Life After CISO: What Are the Options?
Tips on How to Prepare for the Next Big Career Move
Jennifer Bayuk is the former CISO at Bear Stearns & Co. She became an independent consultant after the company was acquired by JPMorgan Chase early last year. Bayuk notes that, "The CISO title is something that sticks with you. It is not so much a title as a mindset. I was recently invited to be on a panel of CISOs at a conference, and suggested that it was inappropriate. But a colleague joked, 'Once a CISO, always a CISO,' and I knew what he meant." She wants to remain independent and participate in projects and research that will increase national security as well as equip future security professionals.
Bayuk's transition didn't happen overnight, though. It came after careful consideration - and preparation - for "life after CISO."
Here are some tips for security leaders considering their next career moves.
Know Your Options
It's always good to have career options, but there are times in your leadership career when you especially should start making plans, says Charlie Miller, former Director of Vendor Governance at Merrill Lynch:
- All Talk, No Action - When there are numerous senior management changes and most of the CISO's time is spent explaining what they do, vs. doing what needs to get done.
- Treading Water - When leaders are shifted to maintenance as opposed to building a security program and team within their organization.
To prepare themselves for their next move, existing CISOs need to make sure they stay current with their industry and profession. This means attending and participating in security and industry-relevant seminars and webinars; reading professional reports, books and similar material; subscribing to journals, magazines and newsletters; and joining industry groups and professional associations.
And since security these days is much more about the business than the technology, CISOs also must focus on improving their understanding of business concepts and communications. This is the competency that will impress a future employer or client, and yet it's often overlooked by busy executives caught up in the daily grind.
Another key piece of advice: Network, network, network. "Do your job effectively as a CISO, build relationships in your current job with trusted peers, supervisors and your extended network," says Steve Katz, credited as the world's first Chief Information Security Officer. "The more trust you build in your current position, the more opportunities you will get after leaving the CISO position."
Following are four distinct career paths that security leaders have followed post-CISO:
1. Independent Consulting:
Many former CISOs embrace the path of being an independent consultant, either on a temporary or permanent basis. "I like working for myself," says Miller, who is now on the verge of forming an LLC with an associate, focusing on information security outsourcing, privacy, and training and awareness programs. He consults to the Santa Fe Group on enhancing the BITS Shared Assessments Program used by institutions when evaluating a third-party provider's control environment. "Independent consulting is successful when a strong reputation is built around the individual," says Katz, a prominent figure in the network security discipline. For over twenty-five years, Katz has been directly involved in establishing, building and directing information security and privacy functions. He is the founder and President of Security Risk Solutions, an information security company providing consulting and advisory services to major, mid-size and startup companies, and an executive advisor to Deloitte.
Executives should rely heavily on building reputation and networking before jumping ship, as people will want to know "who you really are," Katz maintains.
2. Advisory and Partnership Role:
A trend also seen among former security leaders is to take up an advisory or partnership role with one of the major consulting companies, security vendors or educational organizations, helping them manage their clients' health in areas of security and privacy risk. Katz, for instance, is currently an advisor to Deloitte in the area of risk management and security practices. "I have seen several of my colleagues -- former CISOs within the government -- take up positions with companies like McAfee and Symantec, as an advisor on their business, sales and marketing end," says Daniel J. Lohrmann, the Michigan Chief Technology Officer (CTO) and Deputy Director of the Infrastructure Services Administration within the Michigan Department of Information Technology (MDIT). Prior to becoming Michigan's CTO, he was Michigan's first Chief Information Security Officer (CISO), from May 2002 until January 2009.
"Ultimately your choices depend on what opportunities are available at the time you make the change," says Warren Axelrod, Research Director for Financial Services for the United States Cyber Consequences Unit. "Right now, in this time of retrenchment, the job market outlook for CISOs is pretty glum. However, there is a substantial demand for subject matter expertise and advice that comes from many years of on-the-job information security and privacy experience."
Axelrod is Executive Advisor to the Financial Services Technology Consortium. Most recently, he was the Chief Privacy Officer and Chief Business Information Security Officer for US Trust, the private wealth management division of Bank of America.
3. Teaching and Mentoring:
"Security is the most valuable thing we have," says Bayuk, who is also a professor at Stevens Institute of Technology, where she teaches enterprise security architecture. Both Miller and Axelrod have done webinars for various security clients on topics ranging from vendor governance, business continuity and cybersecurity to outsourcing in security. Lohrmann believes strongly in mentoring and providing leadership insights by taking up speaking engagements, authoring blogs and books, and being a member of professional organizations such as InfraGard, all in order to make security more effective. He is also a distinguished lecturer for the Master's Program in Information Assurance at Norwich University.
4. Continue in the Corporate World:
If you've been a successful CISO in one specific business or industry, why not consider a similar role in another type of organization entirely? As Lohrmann points out, "The similarities (in roles) are greater than the differences." The key difference: the specific culture and the way business cases are built to emphasize enterprise security in each organization.
Many former security leaders move on to equivalent positions or greater roles in banking, consulting and government organizations, where their knowledge, experience and skills are easily transferable. For instance, take the case of Rhonda MacLean, a former CISO of Bank of America, who returned to the corporate world and took up a Global CISO position with Barclays Global Retail and Commercial Banking sometime last year. She has, however, recently left Barclays.
Similarly, Lohrmann, while still in his CISO position, was asked to become acting CTO for the state of Michigan, even without a formal interview process.
Essential Skills for a Successful Transition:
Below are four basic elements that Katz offers to all existing CISOs who are looking to make a transition.
- Excellent Track Record - You must have an excellent track record to be respected and admired as a leader. While still in office, invest time and effort in building a strong reputation.
- Professional Proficiency - Develop professional skills, including business, management, security and compliance - all elements that the role demands for outstanding work performance.
- Relationship Building Skills - Invest in building meaningful relationships in your current job with trusted peers, supervisors and your extended network, both within the industry and outside it.
- Self-Marketing Skills - You need excellent marketing skills to be able to sell security internally within the organization. Be able to build and present business cases effectively to management.
Career Resources:
- Information Assurance Academic Programs through NSA-approved universities
- How to Earn a Master's in Information Assurance
- Risk Management Priorities: Joe Restoule, President of RIMS
- Webinar on Business Continuity Risk Assessment & Resource Allocation
- Webinar on Board Responsibilities for IT Risk Management: Building Blocks for a Secure System