
The Technology Talent Market: "Growth CISO" Edition

By Heller

Feb 4, 2026


Jason Henninger, Heller Managing Director, explains why "growth CISOs" are so valuable in today's marketplace, how to identify and attract the best candidates, and how job-seekers can find success. 


The role: The CISO role has evolved from a defensive gatekeeper to a strategic growth enabler. Today’s security leaders understand that while emerging technologies expand attack surfaces, it is not enough to view cybersecurity through a defensive lens.

Security regulations are always changing, which can slow down new product releases. Our most successful "growth CISO" candidates implement compliance frameworks, like the Federal Risk and Authorization Management Program (FedRAMP), the Cybersecurity Maturity Model Certification, or the Health Information Trust Alliance, to get ahead of those requirements and enable an accelerated sales cycle.

Growth CISOs not only stay ahead of the regulations that could slow them down; they also give their sales teams the ability to assure customers that their data is secure. Growth CISOs help their companies communicate clearly how their data collection policies impact their customers.


Why they are in demand: Companies need to understand their customers, so collecting customer data has become a key part of most business operations. Whether we like it or not, this data collection is happening right in our houses through connected devices, including security cameras and smart speakers. The demand is high for CISOs who understand that their role is not to put up roadblocks for the sake of security but to partner with business leaders to ensure security and speed time to market.

Most companies are moving from a project to a product model, which requires a very different approach to cybersecurity. In the traditional project model, security was on the sidelines until it was late in the product development process. A growth CISO advances new agile and product delivery models, and is a part of product development, not an afterthought.

Whether the product is a new SaaS platform, ERP system, or even connecting data points between different functions, if you don't include a CISO at the beginning of those discussions, you will lose time in the end. Failure in technology implementation comes from not having the right people at the table, including the CISO. 

What they do for their companies: One force that works against growth is organizational silos, where people stay in their own lanes and don't talk to each other. This is especially true for cybersecurity; no one wants to talk to the cyber team, because they assume they will block their progress. Effective CISOs break down silos, both within IT and with other functions. Rather than say "You can or can't do this," they understand the risk acceptance for a new solution and share risk ownership responsibilities with their business partners.

The CISO is one of the few end-to-end leaders positioned to look across the enterprise, build relationships, and drive consistency. Like the CIO, this role touches every system, process, person, and product in your organization. That makes the CISO role a critical opportunity for transformational leadership. An old-school CISO might keep you safe, but they're plugging up a valuable leadership position that should be driving business partnership, alignment, and growth.

This is especially true for AI enablement. If you don't have a throughline connecting your data and processes, you won't be able to implement AI successfully. A growth-oriented CISO draws that throughline and builds the security posture that gives you confidence.

With the right CISO, you can say, "We're implementing this AI tool because we have security in place," rather than, "Let's do a proof-of-concept and see what happens." Without that foundation, you're already behind the eight-ball. 

How to spot them: Growth CISOs demonstrate enterprise-wide influence and fluency in how data drives growth. They stay current on emerging tech and know their vendors. Without an enterprise influencer as CISO, you'll face too many providers with no consistent cyber program. When CISOs fail at business partnership, they fail at vendor management, putting your company at risk.

With boards, standout candidates don't just report—they influence by discussing risks tied to growth strategy and offering alternatives that balance security with time-to-market. They understand boards manage risk but prioritize revenue growth.

Technical background matters. Top candidates have software engineering experience or computer science education. While business influence is critical, CISOs need credibility with technical teams. I rank backgrounds: software, networks, then audit. However, soft skills and track record almost always outweigh credentials.

Software engineering backgrounds provide credibility and enable CISOs to effectively challenge vendor CTOs on third-party risk—something audit backgrounds may lack.

Seek CISOs who've worked at two to three companies and ideally survived a major security incident. If your program lacks maturity, consider a deputy CISO who executes tactically but communicates strategically.

Military and government backgrounds bring valuable external networks for tracking nation-state threats.

What they want: CISOs want a seat at the strategic table. Whether they report to a CFO, CEO, or CIO, they want direct access to the board and the executive leadership team. Many CISOs require Directors and Officers insurance to protect their own liability.

For compensation, much depends on business context, but CISOs care a lot about the comp band. For example, if the CIO earns $400K in base compensation, and the CISO is offered $200K, that is an indication of how valuable the organization considers the role.

To attract top CISO talent, demonstrate that your company takes security awareness seriously. When the CEO drives this message from the top—"we're in this together"—it signals a collaborative culture. Being able to tell CISO candidates, "We have a security-aware culture here, and leadership is committed to being your business sponsor," is a game changer in CISO recruiting.

What the boss should know: I advise our clients to ask CISO candidates how they establish collaboration from the start. I’d also ask how they worked with a CIO. There can be conflict between a CIO, who wants to deliver quickly, and the CISO who is focused on risk. "Hey, can you just go easy on me on some of these vulnerabilities so we can get this across the finish line so they're not breathing down my neck?"

Ask them how they look for opportunities to use cybersecurity as a differentiator to drive business growth. One watch-out: product security experience matters more than ever. "Product" can mean many different things depending on your company, but whether you're delivering products internally or externally, you need a CISO who understands product security. Today, product security is as important as enterprise security, and the two are merging.

You know you've landed a keeper when: People aren't afraid to work with the CISO. 

Jason’s pro tips for growth CISO candidates: Don't neglect your LinkedIn profile. Recruiters will Google your name and look at your LinkedIn, which is your digital resume. Both your LinkedIn and your resume should showcase outcomes, not just responsibilities. Industry-specific achievements are particularly compelling: "I implemented FedRAMP certification, which enabled us to win government contracts and grow revenue."

Jason: Why do you love this work? The CISO role is so important but so misunderstood, and that's why I feel very connected to this work. The "growth CISO" is rare enough that an opening creates real opportunity. Beyond the business opportunity, this work is deeply meaningful to me on a personal level.

Everything is at our fingertips now—all our information, all our data. Security matters not just professionally but personally, for me and my family. When I log into an app, is my data safe? When I use my credit card, will someone steal my information? This all falls back on cybersecurity now.

The CISO role is still evolving and hasn't been fully defined yet, especially when you think about AI and emerging technologies. That's what makes it fascinating. But the impact is so critical that the faster we can educate companies and place very good growth CISOs in our client organizations, the better it is for everyone.
