<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Matt Comyns, Author at Security Current</title>
	<atom:link href="/author/matt-comyns/feed/" rel="self" type="application/rss+xml" />
	<link>/author/matt-comyns/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Tue, 25 Sep 2018 22:11:23 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Matt Comyns, Author at Security Current</title>
	<link>/author/matt-comyns/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How to Write a Great CISO Resume – Know What to Include</title>
		<link>/how-to-write-a-great-ciso-resume-know-what-to-include/</link>
		
		<dc:creator><![CDATA[Matt Comyns]]></dc:creator>
		<pubDate>Tue, 25 Sep 2018 22:11:23 +0000</pubDate>
				<category><![CDATA[Executive Viewpoint]]></category>
		<guid isPermaLink="false">/?p=19739</guid>

					<description><![CDATA[<p>Managing Partner, Caldwell Partners The Chief Information Security Officer (CISO) job has changed significantly in the last couple of years. It has historically been more of a lower-level, tactical IT&#8230;</p>
<p>The post <a href="/how-to-write-a-great-ciso-resume-know-what-to-include/">How to Write a Great CISO Resume – Know What to Include</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Managing Partner, Caldwell Partners</p>
<p>The Chief Information Security Officer (CISO) job has changed significantly in the last couple of years. It has historically been more of a lower-level, tactical IT job, but now has become a higher-level strategic, business-oriented role around enterprise risk management. With that shift in the job responsibilities, the specifications have changed, and therefore how you write your resume should change accordingly.</p>
<p>This primer will provide guidance on how to write a winning resume to help land your next role as a strategic CISO. The most important thing is to demonstrate that you have what is required for today’s CISO position. As you look back through your career, think about how to translate your experiences into a story of what companies want today.  Even if you have had that more technical bent in your previous roles, companies now are interested in your business acumen, your communication skills, and your leadership skills, including how to influence others—in other words, your “softer” skills.</p>
<p>With that in mind, here are some points you want to convey as you highlight your career history:</p>
<ul>
<li>What you learned in your previous roles about leadership and management</li>
<li>How you demonstrated that you have strong business acumen and have used security strategies as a business enabler</li>
<li>How you helped your business colleagues manage their risk</li>
<li>How you used your influencing skills to get people to do things they didn’t necessarily want to do</li>
<li>If you are part of the management team, how you have demonstrated “executive presence,” such as presenting before the board or C-level executives</li>
<li>How you brought about positive change for your organizations</li>
</ul>
<p><em>Tell a good story</em><br />
The story that must come across is how you bridge the business and technical components of the role—how you are technical but also a leader and an executive manager. Be sure to highlight the unique experiences (at the time) you had in all of your moves. For example, “My team implemented the first cloud security program” or “I built the Security Operations Center from scratch.”<br />
As a differentiator, you can seed your resume with trending hot topics that you have experience with, such as cloud security, privacy, artificial intelligence, machine learning, blockchain, and so on.<br />
Otherwise, your resume should contain the standard fare with as much accuracy and transparency as possible: the companies you worked for, the dates, the job titles, your education. If you feel comfortable, talk about the reporting structure in your jobs, as in “I reported to the CIO.” List the specifics of what you managed. For example, “I managed a team of 20 people and we were responsible for the cybersecurity strategy, policies and operations.”<br />
If you’ve had a lengthy career, the last 15 years in particular are the important ones. For the job roles prior to that, simply list the company, your job title and the dates. There’s no need for any other details about older jobs; they would just make the resume that much longer.<br />
Speaking of length, try to keep your resume to two pages, three at the maximum. No one has time to read a five-page resume. The discipline of the economy of words will help you highlight the most meaningful information. Content is far more important than form.</p>
<p><em>Explain yourself, if necessary</em><br />
If you have made a lot of moves in your career – what we call a “jumpy” career – you need to take extra care to explain the moves. In general, employers are wary of people who don’t stay in their jobs very long. For example, a change in companies might be the result of an acquisition, not an actual change in jobs. You might say, “I was at ABC company for 18 months and then XYZ company for 2 years, but it was all the same job. ABC was acquired by XYZ during my tenure.” Such an explanation shows that you are more stable than your resume may make you appear.<br />
You want to list your education and any relevant additional courses, certifications or training. For example, “I attended the CISO Academy presented by the FBI,” or “I hold the CCISO certification.” If you didn’t earn a full college degree, it’s fine to mention that in the resume if you explain why. “I was in my fourth year of college when my father passed away. I left school to take care of my family, and I haven’t gone back to complete my degree.” It’s not important that you didn’t finish, as long as there is a good reason why.<br />
