CISO Job Description Template 2026

Last updated: April 26, 2026

A Chief Information Security Officer (CISO) leads an organization’s information security strategy, regulatory compliance, and incident response, with U.S. base salaries running $245,000 to $375,000 in 2026 and a personal SEC liability exposure that did not exist three years ago. Below is a ready-to-adapt CISO job description, a comp table sourced from five public benchmarks plus our own placement data, and the bloat most templates still carry that screens out the executives you actually want.

Tom Kenaley here. KORE1 places security executives across our cybersecurity staffing and CISO staffing practices, and the conversation has shifted in the last eighteen months in a way most public JD templates have not caught up to. The SEC’s Cybersecurity Disclosure Rule went live in December 2023. The Joe Sullivan conviction was 2022. The SolarWinds CISO charges came in October 2023. None of that is hypothetical. It changed who takes the call when a CISO search starts, what they ask about insurance and indemnification before they even read the comp band, and what the strongest candidates need to see in a posting before they bother applying. Boilerplate JDs from 2019 do not get those reads.

This template is built for what the CISO market actually looks like in 2026. There’s a real JD at the bottom of this page that you can adapt and paste into your ATS. Before that come the pieces you need to get right at intake: profile commitment, comp realism, reporting structure, and the bloat audit that takes most CISO postings from 1,200 words of cargo-culted bullet points down to something a security executive will actually read.

One disclosure. KORE1 earns a fee on the placements we make. The framework below works whether you call us or run the search yourself.


Why the CISO Job Description Changed in 2023

Most CISO JDs you can find online were written before three things happened. The SEC’s final rule on cybersecurity risk management, strategy, governance, and incident disclosure took effect December 18, 2023. It requires public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material, and to describe their cybersecurity risk management and governance, including management’s role and relevant expertise, in their annual 10-K filings. Read the SEC press release if you want the primary source. The practical effect is that the CISO is now described, by role if not by name, in a public regulatory filing for the first time.

That changes the job. It also changed who applies. Quietly. Quickly.

The Sullivan conviction in October 2022, where the former Uber CSO was convicted of obstruction of justice and misprision of a felony related to the 2016 Uber breach, was the first criminal conviction of a security executive for breach handling. The SolarWinds matter, where the SEC charged the company and its CISO Tim Brown with fraud and internal-control failures in October 2023, was the first time the SEC went after a CISO personally for security disclosure failures. Whatever the eventual legal outcomes of those two cases, the chilling effect on the candidate pool is already done.

What this means in your JD. Strong CISO candidates in 2026 read the posting for three signals before they read the comp. Whether the role has D&O insurance with cyber-specific coverage. Whether the reporting line provides legitimate independence or is a pass-through to whoever caused the security gap. Whether the company will indemnify the CISO for decisions made in good faith. None of those words have to appear in the public JD. But the JD that signals the company has thought about them, by mentioning board reporting cadence and a defined risk-acceptance authority, is the JD that gets the senior reads.

The JDs that haven’t updated still get applications. Just not from anyone the search committee actually wants.

What Does a CISO Do?

A Chief Information Security Officer owns the strategy, governance, and execution of an organization’s information security program. That covers risk management, regulatory compliance, security architecture, incident response, third-party risk, identity and access management, and the security side of the technology roadmap. The role reports to the CEO, the CIO, the COO, or in some cases directly to the board, depending on the company. Where it reports matters more than most JDs admit.

At a mid-sized or larger company, the job is not primarily hands-on technical work. A modern CISO at that scale spends most of their week across three categories of work that blur into each other constantly. First, quarterly board and audit committee meetings, with the prep work and one-on-one director calls that fill the two weeks before each one. Second, vendor and customer security questionnaires that turn into revenue blockers when they sit too long; the security review process is the literal gate between a six-figure deal and a closed-lost in the CRM. Third, the cross-functional negotiation between engineering velocity and risk tolerance that determines whether the security function is treated as a partner or as an obstacle in the rest of the company’s quarterly roadmap and resourcing decisions.

