After the CISO role: Navigating what comes next
Former chief information security officers may have numerous career options available but no clear path forward. Here's how to navigate life after the CISO role.
When Steve Zalewski first left his role as chief information security officer at Levi Strauss in 2021, he took a few months to recharge and reset.
"I met my wife and daughter again," he said. "I travelled. I started to sleep at night, and I stopped having nightmares. I dropped 10 pounds. I wasn't drinking as much."
Oftentimes, a security officer leaves one CISO position for another, perhaps in pursuit of a fresh challenge or a larger paycheck. In a 2022 survey of 327 CISOs, executive search firm Heidrick & Struggles found 53% had previously held CISO roles. Yet the research also reported a majority of sitting CISOs don't want their next jobs to be as CISOs. With no clear path for life after the CISO role, such security leaders need to weigh their options.
First, recover and recalibrate
CISOs often find themselves in states of severe burnout by the time they leave their posts, stemming from years of operating in crisis management mode. Many security professionals have similar dispositions to those working in emergency response, law enforcement and the military, Zalewski suggested.
"They run to the problem, and they have a drive to protect people," he said. "But you cannot sustain that level of emotional energy every day."
Cybersecurity incidents happen daily in large enterprises, however, and exhaustion is inevitable. When Zalewski was at Levi Strauss, which had around 10,000 end users at the time, the company averaged three cyber incidents -- often successful phishing attacks -- per 24-hour period. They happened across time zones and in offices around the world.
"It was a 24/7 job; there was no downtime," Zalewski said, adding that he used to describe his role as running a triage shop. "I constantly had people coming in that had been attacked. My job was not to make them whole but to understand how to limit the damage to that line of business and keep doing business. So not to put the fingers back but maybe just to save the arm."
Coming down from that kind of nonstop stress takes time, Zalewski found. He cautioned that the first phase of life after the CISO role -- recovering and resetting -- could take three months, six months or a year.
"You have to find who you are again," Zalewski said. "You have to reach the point where you're just happy to wake up in the morning and don't feel like you're back in the battle."
Then, reassess and reboot
In the Heidrick & Struggles survey, just 17% of North American CISOs said they would like to retire when they leave their current roles. For his part, Zalewski briefly considered it.
"I thought, 'What is retirement?'" he said. "It's waking up every day and doing what you want -- fishing, sewing, playing poker, socializing. Whatever you love that makes you feel good."
But while he knew he didn't want another operational CISO role, Zalewski realized his greatest passion was still cybersecurity. Then the phone rang.
"A friend -- a venture capitalist -- called me and said, 'Here's the thing: We can't afford to have you on the bench,'" he said. "'You're a senior member of the community, and you have a responsibility to give back. So pick the part that makes you happy and do that.'"
With this advice in mind, Zalewski started mentoring other CISOs, eventually taking on additional roles as a consultant for corporate security programs, as an advisor to security startups and venture capital firms, and as an investor himself.
Possible post-CISO paths
Current CISOs would do well to think about their future goals as well as how their tenures as security leaders might inform their next steps. Certain types of CISOs take to some paths more readily than others. For example, while tactical CISOs with limited business acumen would make unlikely CEO candidates, they might thrive in technical consulting roles.
Zalewski added that how a CISO has treated others -- both internally and within the broader security community -- also affects future opportunities.
"The things someone can do after the CISO role will depend on the CISO," he said. "Personally, I made a lot of mistakes. But I was really conscientious about learning and trying to do the right thing."
Bearing all of this in mind, consider the following possibilities for a CISO's next act.
Corporate board member
Of the North American CISOs Heidrick & Struggles surveyed, the greatest percentage -- 56% -- said they would like to serve as board members in their next roles. But this transition is far from a given, the researchers noted, as boards of directors typically prefer candidates with prior experience. And while almost half of CISOs sit on advisory boards, just 14% reported holding corporate board positions.
Being a good CISO is not enough to guarantee a director's seat, Zalewski agreed. He advised security leaders who aspire to board membership to cultivate their professional brands through speaking, writing and press engagements. "There's a lot that goes into it," he added. "Don't think people will just throw these opportunities at you."
Chief trust officer
The emerging chief trust officer (CTrO) role marks another possible stop on the CISO career path. In a keynote address at the Forrester Research Security & Risk Forum 2022, analyst Jeff Pollard shared his research on the rise of the CTrO at major enterprises.
