"I have finally made it to the CISO role; now what?" This question is one I've encountered from many of my peers over the past several years. Typically, our conversations begin over a cold beverage, catching up on family life and the challenges we face in our roles before inevitably leading to exploring what comes next if we were to leave cybersecurity. We've put tremendous effort into achieving our current CISO positions and navigating various roles, projects, and companies. After this significant investment of time and energy, it's time to consider what lies ahead. While we may find ourselves at the top of our profession, the reality often falls short of our expectations. For some, the cumulative stress of multiple CISO roles leads to burnout, prompting a fundamental question: is it time for a change?
As one of those CISOs reflecting on my extensive experience, I am assertive in my belief that the journey does not end here. I continue to thrive leading teams and building security programs for my organization. However, engaging in discussions with fellow executives and professionals in our community highlights the myriad new opportunities available to us in cybersecurity. This article aims to outline some of those opportunities clearly. Instead of marking the end of a career, these prospects represent a powerful new beginning.
- CIO – Chief Information Officer: While some of my CISO peers may initially scoff at the idea, it warrants serious consideration. Many CISOs have successfully transitioned to the CIO role. Despite our differing technology stacks and priorities, a CISO seeking a change of pace can effectively make this switch. From my experience as a former CIO, I firmly assert that those stepping into this role must understand the significant shift in perspective it entails. Your focus will be delivering daily enterprise IT services, spearheading efforts to architect and provide exceptional IT support to employees. This shift can be particularly advantageous for CISOs as organizations increasingly combine CISO and CIO responsibilities under a single executive.
- CTO – Chief Technology Officer: Some CISOs, particularly those with software development or network engineering backgrounds, have rightfully moved into high-level technical positions after their tenures as CISOs. These professionals, seasoned in leading security operations and collaborating with product teams, find this transition a natural and compelling fit. I encourage CISOs with engineering or product development expertise to seize this opportunity—it aligns perfectly with those with a genuine passion for hacking and technical innovation.
- CRO – Chief Risk Officer: I have observed CISOs whose roles have evolved into that of Chief Risk Officer, primarily driven by the demands of the business. Those with risk management, auditing, or consulting backgrounds are ideally positioned for this transition. This role is especially relevant today as companies grapple with an increasing array of regulations and compliance requirements. The CRO position offers a valuable avenue for CISOs ready to leverage their specific skills in risk management and auditing for new opportunities.
- vCISO – Virtual CISO: This position is tailored for the CISO who prefers not to take on the full responsibility of a security program but instead seeks to provide guidance as a temporary CISO. The vCISO role allows seasoned security professionals to help organizations build security programs or assist existing CISOs with key projects and initiatives. Many have chosen this path to remain active in the cybersecurity community while taking a break from the pressures of an active CISO role. However, it's essential to recognize that this role isn't for everyone. You must embrace the reality of being a temporary resource and accept that client executives may overlook your contributions. Your mission is to facilitate their success, but it's they who ultimately define it.
- CPO – Chief Privacy Officer: I have held the CPO role numerous times alongside my responsibilities as a CISO. Given the rise of stringent data privacy laws and regulations, I am convinced that the CPO position will continue to grow in significance. CISOs are well-equipped to make this transition because we already manage the security controls that safeguard data and are deeply involved in governance processes related to accounts and access management. Many CISOs also take on business data governance roles, which naturally brings them into the realm of compliance. The CPO role presents an exceptional opportunity for CISOs who wish to remain connected to security while moving into the privacy sector. This transition allows you to serve your organization in a vital capacity without the constant demands of a full-scale security program.
- CSO/CISO Strategist – This is an exciting opportunity! Several friends of mine have recently transitioned into roles as security strategists at larger businesses or organizations. As a security strategist, they advise product, marketing, legal, and compliance teams. Essentially, they leverage their knowledge and experience gained over the years as CISOs to help organizations plan and execute various projects and initiatives that may involve security or risk issues. I've also seen this position used by larger organizations to assist their client companies or boards of directors. For a senior CISO, this could be a great transition with potential growth opportunities.
- Security Researcher - This might be the perfect role for the CISO who is a hacker at heart and enjoys examining how things are constructed or can be dismantled. I've known several CISOs who have moved into research positions; one is focused on threat intelligence and is dedicated to protecting nonprofits, while another joined a consultancy group to research new, unidentified threats. If you're considering this type of position, it requires strong discipline to manage your time and projects effectively. Additionally, being able to write and communicate your findings clearly is essential.
- Consultant – Similar to the vCISO position, this role allows a CISO to step away from leading teams and building security programs to work as an advisor for clients. This position can differ from the vCISO role in that you can consult on various topics beyond CISO responsibilities, such as cloud security, leadership, GenAI, incident response, and more. Your experience and imagination are your only limits in this area. I worked as a consultant when I transitioned from Webroot to SoftBank and found it rewarding. I assisted several local CISOs in developing their strategic plans and conducting risk assessments. A word of advice: if you're considering becoming a consultant, you must manage your time effectively and stay current with the latest technologies, threats, and services.