Six things shape what the role looks like day to day:

  • Whether the company is regulated. SOC 2 alone is a different job than HIPAA plus PCI plus state privacy laws plus a NYDFS Part 500 obligation.
  • Whether the CISO inherits a built program or is the first one. First-CISO roles are 70% program-build and 30% operational. Inherited programs are the inverse.
  • Company stage. Series B startup CISO and Fortune 500 CISO use the same title for very different jobs.
  • The reporting line. CISOs reporting to the CEO have authority on governance decisions and a direct line to the executive who can break a stalemate. CISOs reporting to the CIO have to fight for budget against the same boss who owns availability and uptime, which means risk-acceptance disagreements tend to resolve in favor of whoever signs the budget.
  • Whether there’s a CTO who sees security as a peer function or a cost center.
  • What the recent breach history looks like. A post-incident CISO hire is a different role than a steady-state one. Same title. Different job.

A JD that doesn’t pick a side on those six points gets generic applicants and burns the search committee’s time on first-round interviews that surface the same misalignment over and over again until somebody pulls the posting and rewrites it three weeks late. Specifying them upfront is how you attract the candidate who has actually done the specific version of the role you’re hiring for, instead of one who once read about it in a Gartner report.


The Three CISO Profiles

Most hiring managers think CISO is one role. It isn’t. There are three distinct profiles in the market, and the strongest candidates for each rarely cross over.

The strategic and governance CISO. Sits closest to the board. Spends most of their time on risk reporting, audit committee briefings, regulatory positioning, and the security-finance negotiation that runs through the CFO and CRO. Usually has a CISSP and frequently an MBA. Comes out of consulting (a Big Four firm, Mandiant, or similar) or a regulated industry. Strong at translating technical risk into board-level dollar exposure. Less hands-on with the technology stack than the JD often suggests they should be. The most expensive of the three profiles by total comp, often by a wide margin.

The hands-on technical CISO. Came up through security engineering, application security, or red team work. Reads code, runs threat models with the architecture team, can argue with a senior engineer about Kubernetes admission controllers and not lose. Strongest fit for technology-first companies, SaaS platforms, and any environment where the CISO has to defend technical decisions on the merits and not the org chart. Often holds OSCP or GPEN alongside CISSP. Tends to underweight governance, which becomes a problem at scale unless paired with a strong VP of GRC.

The regulated-industry CISO. Built their career inside healthcare, financial services, defense, or critical infrastructure. Knows the specific regulatory framework cold (HIPAA, PCI DSS 4.0, NYDFS Part 500, FedRAMP, NERC CIP). Spent years in the audit cycle. Comfortable with the documentation and evidentiary discipline that regulated environments require. Expensive in their vertical and unfamiliar in others, which means a financial services CISO is often the wrong hire for a SaaS company even when the resume looks impressive.

The hiring decision is which one you need. The JD has to commit. A posting that lists CISSP, OSCP, MBA, HIPAA, SOC 2, PCI, FedRAMP, and twenty years of executive experience is not asking for a CISO. It’s asking for a unicorn with no opportunity cost. Nobody sends that resume. The real candidates read that and move on.

CISO Job Description Template

This template is structured for a strategic and governance CISO at a regulated mid-market company. Adjust the regulatory framework, the technology specificity, and the experience requirements to match the profile you’re actually hiring. Bracketed fields are placeholders to fill in before posting.

Job Title: Chief Information Security Officer (CISO)

Location: [City, State / Hybrid / Remote-friendly]
Employment Type: Full-time, executive
Reports To: Chief Executive Officer, with formal reporting cadence to the Audit Committee of the Board
Direct Reports: [Initial team size and structure]

About the Role

We are hiring a Chief Information Security Officer to lead our information security program across strategy, governance, regulatory compliance, technical architecture, and incident response. The CISO will partner with engineering, legal, finance, and the executive team to build a security posture that protects our customers, supports the regulatory obligations of our business, and earns the operational credibility that lets the program move at the speed the business needs.

What You’ll Own

  • The information security strategy, including the multi-year roadmap, the program’s risk appetite framework, and the executive narrative the board and audit committee see each quarter
  • Regulatory and compliance posture across the frameworks our business actually operates under, including [SOC 2 Type 2 / HIPAA / PCI DSS 4.0 / NYDFS Part 500 / FedRAMP / state privacy laws]
  • Security architecture and technical controls, working closely with engineering on the design of our cloud, identity, and application security stack
  • The third-party and vendor risk program, including the security review process for customer and partner engagements that affect revenue
  • Incident response leadership, including the runbook, the cross-functional drill cadence, and the executive and board communication path during a real incident
  • The security organization’s hiring, development, and retention, including the structure of the team across engineering, GRC, IR, and operations
  • Quarterly reporting to the audit committee of the board on cybersecurity risk and control effectiveness, and ownership of the security input to our SEC cybersecurity disclosure obligations, including the materiality assessment of incidents