"Every single chief trust officer that we found was a former chief information security officer," he said in his address. "This is what they graduated to after being CISOs."
In many cases, Pollard added, these CISOs were "voluntold" that they would be their organizations' first CTrOs, a position that typically reports directly to the CEO and oversees cybersecurity, product security, privacy, risk and compliance.
The rise of the CTrO comes as organizations increasingly prioritize digital trust as a business need, even while grappling with the trust gap. According to Forrester Research, B2B companies typically think buyers trust them far more than they actually do.
"Chief trust officers are being born because, as CISOs, they were already unofficially closing that gap between how confident a company is in regard to trust and what the reality is," Pollard said.
Even though many didn't seek out their promotions, the former CISOs he surveyed reported high satisfaction levels in their CTrO roles. Pollard said they now enjoy greater internal engagement, spend more time with customers, and directly drive revenue and growth.
"It's like a breath of fresh air, because trust is different [than cybersecurity]. People care about trust," Pollard added. "These leaders said they felt an immense sense of accomplishment, with the CTrO role making them relevant in an entirely different way than they had been relevant before."
Cybersecurity expert Akshay Sharma, an advisor at LionFish Tech Advisors, predicted every major organization will have a CTrO by 2030. "Everyone expects increasing transparency and control over how businesses collect and use their personal information," he said.
Other C-suite roles
CSO. More than one in three North American CISOs who participated in the Heidrick & Struggles survey said their ideal next role would be chief security officer (CSO). While some security pros use the terms CSO and CISO interchangeably, CSOs technically have a wider purview, handling both physical and information security.
CIO, CRO, CEO, CTO, CPO, etc. Nearly one in four survey respondents said they would like to work elsewhere in the C-suite: 10% want to be CIOs, 9% aspire to the chief risk officer job and 5% want to be CEOs. Other possible post-CISO roles include chief technology officer (CTO), chief privacy officer and chief product officer.
Christopher Prewitt, formerly a CISO at AmTrust Financial Services, now serves as CTO for cybersecurity risk management provider Inversion6. While he called both the CISO and CTO roles incredibly valuable, Prewitt said the top security role often lacks the broad support and respect of other executives.
"As CISO, you are seen as a cost center and an insurance policy for something that may never happen," Prewitt said. "As CTO, you are viewed as a builder -- someone creating value -- rather than as someone focused on risk mitigation."
Many former CISOs choose to become advisors, consultants, virtual CISOs or in-house strategists. These positions allow them to use their hard-won professional experience and expertise to advance security while shouldering less responsibility and stress than the typical CISO role entails.
As a senior cybersecurity strategist at VMware, for example, former CISO Karen Worstell works with both colleagues and customers in an advisory capacity. Worstell previously served as a BISO at Bank of America and a CISO at AT&T Wireless, Microsoft and Russell Investments. She then took an extended sabbatical to become a chaplain before returning to cybersecurity.
In considering any post-CISO opportunity, Worstell said she keeps two personal criteria in mind. It must have positive human impact, and it must let her influence and improve the discipline of cybersecurity for future CISOs.
"Always try to move toward what you want instead of away from what you don't want," Worstell said. "Most people can't describe what they want in life. So be sure you know what that is before making drastic changes."
Private equity executive
Another option is to advise or take over the security practice at an investment firm. Steve Tcherchian, CISO at cybersecurity vendor XYPRO, said he's seen some former CISOs take this route.
"It gives them the ability to keep their skills sharp and stay on the edge of the newest technology without the never-ending pressure and accountability of a CISO role," Tcherchian added.
Business-oriented security pros -- such as Zalewski, who now advises VCs and is himself an investor -- may also relish the opportunity for growth that comes with greater involvement in the financial sphere.
"In one year, I've learned more about the venture capital, private equity and startup communities than I've ever known," he said.
More to learn
While a multitude of possible post-CISO career paths exist, LionFish's Sharma doesn't see full retirement as a likely option for the typical security leader. "Most retirees need to keep their minds curious and learning -- traits that likely propelled these people to become CISOs in the first place," he said.
To his point, some semi-retired CISOs end up taking on multiple roles in their next chapters, such as -- in the case of Zalewski -- mentor, consultant, advisor and investor. In any such post-CISO position, according to the former Levi Strauss CISO, attitude is key.
"You see some CISOs who just fade away," Zalewski said. "Some want to tell everybody what to do, and they are gently removed from the table. Then you see the CISOs who understand there is still more to learn."