CISO vs Director of Information Security
Companies that require information security leadership typically hire someone in a CISO or Director of Information Security position. You might be wondering what the differences are between these security top dog roles. At their core, they have the same responsibility – to protect a firm’s data and systems. However, what a recruiter or job ad won’t tell you is how markedly different these positions are. In short, I’d advise not taking a Director of Information Security job, unless you are early in your career and understand what you would be stepping into. (Note that in some large firms there are Director positions that report the CISO and are accountable for a silo within information security. These high-ranking, but not chief, positions are not the topic of this post.)
A CISO is an executive position. An effective CISO requires expertise in IT, engineering, operations, risk management, law, compliance, incident management, corporate politics, and personnel management. The CISO may report to the CEO. Many CISOs also report to the board of directors. (A CISO reporting to the CTO or CIO is problematic, as discussed below.) The CISO has significant authority, commensurate with the job’s responsibilities.
A Director of Information Security isn’t necessarily an executive role, and certainly not a senior executive role. The giveaway line in jobs ads is: “You’ll be working with senior management.” I.e., you’re not part of the senior management team. This is the job that companies offer when they don’t take security as seriously as they should. The Director of Information Security requires the same skill set as a CISO. The Director will usually report to a CIO or CTO, which results in conflicts of interest. (This topic is beyond the scope of this post. Suffice to say that an information security leader should have the authority to stop a project dead in its tracks, even if this hurts the firm’s bottom line.) A Director of Information Security will usually not have the authority needed to properly and thoroughly administer security within an organization. Corporate politics and financial priorities often lead to compromises that weaken the security posture of a firm.
Along with the diminished title and placement within the hierarchy, the average Director will be paid significantly less than the average CISO. Adding insult to injury, a Director may often have an inadequate budget to staff his or her security group. If a Director isn’t paid well, it’s safe to assume that the budget for the rest of the staff will be paltry. That’s if the Director has any budget at all for direct hires. It’s all too common to see these positions advertised with a red flag: “This position is an individual contributor role which may turn into a management role in the future.” You should avoid these opportunities. There is no medium to large business that can effectively manage security with one person.
In summary, you should only consider a Director of Information Security role if you are willing to be undercompensated for your skills and can accept working in an environment where security probably isn’t given first-class treatment. You’ll have essentially the same responsibilities as a CISO, but the lack of authority and adequate budget will make your job significantly more difficult. These are tough pills to swallow for many passionate and talented security leaders.