What We’re Looking For

  • 10+ years of progressively senior information security experience, with at least 3 years as a CISO, deputy CISO, or equivalent executive owner of a security program
  • Direct experience operating a security program inside a regulated environment relevant to ours
  • Demonstrated track record briefing a board or audit committee on cybersecurity risk, including how you’ve translated technical risk into business and financial exposure
  • A working point of view on security architecture, including identity, cloud, and application security, even if you no longer write the implementation yourself
  • Experience leading a real incident from detection through public communication and post-mortem, with a clear sense of what you learned the hard way
  • Strong professional network in the security executive community, with the ability to recruit senior talent into the function

Preferred

  • CISSP or CISM. CCISO or an MBA is a plus, not a requirement
  • Experience supporting a public company through SEC cybersecurity disclosure requirements
  • Background in our industry vertical, with familiarity with the specific threat landscape and customer expectations
  • Prior CISO or security leadership in a company of comparable size and growth stage

Compensation

$295,000 to $385,000 base, plus annual bonus, long-term incentive, and equity participation. Total target compensation in the $475,000 to $750,000 range depending on company stage and total comp model. D&O insurance with cyber-specific coverage. Standard executive indemnification agreement.


Core Responsibilities in Depth

The bullet list above is the cover sheet. The interview is where it gets real. Here’s what the role actually looks like in execution, because the search committee surfaces the difference fast.

Strategy and risk appetite is the part where most JDs are vague and most strong CISOs probe in the first interview. The candidate worth hiring will ask whether your risk appetite has been documented, whether the board has signed off, and whether there’s a process for changing it when the business does. If the answer is no on all three, that’s not a deal-breaker. Pretending the answer is yes is. The JD that signals you’re early in this work and want a CISO to build it gets the program-build profile. The JD that overstates program maturity gets candidates who arrive expecting infrastructure that doesn’t exist.

Regulatory posture sounds like a checkbox until you ask a strong candidate to walk you through the audit they ran last year. The good ones can tell you which control failed during testing, what the auditor wrote up, and what changed in the program afterward. The weaker ones describe their compliance philosophy in the abstract. The interview question is not “are you familiar with SOC 2.” It is “tell me about the last finding in a SOC 2 audit you owned, and what you did about it.” Most CISOs over a certain seniority have a specific answer. The ones who don’t have either been at the same company too long or were never the one running the audit cycle.

Incident response is where the JD usually says “lead incident response” and skips the substance. What you actually want to know in the interview: when the candidate last owned an incident that required executive escalation, what call they made on disclosure timing, and what the post-mortem found that changed how the team operates. And, separately, how they handled the one part most CISOs hate to talk about, which is the board meeting after a real incident, where the questions are not always fair and the audit committee chair has had a long week. Strong candidates describe a real incident with detail. Weaker ones describe their incident response framework in the abstract. The framework matters less than the war story.

Board and audit committee communication is the responsibility most search committees underweight at the JD stage and most CEOs end up caring about more than anything else. A CISO who can sit in front of a board, take a hostile question from a director, and translate technical risk into a clear financial dollar exposure is a different hire than one who reads slides. The interview signal. Ask the candidate to walk you through a board deck they wrote in the last year. The strong ones still have the file. The weaker ones describe what they would put in one.

CISO Qualifications, Certifications, and Education

A clean CISO posting commits to a short list of certifications and treats education as evidence of trajectory rather than a gate. The bloated postings that list every credential the security industry has ever issued get fewer senior applications, not more.

The credentials worth listing in a 2026 CISO JD:

  • CISSP. Still the closest thing to a baseline credential at the executive level. Most senior CISOs hold it. Listing it as required is reasonable. Listing it as preferred is reasonable. Listing it as one of seven required credentials is how you screen out half your pool.
  • CISM. ISACA’s management-track equivalent of CISSP. Common in regulated industries and audit-adjacent roles. Treat it as a CISSP substitute, not an addition.
  • CCISO. EC-Council’s executive certification. Useful but not common. List as preferred only.
  • Industry-specific credentials. HCISPP for healthcare. ISA/IEC 62443 for industrial control systems. Cloud Security Alliance certifications for SaaS environments. Pick the one that maps to your regulatory framework.
  • MBA. Useful at the strategic and governance end of the CISO market, particularly for board-facing roles. Not a requirement. CISOs without MBAs run security programs at large public companies every day.