Most people conclude their resume with the standard line “references upon request.” If you can, list the people who are your references—especially if you have someone who is well known and respected in the industry. People want to know who you are close to. It matters, so consider who you use for your references.</p>
<p><em>Beyond the resume</em><br />
There are interesting aspects of your career that won’t go on your resume, but you should be prepared to talk about them if you get an interview. For instance, your motivations, what you are good at, what your strengths are, what career lessons you took away from each job role you’ve had. These are great discussion points that you should bring up if the interviewer doesn’t ask.<br />
Make sure your LinkedIn page is current with your experiences. In fact, I recommend you focus as much on your LinkedIn page as on your resume, as many recruiters and prospective employers will find you and learn about you online first before ever seeing your resume. You should be updating your LinkedIn profile every month to reflect the new things you are doing. Make it as real-time as you are. The people in your network matter, too, as employers might take this as a sign of your relevancy. Your network in security is really important because it takes a village to build a secure enterprise.<br />
As you write/update your resume, keep in mind that employers want to see that you are on the right trajectory to be their next CISO. They want to see that you have progressed and learned and have had increasing levels of leadership and responsibility. If you tell a good story, you will be that much closer to the next big step in your career ladder.</p>
<p><em>Caldwell Partners is one of the world’s premier providers of executive search and has been for more than 45 years. Matt Comyns is managing partner of the firm’s Cyber Security Practice. His focus is on recruiting chief information security officers and next-level-down top lieutenants in information security for large global corporations and fast-growing private companies, as well as cyber security consultants for leading professional services firms and top executives for cyber security technology companies.</em></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How to Talk About Salary When Looking for a New Job</title>
		<link>/how-to-talk-about-salary-when-looking-for-a-new-job/</link>
		
		<dc:creator><![CDATA[Matt Comyns]]></dc:creator>
		<pubDate>Fri, 27 Jul 2018 10:59:47 +0000</pubDate>
				<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=19600</guid>

					<description><![CDATA[<p>Looking for a new job can be thrilling and stress-inducing at the same time. You want an opportunity that will challenge you and help you grow, but the process of&#8230;</p>
<p>The post <a href="/how-to-talk-about-salary-when-looking-for-a-new-job/">How to Talk About Salary When Looking for a New Job</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Looking for a new job can be thrilling and stress-inducing at the same time. You want an opportunity that will challenge you and help you grow, but the process of landing an offer for your dream job can be tricky to navigate.</p>
<p>For many people, one of the most vexing issues is how and when to talk about salary and other compensation such as bonuses and stock options, which I call your “all-in” package. This is especially true now, when the market is moving so fast.</p>
<p>What should you say when a prospective employer asks about your salary? It’s a crucial question for both of you, and your response could increase or diminish the employer’s interest in you. Moreover, it could have you leaving money on the table or increasing your salary handsomely. Obviously, you want to say the right things that will leave both you and the employer satisfied that a mutually beneficial deal can be reached.</p>
<p><b>Know your market value</b></p>
<p>The matter of compensation will likely come up in the conversation, but don’t be the first to raise the subject. When they ask, it’s fine to say where you are today—they are going to find out at some point anyway. However, it’s key that you have knowledge of what you are worth in today’s market, so you know where you want to get to in terms of a baseline with the move.</p>
<p>The good news is that compensation is rising for CISOs. People in other fields can expect to increase their compensation by 15% or more through a job move; top level security people can often expect more than that. This is where knowledge of the market and your value come into play as you will need to advocate for yourself.</p>
<p>Say you make $200,000 or less all-in, right now, as a CISO. You could say, “Clearly security is a very dynamic market. Based on everything I’ve learned from my peers in the industry and the current opportunities that I’m looking at, it appears that roles for someone with my experience and expertise have a fair market value of upwards of $500,000 or more. I have been targeting roles in the range of at least $350,000 to $450,000, all-in.”</p>
<p>Another way to start the conversation is to say, “As we all know, this is a bit of a crazy market that’s moving really quickly. Numbers are changing all the time in this dynamic market. I’ve done a fair amount of due diligence, and I have seen that for someone with my experience level, the starting point in the market is upwards of $350,000 all-in.” You don’t want to negotiate against yourself but you want to use the conversation strategically to set a floor so they don’t waste your time unless the offer is at least $350,000, or whatever amount you are seeking. You can steer the conversation regarding what you would accept and would not accept.</p>