- Security Product Manager – This is a role that CISOs can transition into, especially within cybersecurity product companies. I had a similar experience at Webroot, where I collaborated with product teams to help develop a potential vCISO service after the company was acquired. It was one of the first times I stepped out of the CISO role to engage directly with customers, and I found it both challenging and rewarding. I've also observed other CISOs in companies tasked with managing internal cybersecurity while advising on product security. This option may appeal to CISOs looking for a change after implementing a stable security program. From my experience, it's important to either fully transition from the CISO role to focus on this new position or wait until your security program is mature before tackling both responsibilities.
- VC/PE Consultant – I've recently seen more CISOs working with investment groups as security consultants or operational partners. In this capacity, they ensure portfolio companies are secure, protect intellectual property, and provide insight during the due diligence process before an acquisition or investment. What's enjoyable about this role for CISOs is that they can manage risk and offer security advice without the stress of overseeing a security team or program. Those who take on this job usually have a passion for teaching and enjoy helping startups. They possess extensive security knowledge and appreciate educating businesses on how cybersecurity can foster innovation.
- Entrepreneur/Startup Founder – Many CISOs dream of creating a better product or have ideas for services that businesses would want to buy. This is where entrepreneurship comes in—it's a commitment of 20+ hours a day, seven days a week. I won't say it's easy; you're simply exchanging one source of stress for another. However, you gain the chance to build something new, and if you enjoy creating a startup, it can be a fulfilling pivot in your career.
- Teacher/Mentor – This is an opportunity I often see CISOs pursuing while still in their executive roles. Some choose to step back from leadership to focus on teaching. I hope to teach cybersecurity at the college level someday; mentoring the next generation of security leaders would be rewarding and less stressful than managing a security program. This is an opportunity that CISOs can explore while in their current positions, potentially transitioning into it full-time as a way to give back to the community.
- Industry Evangelist – We are down to our final opportunities, and this is one I have observed multiple peers considering. In this role you may support the company's CISO and collaborate with marketing, sales, or product teams. As an evangelist, you would travel, discuss cybersecurity, and help expand the business's presence. I have also seen CISOs take on the evangelist role by visiting customers, answering their questions, and relaying their concerns back to the product and marketing teams to improve the company. It's important to note that while this role alleviates the stresses of being a CISO, it comes with the burden of traveling and consistently engaging with people about cybersecurity. If you are someone like me who loves technology and enjoys travel, this could be an exciting job for you. However, be aware that this type of position has its own unique challenges, so I would recommend speaking with a couple of evangelists first to gain insight.
- Sabbatical - Lastly, we may take a break from the CISO role entirely. We could relax on a beach for a while or take time off to write that book we've talked about for years. In this final opportunity, as with all the previous ones, we must take time to recharge and reflect on what matters to us. With renewed energy, we can then re-engage with our community.
I know that I may be overlooking several other exciting opportunities for a CISO to transition into. However, my purpose in this article is not to list everything; rather, I want to encourage people to think about the possibilities. I firmly believe that the CISO role is not the end of a career in cybersecurity. It is a stepping stone to other paths that individuals can take to grow professionally. I appreciate that our community offers many opportunities because I, as a CISO, plan to be here for a long time, in whatever role continues to challenge me and allows me to work with businesses and mentor the next generation.
***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2 and the Executive Primer. I have also authored The Essential Guide to Cybersecurity for SMBs and Developing Your Cybersecurity Career Path. All are available in print and e-book on Amazon. To see more of what books are next in our series please visit the CISO Desk Reference website.
Reader comment, 6 months ago (Leaders come to me for strategic execution + partnerships + business operations to expand their impact): Why reinvent the wheel when you can update with what's going on in the world of technology. Insightful article!

Reader comment, 6 months ago (Director of Cyber Risk @ Harvard Medical School | CEO): What a great and timely (for me at least) article. I have been CISO and purposely made the move down to Director role for mental sanity reasons. I now aspire to move to Research. My current dissertation weaves cognitive psychology and SOC operations. Thanks for the great read!

Reader comment, 6 months ago (Former Fortune 500 CISO | #1 Best-Selling Author | Keynote Speaker | Board & Executive Cybersecurity Advisor): Good list of the options, Gary Hayslip. I would add that they are not mutually exclusive and CISOs can move between multiple roles. What's important? Do what you like with whom you like and the work "takes care of itself!"

Reader comment, 6 months ago (Cybersecurity Executive | Retired Federal SES | US Army Veteran): Can always count on you Gary Hayslip to deliver valuable content to our community. Maybe this will be the year we finally cross paths in person.

Reader comment, 6 months ago (Chief Information Security Officer | Speaker | Writer | Mentor | All views/comments expressed are personal only): Nice article.