What to leave off. Plenty. OSCP, OSCE, GPEN, and the offensive credentials are signals of a hands-on profile. They’re appropriate to list when you’re hiring the hands-on technical CISO, and out of place when you’re hiring the strategic governance CISO. Listing them when you don’t actually want a hands-on operator confuses the candidate pool and signals indecision about which profile you’re hiring.

Education. A bachelor’s in computer science, information systems, or a related technical field is a reasonable preference for a CISO posting in 2026, particularly when the role spans hands-on technical decisions. A master’s degree is a plus, useful at the strategic governance end of the market. Neither should be a hard requirement. The strongest CISOs we’ve placed include people with non-traditional paths who built operational credibility before they ever managed people, and a JD that gates on either degree disqualifies a meaningful share of them.

CISO Salary in 2026

CISO compensation in 2026 has wider variance by company stage, regulatory burden, and reporting line than almost any other executive role. Public-company CISOs at large enterprises run total comp in the high six figures and into seven figures. Mid-market CISOs sit comfortably below that. Series B and C startup CISOs trade base for equity. The table below pulls base salary medians and total comp ranges from five public sources plus our own placement data, with the methodology and limitations called out so you can adjust to your market.

Source | Role / Level | Base or Total | Notes
Bureau of Labor Statistics, 2024 edition (May 2023 wage data) | Computer & Information Systems Managers (median) | $169,510 base | Federal occupation category, broader than CISO. Floor reference, not a CISO benchmark.
Salary.com (CISO, March 2026) | Chief Information Security Officer (median) | $278,400 base | U.S. national, base only. Range $232K to $336K (25th to 75th percentile).
Glassdoor (CISO, March 2026) | Chief Information Security Officer | $245K base / $385K total est. | Self-reported, larger sample skewed to mid-market.
Heidrick & Struggles CISO Compensation Survey 2025 | Public-company CISO (median total) | $584,000 total | Includes base, bonus, and LTI. Skewed to large enterprises.
ZipRecruiter (CISO, April 2026) | Chief Information Security Officer (national average) | $216,000 base | Pulls posted-salary data, including roles using the title at smaller companies.
KORE1 placement data (cybersecurity vertical, 2024-2026) | Mid-market CISO base, regulated industry | $265K to $375K base | From actual closed searches, not posted ranges. Total comp commonly $450K to $650K.

What the variance tells you. Pulling a single national CISO salary number and posting it as your comp band is one of the more reliable ways to mis-price the role. Public-company CISOs at large enterprises are a different market than mid-market CISOs in the same metro, and the comp band has to reflect which market you’re actually fishing in. The public-source range above runs from $169K base on the BLS floor to $584K total on the Heidrick public-company benchmark. Both numbers are accurate. Neither is your number unless your company looks exactly like the sample.

For most mid-market searches, $265K to $375K base with total comp in the $450K to $650K range is a defensible band in 2026. Adjust up for highly regulated environments. Adjust down for early-stage companies where equity carries weight. If you want a sharper benchmark before committing to a number, our salary benchmark tool pulls live data filtered to your stage and metro.

Reporting Structure: CISO to CEO, CIO, or COO?

Where the CISO reports is the structural decision that determines whether the role is set up to succeed or set up to be limited. Three common patterns, with real tradeoffs:

CISO reports to CEO. The cleanest authority structure. The SEC rule does not mandate any reporting line, but it does require public companies to describe management’s role in cybersecurity risk in the 10-K, and a CISO-to-CEO line is the easiest one to describe as genuinely independent of technology delivery. The CISO has a direct line to the executive who can resolve cross-functional conflict. The downside is that CEO bandwidth for security is finite, and a CISO without a strong CIO partner can struggle to get technology decisions executed. Best fit for public companies, post-incident hires, and any organization where security has board-level visibility.

CISO reports to CIO. The historical default in most enterprises and still the most common pattern in mid-market. Works well when the CIO sees security as a peer function and budgets it accordingly. Breaks down when the CIO owns availability and the CISO owns risk, because availability and risk-acceptance disagreements tend to resolve in favor of whoever owns the budget. The candidate pool reads this structure correctly. Strong candidates pass on CISO-under-CIO roles where the CIO is a recent hire trying to consolidate authority.

CISO reports to COO or CFO. Less common, but appropriate in regulated industries where security sits under operational risk, or in financial-services environments where the CRO chain matters. The CFO reporting line specifically can work when security budgeting already runs through finance and the program has a clear dollar-exposure framing. It does not work when the CFO views security as a cost line to be minimized.