<p>A recruiter might send you a form to fill in your information. If there’s a place on the form for desired salary, it’s OK to write “TBD, to be discussed at the appropriate time.” Giving full transparency is fine, if and when it’s appropriate to do so, but filling out an initial interest form feels a little too soon.</p>
<p><b>Acknowledge that compensation can be a tricky subject</b></p>
<p>You also want to convey that it’s not just about the money for you. Security people are very mission-oriented. Most people with more than five years of experience didn’t get into this industry for money. You can tell the employer you are looking for a company that has a commitment to good security, where there is alignment with the executives and the board around what “good” looks like, and which cares about security as much as you do. You want to go to a company with a philosophy around security that is harmonious with yours, and that includes a commitment to paying fair market value for high quality leaders. It can be tricky, but you need to be balanced with your communication around compensation, because this also demonstrates your business acumen.</p>
<p>You have to have realistic expectations of what a company would offer you. Even if you are currently far under current market value – let’s say you are at $180,000 all-in – it’s rare that someone would offer to double your salary to get you to move. A 100% increase or more can occur but it is highly unusual.</p>
<p>More often than not, there’s a disconnect on salary because the market is moving so fast. The employer might offer, at least initially, a lower all-in package than you might want to accept. Keep in mind that this is a learning process for them as well as you. Don’t reject them outright based on the all-in package numbers; you never want to burn a bridge. If they’re interested enough in you, they might come around to meet your numbers. They might come to realize that they can’t have an expensive luxury car on a low-end budget.</p>
<p><b>Plan a few moves ahead</b></p>
<p>Think longer term. You could make a few strategic moves in a 2 ½ or three-year time span to increase your all-in salary significantly from where you are today. For example, suppose you are currently at $180,000 or $200,000 and you take a job at $350,000. Assuming you succeed in that position, within two-plus years you could be looking at $500,000 or more by making another move. That’s how you have to look at it in this market. You are really attractive to a lot of companies that don’t want to pay $500,000 right now; they want to pay $350,000 but there aren’t that many qualified candidates at that level.</p>
<p>If you are under market value today, for whatever reason, part of your attraction is that you will come in at $300,000 or $350,000. Frankly, that is a big reason why you would get the job before someone who is equally or maybe even slightly more qualified, but who is demanding a much higher compensation package. If you take a little bit longer view on this, you could have your cake and eat it too.</p>
<p>It’s a terrific job market today for experienced and well-qualified CISOs. Companies increasingly are looking for people to fill high-level strategic positions around security and enterprise risk management. If you can make a case for yourself, you should command a highly competitive all-in salary. Knowing how to ask for it is key.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Create Better Career Opportunities &#8211; Manage Your Reputation</title>
		<link>/create-better-career-opportunities-manage-your-industry-reputation/</link>
		
		<dc:creator><![CDATA[Matt Comyns]]></dc:creator>
		<pubDate>Mon, 04 Jun 2018 20:13:33 +0000</pubDate>
				<category><![CDATA[Featured Articles]]></category>
		<guid isPermaLink="false">/?p=19469</guid>

					<description><![CDATA[<p>You might be perfectly happy in your job right now, but at some point in your career, you might decide that it’s time for a change. Or perhaps your company&#8230;</p>
<p>The post <a href="/create-better-career-opportunities-manage-your-industry-reputation/">Create Better Career Opportunities &#8211; Manage Your Reputation</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>You might be perfectly happy in your job right now, but at some point in your career, you might decide that it’s time for a change. Or perhaps your company will be acquired, and the decision for you to move on won’t necessarily be yours to make. Whatever the scenario, the time to prepare for a job change is now, and you can start by carefully managing – and even cultivating – your reputation as someone who companies really want to hire.</p>
<p>This primer provides tips on managing your reputation to help ensure an optimal outcome for both you and your potential employers.</p>
<p><strong>Give people a reason to trust you</strong></p>
<p>The Chief Information Security Officer (CISO) role is all about creating trust and protection for an organization. Likewise, you need to give people a reason to trust <em>you</em>. You will command a premium salary if you are perceived to be credible and trustworthy. This is something you must foster now and manage during a job search process.</p>
<p>Be forthright with the companies that may be looking to hire you. Do not misrepresent yourself because you really want the job. There are many different types of CISO positions – those that are more strategic in nature and those that are more technical or operational. As long as you are transparent about your intentions, it’s acceptable to position yourself as a change agent or a “fix-it” candidate who will go into a company, make the necessary changes to get the company up to security best practices, and then move on in two to three years’ time. Some companies may be fine with that.</p>
