Career path

How CISOs Actually Get Hired: Search Firms, Back Channels, and the Hidden Market

How CISO hiring really works: retained search firms, internal recruiters, back channels, and how to get on the radar before the seat opens.

Updated July 7, 2026 · 11 min read · Free, no paywall

Most CISO jobs are filled before you ever see them. That is not a complaint about the system; it is the single most useful fact you can internalize before starting a search. I am a security executive at a large technology company, and in my own search right now I have been through enough loops on the candidate side (retained searches, internal exec recruiting, and a back-channel conversation that started at a dinner) to see the machinery clearly. This guide is what I wish someone had drawn on a whiteboard for me two years ago.

If you are a Director or Head of Security planning the jump, read this alongside the first-time CISO guide, because how you get hired shapes the job you inherit.

The Three Channels, Honestly

There is no reliable survey data on how CISO seats get filled, so treat what follows as observed pattern from someone inside the market, not statistics. But the pattern is consistent enough that every sitting CISO I compare notes with describes roughly the same distribution.

Retained executive search fills most CISO seats at companies above roughly $1B in revenue, and a large share below that. When a board or CEO decides they need a security executive, the reflex is to call Heidrick & Struggles, Russell Reynolds, Spencer Stuart, Egon Zehnder, or Korn Ferry (or, for startups and growth-stage companies, a tech boutique in the Riviera Partners tier). The firm is paid a third of first-year cash whether or not you specifically get hired, which changes their incentives in ways worth understanding (more below).

Internal executive recruiting dominates at large technology companies. Firms with mature talent functions employ their own executive recruiters who run CISO and VP Security searches in-house. These recruiters are less visible than search partners but just as important: they maintain their own pipelines, they source continuously even when no req is open, and a relationship with one of them can surface roles that never touch an external firm.

Back channels fill the rest, and at the most senior levels the proportion grows: board members who have watched you present, investors who run CISO networks across their portfolios, the deputy who steps up when the incumbent leaves, vendor advisory circles, and the small number of CISO communities where real referrals happen.

And then there are public job postings, the smallest and worst channel for real CISO seats. Here is the uncomfortable read on a posted CISO req: it usually signals one of two things. Either the role is a compliance-checkbox position (the company needs to tell auditors and customers someone owns security, with limited mandate and budget) or a retained search already ran and failed, and the company is now trawling. There is a third, more benign case: some companies post the req for pay-transparency or internal-mobility compliance while the retained search runs in parallel, and the posting is functionally decorative. In all three cases, the application portal is the lowest-probability door into the building. Use postings as market intelligence (who is hiring, at what level, at what comp band), then find a warm path in.

Once a firm signs the engagement, the search runs in phases, and you can influence each one, but only if you know what is happening on the other side of the glass.

The spec meeting. The partner sits with the CEO, the hiring executive, and sometimes board members to write the position spec. This document decides your fate before you exist in the process: it fixes the reporting line, the scope, the target profile (“scaled security at a public company” versus “built a program from Series B”), and the comp band. If you ever get a chance to shape a spec (say, a CEO calls you informally for advice before engaging a firm), that is the highest-leverage moment in the entire market. The distinction between a real CISO seat and a retitled director role often gets baked in right here; the VP of Security versus CISO guide covers how to read that distinction in a spec.

Research and the long list. Associates, not the partner, build a long list of 60 to 100 names. They work from LinkedIn boolean searches keyed to the spec language, conference speaker agendas, the firm’s internal database of everyone who ever returned a call, and peer referrals from CISOs the partner trusts. This is why findability is not vanity: if your LinkedIn headline says “Cybersecurity Leader | CISSP” instead of language that matches how specs are written, an associate scanning 300 profiles at speed will not map you to the role.

Calibration candidates. Here is an insider detail that stings the first time you learn it: early in a search, the partner shows the client two or three candidates whose real purpose is to calibrate the spec: to test whether the client actually wants what they wrote down. If you are contacted in weeks two or three of a search, moved quickly to a client conversation, and then hear nothing, you may have been a calibration candidate. The tells: the partner’s prep is thin, the conversation is more about your background in the abstract than the role in the specific, and feedback is vague. It is not personal, and handled well it still builds the partner relationship. But do not spend emotional capital on it.