What we tell clients during intake. Pick the structure based on what the program needs in the next two to three years, not on the org chart you already have. A CISO at a public company increasingly belongs in the CEO reporting line. A first-CISO hire at a mid-market private company can sit under the CIO if and only if the CIO is bought in on the program. The wrong structure produces an expensive hire who underperforms on a search the company will run again in eighteen months.


What Most CISO Job Descriptions Get Wrong

The bloat audit. Below are the patterns that show up in roughly half the CISO postings we see during intake. Each one screens out senior candidates without improving the pool.

  • Listing 8+ certifications as required. CISSP plus CISM plus CCISO plus CRISC plus CISA plus PMP plus ITIL plus Six Sigma. The candidate who holds all of those has spent more of their career collecting credentials than running a program. The candidate who has the right two concludes you’re checking boxes instead of actually evaluating fit.
  • “15+ years of experience required.” Most CISOs at our successful placements had 10 to 14 years when they took the role. A 15-year minimum disqualifies the strongest emerging executive talent.
  • Five different reporting lines on one posting. “Reports to CEO, CIO, COO, or VP of Engineering depending on company structure.” The candidate reads this as you don’t know where the role belongs. Strong candidates pass.
  • Hands-on technical depth and board-level governance experience listed equally. Pick one. The strategic CISO is not going to be the hands-on operator. The hands-on CISO is not going to be the board whisperer. The unicorn JD that demands both finds neither.
  • “Passionate about cybersecurity.” Senior security executives are professionals. Framing the role as a passion job is something companies do when they don’t want to pay market, and candidates read it that way.
  • Generic regulatory acronym soup. Listing HIPAA, PCI, SOC 2, ISO 27001, NIST, GDPR, CCPA, NYDFS, and FedRAMP signals that you’ve never actually run an audit and don’t know which frameworks matter for your business.
  • “Drive a culture of security.” What does that mean. Cut it.
  • No mention of D&O insurance, indemnification, or board reporting cadence. Strong post-2023 CISO candidates ask. The JD that signals these are in place gets the senior reads. The JD that omits them doesn’t.

The cleanest CISO postings we see are 600 to 900 words, name the regulatory framework that actually matters, commit to a reporting line, list two to four certifications maximum, and acknowledge the SEC and personal-liability landscape directly. The bloated postings hit 1,500 words and produce a thinner senior-candidate pool than the cleaner ones.

When You Don’t Need a Full-Time CISO

Not every company needs a full-time CISO. Sometimes the right answer is a fractional CISO who runs the program two or three days a week. Sometimes it’s a security director who reports up through engineering or the CIO without the executive title. The wrong hire is more expensive than no hire, and we’ve watched companies spend a year and a search fee on a CISO they then realized they didn’t have enough work for.

Signs you might not need a full-time CISO yet. The company is below 200 employees and not in a heavily regulated industry. There’s no board mandate driving the hire. The current security program is running but needs an experienced operator one or two days a week, not five. The roadmap doesn’t include a SOC 2 Type 2, public-company readiness, or a regulatory milestone in the next 18 months.

Signs you do. The board or audit committee has formally requested it. You’re in a regulated industry where the regulator expects a named CISO. You’re approaching a public-market event where SEC disclosure obligations begin to apply. There’s been a recent incident, customer-driven security review, or insurance-renewal flag that changed the risk profile.

If you’re in the in-between, our guide to fractional CISO services in 2026 walks through the structures, comp models, and the question of when fractional becomes the wrong answer. The short version. Fractional buys you a senior operator without the full executive cost. It does not buy you a full-time owner. Pick based on which you actually need.

CISO vs. CIO vs. CTO

One of the most common questions we get during CISO intake is the boundary between CISO, CIO, and CTO responsibilities. The roles overlap in places, and the wrong split makes the CISO ineffective. We covered the boundary in detail in our CIO vs. CTO vs. CISO guide, including the specific decisions each role should own, the interview questions that surface real boundary clarity, and the board-deck framing for companies that have all three.

The short version. The CTO owns the technology product. The CIO owns the technology that runs the company. The CISO owns the risk and the security posture across both. Two of those three roles can usually be combined at smaller companies. The CISO is the one that almost always needs to stand alone past a certain scale.

Common Questions

What’s the actual difference between a CISO and a CSO?

