Career path

First-Time CISO: Making the Director-to-CISO Jump

How to land your first CISO seat from a Director or Head of Security role: the real gap, board evidence, retained search, and realistic paths in.

Updated July 6, 2026 · 11 min read · Free, no paywall

You can be an excellent Director of Security and still be years away from a CISO seat, not because you lack anything technical, but because nobody with hiring power has ever seen you do the parts of the job that get CISOs hired. I’m writing this while running interview loops for security leadership at a large company and simultaneously interviewing for my own first CISO seat, so I’m seeing both sides of this transition in the same month. Here is what actually separates the people who make the jump from the people who stay Directors for another five years.

The gap is altitude, not knowledge

Nobody fails a CISO interview because they can’t explain zero trust. The knowledge bar between a strong Director and a CISO is nearly flat. The altitude bar is a cliff, and it shows up in three specific ownership shifts.

You own risk acceptance instead of escalating it

As a Director, when you find a risk the business won’t fund, you escalate it. Your CISO decides whether to accept it, and their name goes on the decision. As CISO, you are the end of that chain. When the CFO says the segmentation project waits until next fiscal year, you either sign the risk acceptance or you fight it at the executive table, and either way you own the consequence. Interviewers probe for this constantly. When they ask “tell me about a risk you accepted,” a Director-shaped answer describes convincing someone else to accept it. A CISO-shaped answer says: “I accepted it, here was my reasoning, here’s the compensating control I put in, and here’s how I documented it so the board knew.”

You own the narrative, not the metrics

Directors report status. CISOs construct meaning. The board doesn’t want your vulnerability counts; they want to know whether the company is more or less exposed than last quarter, whether that’s acceptable for the risk appetite they’ve set, and what it costs to change the answer. If you’ve never had to compress a quarter of security work into four minutes for people who will interrupt you at minute two, you haven’t done the core job yet. Our guide to the CISO board presentation covers the mechanics, but the mindset shift matters more than the deck.

You compete for budget against other executives

As a Director, your budget fight is internal to security. As CISO, your incremental $2M competes directly with the CRO’s sales hires and the CTO’s platform migration, in the same planning meeting, in front of the same CFO. You have to argue that a dollar spent on security beats a dollar spent on revenue, which is a genuinely hard argument, and you have to lose it gracefully sometimes without becoming the executive who cries wolf.

The “too technical” kill signal

I’ve now watched candidates die on this in loops I’ve run, and I’ve caught myself doing it in loops I’ve sat in as the candidate. “Too technical” is the most common rejection reason for Director-level candidates going for their first executive seat, and it’s almost never about actual technical depth. It’s about four specific behaviors.

Answering a business question with an architecture

Interviewer: “How would you think about security for our upcoming European expansion?” Kill-signal answer: starts with identity federation and data residency controls. Passing answer: starts with what the expansion is worth, which regulators now have jurisdiction, what the contractual security commitments to European enterprise customers will look like, and then what has to be true technically. The fix is mechanical: for every answer, force yourself to say the business consequence before you say anything with an acronym in it.

Leading with tooling

If your answer to “how did you improve detection?” is a vendor name, you’ve positioned yourself as the person who operates the program, not the person who owns it. Executives buy outcomes. The repositioning: “We cut median time-to-contain from days to hours, which mattered because our cyber insurer had flagged response time in renewal negotiations.” The tool is a footnote if it comes up at all.

Describing your team’s work instead of the business outcome

“My team built out the vulnerability management program” is a Director sentence. “We took the exploitable attack surface on revenue-critical systems down 70% in a year, which closed the last open finding from the enterprise customers’ security reviews” is an executive sentence. Same work. The second one gets you the job.

Hedging every risk statement

Technical people hedge because precision is a professional virtue. Executives hear hedging as an inability to decide. “It depends on the threat model” is true and disqualifying. The fix is to commit to a position and carry the uncertainty explicitly: “I’d accept that risk for twelve months, and here’s the trigger that would change my mind.” Boards don’t want you to be certain; they want you to be decisive under uncertainty, which is a different thing. The full list of questions where this gets tested is in our CISO interview questions breakdown.

The four realistic paths in

Almost nobody goes from Director at one company to CISO at a comparable company in one move. Here are the paths that actually happen, with the tradeoffs nobody puts in the job description.

