical in retaining talent than the title itself.
External Expectations: The hypothesis that having a "Chief" in the role might bolster organizational security credibility was discussed. However, it turns out that the substance and effectiveness of the security program are what truly matter to external clients, not necessarily the title of the person leading it.
Takeaways
This learning suggests that substance outweighs title in these roles. From a company perspective, treat your employees well and provide meaningful work. From a security leadership role perspective, focusing on the responsibilities and impact of a role rather than its title may become more prevalent.
#3 Recruiting
Last year's experiences provided me with a somewhat controversial observation regarding the sourcing of candidates for senior security roles. Contrary to traditional methods, here’s how candidates were effectively sourced:
Employee Referrals: Often, the most successful candidates were those recommended by current company employees. These referrals came pre-vetted and well-informed about the roles, significantly enhancing the efficiency of the hiring process.
Investment Firm Networks: For VC/PE-backed companies, candidates were often drawn from a maintained list of known successful candidates. These candidates were already recognized for their capabilities and fit within the firm's portfolio.
Clients: Surprisingly, some of the best candidates were sourced from the company's own client base. These candidates were already familiar with the company’s products and security practices through vendor due diligence and sometimes even knew the staff personally.
Counterpoints
So, what about the traditional paths for recruitment? To be honest, these were not successful for this role/market segment. Here is why:
Overwhelmed by Volume on Job Platforms: Posting these senior roles on popular job platforms often resulted in an overwhelming number of applicants, sometimes in the thousands. Despite utilizing AI and Applicant Tracking Systems (ATS), our recruitment teams still faced hundreds of "ideal candidates," making it impractical to process effectively. This approach was quickly abandoned for more targeted strategies.
Specialty Recruiters: While specialty recruiters have their place, especially in large organizations looking for highly seasoned security professionals, their effectiveness in our segment was limited. The pool of interested candidates from these recruiters was smaller, and the high competition for their services—coupled with potentially lower revenue from these placements—made them a less viable option.
Takeaways
These methods underscore the value of utilizing personal and professional networks over traditional HR platforms or specialty recruiting firms, especially in niche, high-level positions. People Operations take note.
#4 Employment Contract/Pay
I am going to end with what are, in my opinion, the most impactful findings for the prospective employees. Here is what we saw with respect to pay and contracts.
Stable Pay Rates: Despite the perceived scarcity of senior security leaders due to various industry challenges, compensation remained relatively flat in 2023. The typical package for candidates in this segment included a $260K US base salary, a 30% bonus, and at least $150K in equity over four years. This brings the total first-year compensation to around $375K.
Employment Contracts: Amidst increasing concerns about legal liabilities for CISOs and other high-stakes responsibilities, none of the U.S.-based security executives managed to secure a formal employment contract. Instead, they continued to be employed on an "at-will" basis.
Liability Protection: While formal contracts were not on the table, most candidates successfully negotiated their inclusion as an "insured person" under the company's Directors & Officers (D&O) insurance coverage, providing them some level of protection against personal liabilities.
Takeaways
This finding suggests pay may be stabilizing for the role and that there is likely future potential to negotiate into a full employment contract in the near term.
Summary
This post provides insights into the trends and challenges of hiring Chief Information Security Officers (CISOs) I experienced in 2023. What I learned:
Convergence of IT and security roles is a trend.
Job titles like "CISO" had minimal impact on the core aspects of the role.
Candidate sourcing shifted away from traditional platforms and specialty recruiters.
Compensation remained flat, and most security executives continued to work under "at-will" terms without formal employment contracts.
I hope you found this helpful and if you have any questions, feel free to reach out.
Marc