CISO is information security. CSO often includes physical security, executive protection, and corporate investigations. At most modern technology and financial services companies, CISO is the more common title, and CSO, where it appears, usually signals the broader remit.

The exception is regulated industries where physical security is a meaningful operational function, in which case the CSO title sometimes still appears with a broader scope. For a tech-first or financial services hire, default to CISO.

Does a CISO need to be technical?

Yes, but the depth depends on the profile. The strategic governance CISO needs to read architecture diagrams and ask the right questions. The hands-on CISO needs to actually engineer. Neither needs to be the most technical person in the room.

The mistake we see is search committees demanding deep technical hands-on capability for roles that are 80% governance work. That filter selects against the strongest strategic candidates and finds nobody who is also good at the board-level part of the job.

How long does a CISO search usually take?

Three to six months from kickoff to signed offer for most CISO searches in 2026. Highly specialized regulated-industry roles run longer.

The variance depends on how clean the JD is at intake, how flexible the comp band is, and how decisive the executive sponsor is during final-round interviews. A search committee that wants to interview eight finalists adds two months that the company often did not budget for. A clean JD with a committed sponsor and a realistic comp band can close in twelve weeks.

Should a CISO have an MBA?

Useful but not required. Public-company CISOs and board-facing strategic CISOs benefit from one. Hands-on technical CISOs rarely use it.

The signal an MBA sends is comfort with finance, governance, and executive communication. A CISO without an MBA who has spent years in board reporting and risk quantification has the same skills. The credential is the shortcut, not the substance.

What does the SEC cybersecurity disclosure rule mean for a CISO hire?

For public companies, the rule requires the 10-K to describe which management positions or committees are responsible for assessing and managing cybersecurity risk, and their relevant expertise, which in practice puts the CISO role on the public record. It also requires material incidents to be reported on Form 8-K within four business days of the materiality determination. It changes who applies, what they ask about insurance and indemnification, and how the board engages the role.

For private companies, the direct rule does not apply. The indirect effect is real. Private-company boards and audit committees increasingly ask the same governance questions the SEC rule prompts public companies to answer. A CISO hired into a pre-IPO company should expect to be running a program against public-company readiness, even before the disclosure obligations technically begin.

Can a CISO be remote?

Yes for most mid-market roles. Public-company and regulated-industry CISOs are increasingly expected to be hybrid, with regular in-office presence for board cycles and incident response.

The expectation in 2026 is closer to executive flexibility than fully remote, which means a CISO based in a different metro than the corporate headquarters should expect monthly travel and quarterly board-meeting weeks. A CISO who does not want to travel for board meetings is not the right hire for a public-company role.

What’s the right comp band for a first-CISO hire at a mid-market company?

$265,000 to $375,000 base, with total comp in the $450,000 to $650,000 range, is a defensible 2026 band for a first-CISO at a regulated mid-market company. Adjust for stage, regulatory burden, and equity weight.

That band sits above the BLS floor and below the Heidrick public-company median for a reason. Most first-CISO hires at private mid-market companies are not running the same job a public-company CISO at a Fortune 500 enterprise is running. Posting a Fortune 500 comp band for a Series C role inflates the candidate pool with the wrong fit. Posting a director-level band screens out the actual CISO market.

How do you tell a real CISO candidate from a resume that just says CISO?

Three questions. Walk me through your last board deck. Tell me about the most recent finding from a security audit you owned. What was the call you made on disclosure timing during the last incident you ran. Real CISOs have specific answers. Resume CISOs describe frameworks.

The fourth signal is willingness to admit a hard call they got wrong, with what they changed afterward. Senior security executives have those moments. The candidate who describes only successes is either too junior, not actually the owner during the events they’re describing, or unwilling to be candid in the interview, none of which are useful for the search committee.

Where to Go from Here

If you’re scoping a CISO search and want a second set of eyes on the JD, the comp band, or the search process, we’d be happy to take a look. Our cybersecurity practice runs CISO searches across regulated mid-market, technology, and financial services. The first conversation is informal, thirty minutes with a recruiter on our team, and we’ll figure out from there whether what we do is what you need. If you want to run the search yourself with the framework above, the JD template is yours to adapt. Either way, the goal is a CISO hire who holds up at the next board meeting and the one after that, not a posting that sits on LinkedIn for ninety days while the audit committee asks why the search hasn’t closed and the executive sponsor has no defensible answer.

Last thing. Whichever CISO profile you’re hiring, the JD is the screen. Fix that first. Then post. The rest gets easier.