The slate. The real deliverable is a slate of four to six candidates, presented with the partner’s written assessment of each. You will never see this document. It covers your track record as the partner verified it, their read on your executive presence, perceived risks, comp expectations, and, critically, anything you said to them, in any conversation, ever. Search firms keep longitudinal notes. The offhand comment you made three years ago about hating board work is in the file.

References before you offer them. Partners run informal, off-list reference calls to mutual contacts before the formal reference stage, sometimes before you are even on the slate. Your reputation in the CISO community is being checked while you think you are still in early conversations. This is the mechanical reason why how you treat peers, vendors, and former teams compounds.

One more structural fact most candidates never learn: search firms observe off-limits agreements: they will not recruit executives out of companies that are active clients. If a major firm has never once called you despite a strong profile, it may be because your employer is on their client list, not because you are invisible. This is a real argument for knowing partners at more than one firm.

Getting on the Radar Deliberately

You cannot apply your way into this market, but you can absolutely engineer your presence in it. Three moves, in order of effort.

Be findable. Your title and LinkedIn must survive an associate’s ten-second scan. If your internal title is “Senior Director, Security Engineering” but you run the whole program, your LinkedIn headline should say what you do in spec language: scope, team scale, board exposure, domains owned. Write the summary the way specs are written (“built and led,” “reports to,” “owns”), not the way résumés for engineers are written. Conference talks matter less for the audience in the room than for the associate who scrapes the speaker list six months later.

Be referred. The single highest-yield ask you can make of CISO friends costs them nothing: “If a searcher calls you about a role and it’s not for you, mention my name.” That is it. Every active CISO gets recruiter calls monthly; most decline and hang up. You are asking them to spend five extra seconds converting their no into your introduction. Make the ask explicitly and specifically. Vague “keep me in mind” requests produce nothing.

Cultivate two or three search partners before you need them. This is the long game and it is the one most people skip. Take every recruiter call, including, and especially, the ones for roles that are wrong for you. A call about a wrong role is a free audition: the partner learns how you think, how you communicate, and what you actually want, and they log it. Be generous with referrals; when the role is wrong for you, give them two strong names and context on each. Become a source before you become a candidate. Partners keep mental (and literal) lists of executives who help them close searches, and when the right seat opens, sources get the first call. In my own search right now, the two most productive relationships are with partners I first spoke to about roles I declined years ago.

Back Channels in Depth

Back channels are not a euphemism for nepotism. They are how the highest-trust hires happen, and they have a specific anatomy.

Board members who have seen you work. Every time you present to your board or audit committee, you are auditioning for seats at every other company those directors touch. Directors sit on multiple boards, and “we need a real security leader” conversations happen in those rooms constantly. This is a strong argument for treating board presentations as a craft, and for staying in light-touch contact with directors who rotate off.

Investors and VC CISO networks. Most major venture and growth-equity firms run security leader networks for their portfolios: some formal with dedicated talent partners, some just a Slack and a dinner series. When a portfolio company needs a CISO, the talent partner’s first move is to poll that network, not call a search firm. Getting into these networks usually requires being a security leader at a portfolio company or being referred in by one; once in, contribute visibly.

The deputy-steps-up path. A meaningful fraction of first-time CISOs are simply the strong deputy promoted when the incumbent leaves: no search, no slate, no external candidates. If you are a deputy, your “search” is largely internal: making sure the CEO and board know you before the vacancy, not after. If your CISO leaves and the company opens an external search anyway, read that signal honestly.

Vendor and community relationships. Vendor CISO advisory boards, practitioner communities, and the informal dinner circuits are where reputations circulate. Vendors’ executives talk to hundreds of CISOs and boards; more than one seat gets filled because a vendor CRO said “you should talk to this person” at the right moment.

The structural advantage of every back-channel path: it skips the calibration slate entirely. There is no long list, no four-to-six candidate comparison, often no competing finalists. You are evaluated against the role, not against a curated field, which is why back-channel offers tend to move faster and negotiate better. It also means more of the diligence burden falls on you: with no partner pressure-testing the role, run your own screen using the offer red flags guide before you fall in love.