Internal promotion when your CISO leaves

The best-odds path, because you’re the only candidate whose executive presence the CEO has already seen. The tradeoff: you often get the seat at a discount, with “interim” titles that drag on, compensation set against your old salary rather than the market, and a board that still thinks of you as the deputy. If you go this route, negotiate the title and comp before you take the interim role, not after you’ve done the job for free for nine months. Our compensation negotiation guide covers the interim-to-permanent conversion specifically.

Deputy CISO stepping up

If your company has a formal deputy role, take it even if it feels lateral. Deputies inherit board exposure, incident command, and regulator relationships, the exact evidence a first-seat search screens for. The tradeoff: you’re betting on your CISO leaving on a timeline you don’t control, and some CISOs treat deputies as lieutenants rather than successors. Ask directly in the first month: “Is this a succession role?” The answer tells you whether to stay.

First security executive at a smaller company

Joining a $100–400M company as their first VP of Security or CISO is the most available path. You get the title, the board access, and full ownership immediately. The honest tradeoffs: you’ll build with a fraction of your current budget, you’ll personally do work you used to delegate, and if the company doesn’t grow, the title doesn’t fully transfer upmarket: a CISO seat at a 300-person company doesn’t automatically qualify you for a 5,000-person one. It does, however, beat another three years as a Director for search-firm purposes, because it converts you from “aspiring” to “sitting.”

VP Security as the on-ramp

At many companies the top security job is titled VP of Security, not CISO, and functionally it’s the same seat: top security executive, board reporting, budget ownership. Take the scope, not the title. When you interview for the next role, what gets probed is whether you owned the risk register and presented to the board, not what your business card said. The CISO interview guide goes deeper on how interviewers actually distinguish title from scope, and how to represent a VP role without inflating it.

Building board evidence before you have the title

This is the part most Directors get wrong. They wait for the title to get board exposure, but the title requires board exposure. You break the loop by borrowing your current CISO’s altitude, and every one of these produces an artifact a recruiter can probe.

Present a section of the board deck. Ask your CISO to give you five minutes of their next board or audit-committee slot: a program update, an incident retrospective, a metrics section. Most CISOs will say yes because succession planning makes them look good. Now “have you presented to a board?” gets a yes with a date and a topic instead of a hedge.

Run the audit-committee prep. Even if you never enter the boardroom, owning the pre-read (the deck, the anticipated questions, the pre-briefing of the committee chair) teaches you what boards actually ask, which is nothing like what Directors expect. Insider detail: experienced recruiters distinguish between “presented to the board” and “built the board materials,” and they’ll ask which one you did. Both count; lying about which is fatal, because they will back-channel it.

Facilitate executive tabletops. Running a ransomware tabletop with the CFO, GC, and CEO in the room is the closest simulation of the actual job that exists. You learn how executives behave under ambiguity, and they learn your name. When a first-seat interviewer asks “how would you handle a disclosure decision?”, answering from a real exercise with real executives beats answering from theory every time.

Do the M&A diligence work. If your company acquires anything, volunteer to run security diligence. It’s the fastest available education in reading a business through a security lens, and “I ran security diligence on two acquisitions” is a line that makes search partners sit up, because it signals you’ve already worked directly with corp dev, legal, and the deal team. That is the cross-functional altitude the job requires.

Keep the receipts: deck sections with your name in the file metadata, tabletop after-action reports, diligence summaries you authored. When a search firm asks for evidence, you want documents, not anecdotes. Our templates include board-deck and tabletop formats you can adapt so the artifacts you create are executive-grade from the start.

Above roughly $500M in revenue (and at almost any public company), CISO searches go through retained executive search firms, not job postings. If a CISO role at a large company is publicly posted, one of three things is true: the search firm posted it for compliance reasons and already has a slate, the company is too cheap to retain a firm (a signal in itself), or the posting is a backup to an internal candidate. Cold applications into these processes convert at close to zero. This isn’t gatekeeping for its own sake; boards pay retained firms specifically to bring candidates who’ve been pre-vetted for executive presence, and an inbound resume hasn’t been.

Getting on the radar

Search partners build their CISO benches years before they need them. The reliable ways in: get referred by a sitting CISO who has placed with that firm (the single strongest signal), take the 30-minute “market mapping” calls when researchers reach out even when you’re not looking (those calls are how you get entered into the database as a candidate rather than a source), and be generous as a reference and a source of candidates yourself. Insider detail: when a researcher calls you for names for a search you’re not right for, the quality of the names you give is itself an audition. Partners remember who sent them good candidates.

