Shostack + Friends Blog Archive


Job Hunting for Security Executives

Like everyone, there comes a time in every CSO’s career when they need to look for a new job. I’ve reached that point in my career and in looking around, I’ve run into several challenges. The first problem I’ve found is that there are a lot of different titles for the person who owns all of information security at a company. It could be anything from CSO or CISO to Director/VP of Information Security. Regardless of what these jobs are called, it turns out that most of these jobs are posted publicly anywhere and you just need to know the right recruiters and to leverage your contacts heavily to get leads and introductions.
Then there is the biggest problem of all: no one actually knows what a CSO does, what their scope of responsibility should be, or where they should sit within the corporate structure. If you put five CSOs in a room and interview them, you’ll end up with six different job descriptions. Responsibilities may range from nothing more than owning the operational aspects of network security to owning privacy, compliance, and both information and physical security. Organizationally, the CSO may report into IT Operations, directly to the CIO, to the CFO, the CTO, Audit, or in rare cases the CEO. Some CSOs will have hundreds of people in their organizations and some will have none.
If we as security folks can’t get some agreement over what our jobs are supposed to be, how the heck are we supposed to sell ourselves to prospective employers? And since employers have no concept of what we do, how are they supposed to figure out who is qualified and what is a reasonable scope of responsibility?
[Edit: Thank you to the folks who have been sending Adam job leads for me! They are greatly appreciated.]
