Companies that require information security leadership typically hire someone in a CISO or Director of Information Security position. You might be wondering what the differences are between these security top dog roles. At their core, they have the same responsibility – to protect a firm’s data and systems. However, what a recruiter or job ad won’t tell you is how markedly different these positions are. In short, I’d advise not taking a Director of Information Security job, unless you are early in your career and understand what you would be stepping into. (Note that in some large firms there are director positions that report to the CISO and are accountable for a silo within information security. These positions are not the topic of this post.)
A CISO is an executive position. An effective CISO requires expertise in IT, systems engineering, operations, risk management, law, compliance, incident management, corporate politics, and personnel management. The CISO may report to the CEO. Many CISOs also report to the board of directors. (A CISO reporting to the CTO or CIO is problematic, as discussed below.) The CISO has significant authority, commensurate with the job’s responsibilities.
The Director of Information Security is the position that companies offer when they don’t take security as seriously as they should. A Director of Information Security isn’t necessarily an executive role, and certainly not a senior executive role, even though it requires the same expertise as a CISO. The giveaway line in job ads is: “You’ll be working with senior management.” I.e., you’re not part of the senior management team. It’s also common to see Director jobs that work with stakeholders, not senior leadership. The Director will usually report to the CIO or CTO, which results in conflicts of interest. (This topic is beyond the scope of this post. Suffice it to say that an information security leader should have the authority to stop a project dead in its tracks.) In most cases, a Director of Information Security does not have the authority needed to properly and thoroughly administer security within an organization. Corporate politics and financial priorities often lead to compromises that weaken the security posture of a firm.
Along with the diminished title and placement within the hierarchy, the average Director will be paid significantly less than the average CISO. Adding insult to injury, a Director may not have an adequate budget to properly staff his or her security group. If a Director isn’t paid well, it’s safe to assume that the budget for the rest of the staff will be paltry. That’s if the Director has any budget at all for direct hires. It’s all too common to see these positions advertised with a red flag: “This position is an individual contributor role which may turn into a management role in the future.” You should avoid these opportunities. There is no medium to large business that can effectively manage security with one person.
In summary, you should only consider a Director of Information Security role if you are willing to be undercompensated for your skills and can accept working in an environment where security probably isn’t given first-class treatment. You’ll have essentially the same responsibilities as a CISO, but the a) lack of authority and b) budgetary constraints will make your job significantly more difficult. These are tough pills to swallow for many passionate and talented security leaders.