<p>If you are fortunate enough to have multiple companies interested in hiring you, don’t play games with them, such as pitting one against another in a bidding war. Part of why a company wants to hire you is for your good judgment and business acumen, which includes managing your own reputation and search process. If companies catch a whiff of game playing – and they will, if it’s there – then your credibility will be called into question and the interest could dry up.</p>
<p><strong>Take a long-term view of your career</strong></p>
<p>The market for cybersecurity leaders is very hot right now, and it will be for some time. It can be tempting to want to job hop to continue to increase your compensation package. However, making a move to chase the money can be so short-sighted—and possibly damaging to your career, if you get a reputation for jumping ship quickly or move into a position that doesn’t suit you well.</p>
<p>You need to manage your career moves, whether you plan to work for just another five years, or for 10 or 20 years. As you plan to make a move, ask yourself, “Is this the right move for me at this time? What new things can I learn? How can I be a change agent for this company? Will I have the leeway and the resources to accomplish good things?” Do your due diligence before accepting an offer.</p>
<p><strong>Brand yourself as a continuous learner</strong></p>
<p>The cybersecurity industry is changing very rapidly. You have to be a continuous learner to stay current with threats, technologies and trends. Invest in yourself. Your resume should show that you are fresh on relevant certifications, you keep up with current topics, you take courses to expand your knowledge, and you participate in ISACs and other programs to gather and share knowledge.</p>
<p>Part of learning is taking on challenging roles that will stretch your mental muscles. Look for opportunities to do new things. For example, many companies offer to cross-train their key employees by moving them around within the organization. Welcome these opportunities to learn something new, even if they take you out of your comfort zone for a while.</p>
<p><strong>Differentiate yourself</strong></p>
<p>People can look pretty much the same on paper, so there should be something on your resume that makes you pop. Your differentiator could be a unique degree or certification, hands-on experience with a hot topic, a unique combination of education and skills, or whatever you believe sets you apart from others. Highlight your differentiator on your resume if you know a prospective employer has an interest in that area.</p>
<p>For example, maybe you go deep on a specific topic, like privacy. With the GDPR looming large for global companies, anyone who can tout special expertise in privacy protections is a standout. Other trending topics today that are good differentiators are cloud security, artificial intelligence, blockchain and machine learning.</p>
<p><strong>Get noticed for your leadership</strong></p>
<p>There are numerous ways to get noticed outside of your own organization. One way is to create thought-leadership content that demonstrates your expertise, such as through published articles or speaking opportunities. You can take a leadership position within industry organizations, such as the SANS Institute, your industry’s ISAC, or groups like the Cloud Security Alliance.</p>
<p>It’s good to align with universities and/or schools and their cyber curriculum. It shows that you are interested in preparing the next generation of security professionals for real-world jobs.</p>
<p><strong>Be a catalyst for others to be successful</strong></p>
<p>Too often, people get focused on how to make themselves successful. Companies look for people who have a knack for helping others be successful too. For example, one CISO I’ve worked with participates in his industry ISAC. He has a reputation for being incredibly helpful to the ISAC, in terms of pushing the boundaries of information sharing and openness among the member organizations. He helps individuals and he helps his entire industry. He is just a catalyst for goodness that is helping to change the industry. His reputation will precede him if and when he goes on his next job search.</p>
<p><strong>In summary…</strong></p>
<p>You are in an exciting professional field, in exciting times. There is plenty of growth in the market, as well as lucrative financial rewards. It’s important that you manage your reputation to put yourself in the best light possible with the people who might want to hire you.</p>
<p>Let me summarize my tips:</p>
<ul>
<li>Engender trust and credibility in your reputation. Honor the commitments you make.</li>
<li>Take a long-term view of where you want to go. Don’t simply chase money to move from job to job.</li>
<li>Keep current with your knowledge and brand yourself as someone who is always learning.</li>
<li>Be a team player with a reputation for helping others be successful.</li>
<li>Establish yourself as a thought leader.</li>
<li>Look for opportunities to learn new things.</li>
<li>Develop a differentiator that will make your resume pop.</li>
</ul>
<p><em>Caldwell Partners is one of the world’s premier providers of executive search and has been for more than 45 years. Matt Comyns is managing partner of the firm’s Cyber Security Practice. His focus is on recruiting chief information security officers and next-level-down top lieutenants in information security for large global corporations and fast-growing private companies, as well as cyber security consultants for leading professional services firms and top executives for cyber security technology companies.</em></p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
