How to become a CISO

If you have your sights set on the top job in security, there are a number of things you are going to need to do to secure it. CISO salaries are typically in the £120,000 - £130,000 range, with some going up to over £300,000 + benefits. In the US, salaries are often closer to $600,000, with some hitting $1 million basic salaries. Working your way up to this role is worth it financially, although it comes with a lot of pressure. You also need to be a well-rounded security and risk professional. CISOs have responsibility for a large number of areas such as:


  • Security engineering (security architecture, identity management)
  • Security operations (vulnerability management, incident response)
  • Governance (data protection, audits)
  • Risk management (vulnerability scanning, 3rd party risk management)
  • Threat intelligence
  • Training and awareness
  • People management
  • Board (hopefully) level reporting


What is obvious from this list is that it would be very hard to be an expert in all of these areas. The good news is that this gives you a couple of different routes into the CISO job.


Route one – security expert

Traditionally, the CISO was the most experienced security professional in the organisation. Working your way up through security is one possible way to get the CISO job. This route will typically see you gain security qualifications such as the CISSP and work across a broad range of security engineering and operations. If this is the route you want to take, make sure that you gain skills or jobs in areas that are not your specialism, so that you have the breadth to become a CISO. Ideally, spend some time in cyber risk or information security policy. You may have to make a couple of sideways moves to get the required experience in the organisation.


Route two – consulting

A great way to get a breadth of experience relatively quickly is to work for a consulting firm. While making use of your expertise, you will get exposure to a range of customers, technologies and, hopefully, different areas of security. As you work your way up in one of these organisations, you will gain the soft skills required to become a CISO. Once you have reached an equivalent level, you can look to make a move into industry as a CISO.


Route three – risk management

A number of the skills needed by CISOs are risk management focussed. You also need some core business skills, such as relationship management and an understanding of how businesses approach risk. We see a number of candidates, already senior in their own governance discipline, moving successfully into cyber security. These candidates make excellent CISOs as they understand risk, how to talk to the board, and how to manage PR and training, and they quickly learn about the security issues. The CISO does not need to be the technical expert, so a lack of in-depth technical knowledge does not preclude them from the job. You do need some technology experience, however: enough to know how to direct the team to do their jobs and to report upwards.

