{"id":5606,"date":"2025-10-30T07:00:00","date_gmt":"2025-10-30T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5606"},"modified":"2025-10-30T07:00:00","modified_gmt":"2025-10-30T07:00:00","slug":"tips-for-cisos-switching-between-industries","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5606","title":{"rendered":"Tips for CISOs switching between industries"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>From the outside, when someone reaches CISO level, the move to the next role should be easy. After all, they\u2019ve already made it to the top. But many security leaders find the opposite is true. Once they\u2019re in a certain industry, it\u2019s harder to get out.<\/p>\n<p>Executives and recruiters often assume a CISO\u2019s experience only translates within their current sector. First Bank CISO Marc Ashworth, whose career has spanned aerospace, healthcare and finance, has seen it happen repeatedly.<\/p>\n<p>\u201cYou see people staying within the same industry \u2026 it seems like those in the startup world stay in the startup world, those in software development stay there. Once you get to larger enterprises, you tend to stay in those larger enterprises. Whereas, if you\u2019re in a small or medium business, it\u2019s harder to break into a larger enterprise.\u201d<\/p>\n<p>The perception isn\u2019t arbitrary, rather it\u2019s rooted in how executive hiring works, according to Sal DiFranco, global advanced technology managing partner at talent advisory firm DHR Global. \u201cBack in the day, you stayed in your vertical. You were an industrial person, you were a retail person, you were a telecom person, you were a software person. 
You stayed in your lane and that\u2019s what it was.\u201d<\/p>\n<p>DiFranco highlights that the convergence of technology in the last 15 years has started to shift this perception. He says enterprise technologies have become more standardized across industries, allowing CISOs to move more freely between sectors.<\/p>\n<p>\u201cTechnology has become pervasive across all industries,\u201d he says. But DiFranco warns that opportunity alone isn\u2019t enough: CISOs still need to actively reframe why they\u2019re suitable for a role.<\/p>\n<p>So how can CISOs move across sectors successfully, and prove their skills are transferable?<\/p>\n<h2 class=\"wp-block-heading\">From consulting to finding similarities between different industries<\/h2>\n<p>Building a transferable skill set is essential for those looking to switch industries. For Dell\u2019s first-ever CISO, Tim Youngblood, adaptability was never a luxury but a requirement. His early years as a consultant at KPMG gave him a front-row seat to the challenges of multiple industries before he ever moved into cybersecurity. Those early years also taught Youngblood that while every industry has its own nuances, the core security principles remain constant.<\/p>\n<p>\u201cI\u2019ve always believed that variety is the spice of life,\u201d he says. \u201cI worked for KPMG for several years, servicing 30 different clients a year in multiple industries, oil and gas, healthcare, financial services, you name it. As my career progressed, I took a lot of those key learnings from my consulting days. I felt comfortable I could go work for any company in any industry and be successful with what I knew.\u201d<\/p>\n<p>Like Youngblood, Ashworth\u2019s consulting business became his superpower. 
He says it gave him the ability to switch between different verticals without losing sight of his key objectives of identifying risk and finding solutions.<\/p>\n<p>Youngblood also points to engaging with industry-specific information-sharing and analysis centers (ISACs), whether it be healthcare, financial, retail, or even maritime. \u201cThese groups were initiated by the government to enable public-private sector sharing, and it\u2019s a great avenue to take to understand how other industries solve the same problem.\u201d<\/p>\n<p>From a recruitment perspective, the best shot anyone can have if they\u2019re moving from a consulting background is moving across to a CISO role that\u2019s with one of their clients, which DiFranco says is common. \u201cBecause you\u2019re a known commodity and they\u2019ve seen how you work. They\u2019ll be able to say you\u2019re consultative, you\u2019re strategic, and know how to deliver on a strategy. I\u2019ve seen them in action, and I\u2019m willing to give them a shot to come into the enterprise.\u201d<\/p>\n<p>For CISOs without consulting experience, but who still want to switch verticals, DiFranco recommends identifying sectors with structural similarities or adjacent industries because they\u2019re the easiest transition. He describes these kinds of moves as \u201cbaby steps\u201d toward a bigger vertical shift.<\/p>\n<p>\u201cTake someone from pharmaceutical and put them into a healthcare organization. They\u2019re not the same models, and a lot of things are different, but the infrastructure of those companies, from a technology perspective, is similar. 
