From the outside, when someone reaches CISO level, the move to the next role should be easy. After all, they’ve already made it to the top. But many security leaders find the opposite is true. Once they’re in a certain industry, it’s harder to get out.
Executives and recruiters often assume a CISO’s experience only translates within their current sector. First Bank CISO Marc Ashworth, whose career has spanned aerospace, healthcare and finance, has seen it happen repeatedly.
“You see people staying within the same industry … it seems like those in the startup world stay in the startup world, those in software development stay there. Once you get to larger enterprises, you tend to stay in those larger enterprises. Whereas, if you’re in a small or medium business, it’s harder to break into a larger enterprise.”
The perception isn’t arbitrary; rather, it’s rooted in how executive hiring works, according to Sal DiMarco, global advanced technology managing partner at talent advisory firm DHR Global. “Back in the day, you stayed in your vertical. You were an industrial person, you were a retail person, you were a telecom person, you were a software person. You stayed in your lane and that’s what it was.”
DiMarco says the convergence of technology over the last 15 years has started to shift this perception. He says enterprise technologies have become more standardized across industries, allowing CISOs to move more freely between sectors.
“Technology has become pervasive across all industries,” he says. But DiMarco warns that opportunity alone isn’t enough: CISOs still need to actively reframe why they’re suitable for a role.
So how can CISOs move across sectors successfully, and prove their skills are transferable?
From consulting to finding similarities between different industries
Building a transferable skill set is essential for those looking to switch industries. For Dell’s first-ever CISO, Tim Youngblood, adaptability was never a luxury but a requirement. His early years as a consultant at KPMG gave him a front-row seat to the challenges of multiple industries before he ever moved into cybersecurity. Those early years also taught Youngblood that while every industry has its own nuances, the core security principles remain constant.
“I’ve always believed that variety is the spice of life,” he says. “I worked for KPMG for several years, servicing 30 different clients a year in multiple industries, oil and gas, healthcare, financial services, you name it. As my career progressed, I took a lot of those key learnings from my consulting days. I felt comfortable I could go work for any company in any industry and be successful with what I knew.”
Like Youngblood, Ashworth found that his consulting business became his superpower. He says it gave him the ability to switch between different verticals without losing sight of his key objectives of identifying risk and finding solutions.
Youngblood also points to engaging with industry-specific information-sharing and analysis centers (ISACs), whether in healthcare, financial, retail, or even maritime. “These groups were initiated by the government to enable public-private sector sharing, and it’s a great avenue to take to understand how other industries solve the same problem.”
From a recruitment perspective, the best shot for anyone coming from a consulting background is moving into a CISO role with one of their clients, which DiMarco says is common. “Because you’re a known commodity and they’ve seen how you work. They’ll be able to say you’re consultative, you’re strategic, and know how to deliver on a strategy. I’ve seen them in action, and I’m willing to give them a shot to come into the enterprise.”
For CISOs without consulting experience who still want to switch verticals, DiMarco recommends identifying sectors with structural similarities or adjacent industries, because they offer the easiest transition. He describes these kinds of moves as “baby steps” toward a bigger vertical shift.
“Take someone from pharmaceutical and put them into a healthcare organization. They’re not the same models, and a lot of things are different, but the infrastructure of those companies, from a technology perspective, is similar. You’re still dealing with the regulated environment and all of the things that go into regulation when it comes to technology.”
Understand and demonstrate achieved results
Making the jump into a new industry isn’t about matching past job titles but about proving you can create impact in a new context. DiMarco says the key is to demonstrate relevance early.
“When I pitch a candidate, I explain what they did, how they did it, and what their impact was to their organization in their specific industry,” he says. “If what they did and how they did it, and what their impact was on the organization resonates where that company wants to go, they’re a lot more likely to say, ‘I don’t really care where this person comes from because they did exactly what I want done in this organization’. It’s about the results, but it’s about articulating the results of how you’re going to do it if you come into a different industry.”
Youngblood took this approach when he moved from being the CISO at Kimberly-Clark to McDonald’s. “On the outside, everybody sees the golden arches, and they all have the same look and feel,” he says. “But on the back end there are joint ventures, conventional licenses, and country licensees. When you’re the CISO, you have to try and bring everybody together, even though they operate slightly differently.”
Beyond operational structures, Youngblood also had to adapt quickly to industry-specific threats. “At T-Mobile, SIM swapping is a huge issue in the telecom industry. Most people don’t realize how frequent it’s happening. It’s a billion-dollar industry, sometimes nation-state funded. Some of them are in the back office and directly taking over the identity of a person, which can cause a lot of damage.”
For Cyber Self-Defense CEO Michael Meline, whose career originally started in law enforcement before he stepped into cybersecurity in financial services and then healthcare, the fastest way to build credibility in a new sector is to deeply understand the risk landscape.
“You’ve got a lot of the same risks, so it really is risk management. I don’t care what field you’re in, my intent in dealing with cybersecurity is to go in, identify the risks, and then build a plan to mitigate them.”
Demonstrating you understand the risk landscape can give candidates a significant edge. “Outline where you think your skills are transferable from the industry you’re in to what you know about the other industries you might be interested in, and then let’s start talking through examples of what you’ve done in your industry and how we think it can relate to the industries you’re talking about targeting and we would build from there,” says DiMarco.
Avoid getting pigeonholed
The biggest career risk for many CISOs isn’t burnout or a data breach; it’s being seen as a one-industry operator. Ashworth’s advice is to focus on demonstrating transferable skills. “It’s a matter of getting whatever job you’re applying for, to realise that those principles are the same, no matter what industry you’re in. Whether it’s aerospace, healthcare, or finance, the principles are the same. Show that, and you’ll avoid being pigeonholed.”
For Meline, avoiding being pigeonholed starts before moving into a new industry, by focusing on risk first and then learning about the business. “As I’ve progressed throughout my career, what I’ve discovered is cybersecurity is nothing more than risk management. As a cop, I would identify risk and take the appropriate steps to mitigate it,” he says. “It’s the same thing when I deal with risk in the corporate world. I’m working with stakeholders all the way from the bottom of the organization to the top and collaborating on how we deal with this risk, and then build the right plan to address the risk in a way that meets the needs.”
Ultimately, DiMarco says the key is showing relevance and being able to draw parallels across industries. “It boils down to the uniqueness of the candidate and drawing your analogies of how close you are to those other industries.”