Using your current title honestly

Never inflate your title. Firms verify, and one caught inflation ends the relationship permanently. What you can and should do is state scope alongside title: “Head of Security, reporting to the CTO, owning a 40-person org and the board security update” positions you accurately as CISO-ready. If you present the current CISO’s deck sections, say exactly that. Search partners place people into stretch roles all the time; what they can’t do is stake their credibility on someone who shades the truth, because their fee depends on the placement sticking.

Timing and the market you’re actually in

A realistic first-seat timeline: individual searches run four to eight months from first recruiter call to signed offer, and most first-time candidates go through two or three full processes before one closes. From the day you decide to pursue the seat to the day you start, plan on nine to eighteen months. Budget your energy accordingly: a full CISO loop is six to ten interviews plus a presentation exercise, and running two loops while doing your day job is a part-time job in itself.

The first seat is the hardest one you will ever land, for a structural reason: every company wants a sitting CISO, and search firms are paid to deliver low-risk slates, so first-timers are the risk on every list. Your second CISO search will be dramatically easier even if your first seat is small. That asymmetry should change your math: a first seat at a smaller company than you’d prefer is usually worth more than holding out two years for the perfect one.

When to take the stretch role instead

Take a deputy CISO or VP Security role instead of continuing to chase the top seat when any of these are true: you’ve gotten to final rounds twice and lost to sitting CISOs both times (the market is telling you what’s missing, so go get it), the deputy role comes with explicit succession language, or the VP role is the top security job at a real company even without the C-title. Don’t take the stretch role when it’s a title without the scope: deputy to a CISO who won’t share the board relationship teaches you nothing you don’t already know.

One more insider detail worth internalizing: interviewers increasingly end loops by asking some version of “what would your first 90 days look like here?”, and first-time candidates reliably answer it like Directors, leading with an assessment of tooling and team. Answer it like an executive: stakeholders first, risk picture second, quick wins third, roadmap last. Work through the CISO 90-day plan before your first loop, not after your first offer, and use the 90-day plan builder to have a concrete, company-specific answer ready. Walking into a final round with a one-page 90-day sketch tailored to that company is the cheapest differentiation available to a first-time candidate, precisely because sitting CISOs rarely bother.

What to do this quarter

If you’re 0–12 months out, sequence it: this month, ask your CISO for a section of the next board or audit-committee deck. This quarter, run one executive tabletop and write the after-action yourself. Within six months, have two search-firm relationships where you’re in the database as a candidate, and have your scope-forward positioning (title, reporting line, board exposure, budget owned) down to two sentences you can say without hedging. The jump from Director to CISO is not a promotion you wait for. It’s a case you build, and every piece of evidence above is buildable from the seat you’re in right now.

Frequently asked

How do I become a CISO from a Director of Security role?

Build documented board and executive exposure before you have the title: present sections of the board deck, run audit-committee prep, facilitate executive tabletops. Then target realistic entry points (internal promotion, deputy stepping up, or first security executive at a smaller company) rather than cold-applying to large-company CISO postings.

Do I need a CISSP to become a CISO?

No. Certifications almost never decide a CISO hire. Boards and CEOs hire for judgment, communication, and evidence you can own risk decisions. A CISSP can help pass early recruiter screens at conservative companies, but no certification substitutes for board-facing track record.

How long does it take to land a first CISO role?

Plan on 9 to 18 months from deciding to pursue the seat to signing an offer. Individual searches run 4 to 8 months, most candidates go through two or three processes before one closes, and the first seat is the slowest one you will ever land.

Is VP of Security the same as CISO?

Often functionally yes, especially at companies under roughly $1B in revenue where the VP of Security is the top security executive. What matters is scope: do you own the risk register, present to the board, and control the budget? A VP title with executive scope is a legitimate first seat and a common on-ramp to the CISO title.

Free template

Steal the 90-Day CISO Plan

The exact 90-day plan structure hiring panels expect: the single asset every CISO candidate gets asked for. Free, editable, yours in one click.

Instant access, no confirmation hoops. Occasional emails on landing the seat; unsubscribe anytime.