You\u2019re still dealing with the regulated environment and all of the things that go into regulation when it comes to technology.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Understand and demonstrate achieved results<\/h2>\n<p>Making the jump into a new industry isn\u2019t about matching past job titles but about proving you can create impact in a new context. DiFranco says the key is to demonstrate relevance early.<\/p>\n<p>\u201cWhen I pitch a candidate, I explain what they did, how they did it, and what their impact was to their organization in their specific industry,\u201d he says. \u201cIf what they did and how they did it, and what their impact was on the organization resonates where that company wants to go, they\u2019re a lot more likely to say, \u2018I don\u2019t really care where this person comes from because they did exactly what I want done in this organization\u2019. It\u2019s about the results, but it\u2019s about articulating the results of how you\u2019re going to do it if you come into a different industry.\u201d<\/p>\n<p>Youngblood took this approach when he moved from being the CISO at Kimberly-Clark to McDonald\u2019s. \u201cOn the outside, everybody sees the golden arches, and they all have the same look and feel,\u201d he says. \u201cBut on the back end there are joint ventures, conventional licenses, and country licensees. When you\u2019re the CISO, you have to try and bring everybody together, even though they operate slightly differently.\u201d<\/p>\n<p>Beyond operational structures, Youngblood also had to adapt quickly to industry-specific threats. \u201cAt T-Mobile, SIM swapping is a huge issue in the telecom industry. Most people don\u2019t realize how frequent it\u2019s happening. It\u2019s a billion-dollar industry, sometimes nation-state funded. 
Some of them are in the back office and directly taking over the identity of a person, which can cause a lot of damage.\u201d<\/p>\n<p>For Cyber Self-Defense CEO Michael Meline, whose career originally started in law enforcement before he stepped into cybersecurity in financial services and then healthcare, the fastest way to build credibility in a new sector is to deeply understand the risk landscape.<\/p>\n<p>\u201cYou\u2019ve got a lot of the same risks, so it really is risk management. I don\u2019t care what field you\u2019re in, my intent in dealing with cybersecurity is to go in, identify the risks, and then build a plan to mitigate them.\u201d<\/p>\n<p>Demonstrating you understand the risk landscape can give candidates a significant edge. \u201cOutline where you think your skills are transferable from the industry you\u2019re in to what you know about the other industries you might be interested in, and then let\u2019s start talking through examples of what you\u2019ve done in your industry and how we think it can relate to the industries you\u2019re talking about targeting and we would build from there,\u201d says DiFranco.<\/p>\n<h2 class=\"wp-block-heading\">Avoid getting pigeonholed<\/h2>\n<p>The biggest career risk for many CISOs isn\u2019t burnout or data breach, it\u2019s being seen as a one-industry operator. Ashworth\u2019s advice is to focus on demonstrating transferable skills. \u201cIt\u2019s a matter of getting whatever job you\u2019re applying for, to realise that those principles are the same, no matter what industry you\u2019re in. Whether it\u2019s aerospace, healthcare, or finance, the principles are the same. Show that, and you\u2019ll avoid being pigeonholed.\u201d<\/p>\n<p>For Meline, avoiding being pigeonholed starts before moving into a new industry, by focusing on risk first and then learning about the business. 
\u201cAs I\u2019ve progressed throughout my career, what I\u2019ve discovered is cybersecurity is nothing more than risk management. As a cop, I would identify risk and take the appropriate steps to mitigate it,\u201d he says. \u201cIt\u2019s the same thing when I deal with risk in the corporate world. I\u2019m working with stakeholders all the way from the bottom of the organization to the top and collaborating on how we deal with this risk, and then build the right plan to address the risk in a way that meets the needs.\u201d<\/p>\n<p>Ultimately, DiFranco says the key is showing relevance and being able to draw parallels across industries. \u201cIt boils down to the uniqueness of the candidate and drawing your analogies of how close you are to those other industries.\u201d<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>From the outside, when someone reaches CISO level, the move to the next role should be easy. After all, they\u2019ve already made it to the top. But many security leaders find the opposite is true. Once they\u2019re in a certain industry, it\u2019s harder to get out. 
Executives and recruiters often assume a CISO\u2019s experience only [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5595,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5606","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5606"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5606"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5606\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5595"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5606"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5606"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}