Emily Heath, Board Member, Former CISO
Nicole Ford, Global VP & CISO, Rockwell Automation
Myrna Soto, Board Member, Former CISO
Meredith Harper, SVP, CISO, Synchrony Financial
NOVEMBER 2023
As a CISO, you have spent the majority of your career in information security, ascending to the top – the CISO role. You're finally there, but what's next? What are your career options, and how should you prepare for exploring them?
At the recent Global CISO Executive Summit, two current and two former CISOs came together to lead a discussion on how to set yourself up for success when transitioning to the next steps after a CISO role. Leading the lively conversation were Nicole Ford, Global VP and CISO at Rockwell Automation; Meredith Harper, SVP and CISO at Synchrony Financial; Emily Heath, Former CISO and Board Member; and Myrna Soto, Former CISO and Board Member. They shared their experiences in changing roles and industries, obtaining Board roles and what they’ve learned along the way.
Strategically Planning the Next Steps After Your CISO Role
To tee up your next role, the executives agreed that you need to have a plan and you need to be strategic about your career path. Meredith shared, “I've been orchestrating my exit ever since I entered the cybersecurity industry.” She went on to explain that 10 years ago, she started getting serious about obtaining board roles. She said she thought about, “How do I strategically move myself into a space where I can start building a CISO profile that is attractive?”
The panelists agreed that “not all CISO roles are good roles.” The brand, the industry, and the work you are able to take on are important factors – especially gaining experience beyond the CISO role.
“Every CISO role is not created equal.”
– Meredith Harper
SVP, CISO, Synchrony Financial
Myrna agreed that CISOs need “to be very strategic.” Meredith shared that “every role won't make you attractive in the board space.” When she first started applying for board roles, for instance, she noticed that she kept getting beat out and it was almost always by someone in the financial services industry.
Gaining Broad Business Experience Beyond Security & Risk Management
The executives were unanimous in sharing that CISOs need to have broad business experience, not just security expertise. Emily shared that she had “always planned to serve on boards and have a life after being a CISO.” In order to get there, she said, “I knew that you couldn't just be a security executive to be on a public board; you had to be a broader business professional.”
In addition to expanding their work beyond cybersecurity and risk management, the panelists noted that CISOs should think about what a board is looking for, including the ability to impact revenue.
Myrna added, “If you present yourself as the technical CISO, you're dead. You have to be business centric, and that business centricity will get you on the radar. It's very difficult without it.”
“When you can demonstrate that you're first a business executive, and second a cyber executive, you'll start to stand out.”
– Myrna Soto
Board Member, Former CISO
Meredith added, “If you're now not getting the opportunity to build and flex that business muscle, you must learn quickly – your technical knowledge will not carry you. You must be able to translate insights into business language.”
CISO Roles with Big Brands and in Key Industries Are Important
The security leaders recommended being thoughtful about the companies and industries in which you are working. Emily shared that “working for United gave me a bigger platform. It was a brand, which gives you more visibility and opportunity. The brand is super important.”
Myrna suggested that CISOs think about working in multiple industries, and Nicole agreed that “industries matter.” Meredith went back to her experience trying to get board roles while working in the healthcare industry. “Experience in a healthcare setting wasn't cutting it,” she said. “It wasn't attractive enough.” Meredith made the move to Synchrony Financial to diversify her background and add the financial services industry to it.
Meredith emphasized that the brand matters in pursuing future board roles, and shared, “Even if it's a large company regionally, moving to a national and international brand is critical to stand out.”
Positioning Yourself as a Direct Report to the CEO
The four executives also shared the importance of CISOs’ reporting structure and the value of reporting directly to the CEO. Myrna said, “I was in the technology space for over 30 years, and for 26 of them, I didn't report to the CIO.” She added, “You should always have a direct reporting relationship to the executive management committee. This is a key piece in elevating your role in this profession and carving a place for yourself outside of technology.”
Emily agreed, saying, “I firmly believe we need to elevate our visibility as CISOs to get the experience we need to get on a public board… If you can, you should always negotiate CEO reporting, as that will open up more doors down the road.”
Taking the Time to Carve Out Next Steps
Myrna noted that everyone in the discussion had taken a completely different approach to their post-CISO roles. The panelists shared that since CISOs suffer burnout more quickly than other C-level roles, it’s especially important to think ahead. While most CISOs are “heads-down” and focused on their current jobs, they need to carve out some time to plan their path forward.
Myrna said, “This is so important. Build your team, and pull your head up… use some of your time out of the security space.”
Meredith encouraged others to consider opportunities outside of board roles, as well. “Think about – how do I take 30-plus years of experience and deliver that to an academic environment to teach cybersecurity leadership?” She noted the gap between security education and “students being prepared to hit the ground running and step into leadership roles.”
Myrna brought the discussion to a close, noting, “I have failed at retirement 3 times. I now call it ‘rewirement.’ This role is no less work, but I definitely sleep better at night.”
Content adapted from the Global CISO Executive Summit. Special thanks to all participating companies.