
CISO

Board decks, budget defence, incident accountability, regulator calls. Most weeks are politics and translation, not engineering.

The verdict

Stretch destination, not a planning waypoint. The seat exists, the work is real, and the path there is mostly about who picks you, not what you study. Don't optimise toward it before year eight.

Pick this if
  • You've already run security as a manager or head of, and the next obvious step is executive accountability
  • You can hold a board conversation about risk without retreating into engineering vocabulary
  • You're prepared to be personally accountable when an incident hits the press
  • You actually enjoy the politics, budget defence and regulator-facing work
Skip this if
  • You're still an individual contributor; the title is a fantasy from here
  • You'd resent leaving the technical work behind; you will leave it behind
  • You're chasing the seat for the salary; the fractional and vCISO market pays better per hour for less reputational risk
What "doing well" looks like in the seat
  • You've led at least one major incident end-to-end and lived to tell the tale
  • You can defend a security budget against finance without flinching
  • Engineering, legal and risk all bring you in early, not late
  • You've already been asked to advise other security leaders informally
The bit you're probably underestimating

Most CISO tenures are eighteen to thirty months. The seat is high-paid, high-blame, and the next role after it is usually fractional, advisory or another CISO seat at a different org, not upward promotion. The CISOs who last build a reputation around incident integrity and board credibility rather than technical depth. If you're early career and the planner is showing CISO as a target, that's a stretch destination flag, not a recommendation.


Group CISO / CSO; advisory or board-level work after that. Movement is mostly horizontal once you're in.

Who actually gets in
  • Security Manager
  • Security Architect
  • Head of GRC
  • ex-Big 4 partner
Common misconceptions
  • That it's a senior engineering job. It's an executive risk role with a security label.
  • That CISSP gets you there. CISSP is table stakes; the job is won on incident track record, board credibility, and budget literacy.
  • That every org needs one. Most orgs under ~500 staff buy fractional cover or fold the role into the CTO's remit.

  • vCISO / fractional
  • Board advisory
  • Security consulting partner
  • Risk leadership

Listed because the graph connects them to this role, not because you need all of them. Most practitioners pick one or two.

The serious next step

You've read about the role. The harder question is whether it's the right one for you.

A Career Verdict is the written, practitioner-authored call on your specific route into and out of this role. Six primitives, same format every time.

Built on POST's practitioner-authored assessment framework, calibrated by James from twenty years across helpdesk, infrastructure and security. Framework is human-authored; the verdict applies it to your inputs.