Timing Mechanics

A healthy retained CISO search follows a recognizable clock:

  • Weeks 1–2: spec. Partner meets the client, writes the position spec, aligns stakeholders on profile and comp.
  • Weeks 3–6: research and long list. Associates build and screen the long list; the partner makes first outreach calls; calibration candidates surface.
  • Weeks 7–10: the slate. Four to six candidates interview with the hiring executive and key stakeholders; the field narrows to two or three.
  • Weeks 11–14: finals and references. Finalist loops, board or CEO conversations, formal references, offer construction.

Total: roughly 14 to 20 weeks to a signed offer, with slippage for holidays, reorgs, and indecisive clients.

Two timing implications. First, candidates can and do enter late: slates get refreshed in weeks 8 through 12 when the client rejects the first field, and a strong referral at that stage can jump the queue entirely. If a partner calls you about a search that is “already down to finalists,” they are usually telling the truth and hedging: a late entrant with a clean story can still win. Second, a search that has been open nine months or more is a red flag about the role, not an opportunity created by attrition. It usually means the spec is broken: the company wants a board-facing executive at a director’s comp band, or the CISO reports somewhere no serious candidate will accept, or finalists keep walking after meeting the leadership team. Ask the partner directly how long the search has been running and whether a slate has already been presented; their answer, and their comfort giving it, tells you a lot.

What Kills You Before the First Interview

Most candidacies die in the recruiter screen, invisibly. The recurring causes:

Comp stated too early and too rigidly. The first screen call includes a comp question, and its purpose is disqualification, not negotiation. Give a range anchored to structure (“my expectations depend on equity and scope, but directionally I’m at market for this level of role”) rather than a hard number. A number too high gets you cut for budget; too low gets you cut for seniority. Save the real conversation for when you have leverage. The compensation negotiation guide covers sequencing.

A LinkedIn that reads IC-technical. If your profile leads with certifications, tools, and hands-on skills, the associate codes you as a strong engineer, not an executive, and you never reach the partner. Executives describe outcomes, scope, and teams.

No story for “why are you leaving.” The partner will ask, the client will ask, and “I’ve hit a ceiling” delivered with hesitation reads as “there’s something you’re not telling me.” Build a two-sentence answer that is true, forward-looking, and boring, and rehearse it until it sounds unrehearsed. The CISO interview guide treats this question at length.

Bad-mouthing your current employer to a recruiter. This one ends candidacies quietly and permanently. Everything you say to a search partner is client work product: it goes in the written assessment, and partners relay tone as much as content. Criticism of your current company reads as risk: you will talk about the client the same way in two years. Frustrations are fine to hold; the recruiter is not your therapist.

Run It Like a Program

The through-line: the CISO market rewards people who invest before they need to. Findability, referability, and two or three genuine search-partner relationships are assets you build over years and draw down in weeks. Start the flywheel now: take this month’s recruiter call you were going to decline, make the “mention me” ask of three peers, rewrite your headline in spec language.

And prepare for what comes after the offer with the same discipline. The way you enter the seat determines your first year; the 90-day plan walks through it, and the templates library has the working documents (outreach notes, tracking sheets, and the interview prep materials) to run your search like the program it is.

Frequently asked

Which executive search firms place CISOs?

The big retained firms (Heidrick & Struggles, Russell Reynolds, Spencer Stuart, Egon Zehnder, and Korn Ferry) handle most CISO searches at large companies. Cyber-focused and tech boutiques in the Riviera Partners tier cover much of the startup and growth-stage market. Most firms have one or two partners who own the security practice, and those specific partners are who you want to know.

How long does a CISO search take?

A healthy retained search runs roughly 14 to 20 weeks from kickoff to signed offer, with candidate interviews concentrated in weeks 7 through 14. Back-channel hires can close in half that time because they skip the research and slate phases. A search open for 9 months or more usually means something is wrong with the role, not the candidate pool.

Should I apply to posted CISO job listings?

Rarely as your primary strategy. Real CISO seats at substantial companies are mostly filled through retained search and referrals before a posting exists, and a public posting often signals a compliance-checkbox role or a search that already failed once. Applying costs little, but treat postings as intelligence about who is hiring, then work a warm path into the same company.

How do I get CISO recruiters to notice me?

Make yourself findable and referable. Use a LinkedIn headline and summary that match search-spec language, speak or publish where researchers look, take every recruiter call even for wrong roles, and give generous referrals so partners learn to call you first. Ask two or three CISO friends to mention your name when a searcher calls them about a role they don't want.

Free template

Steal the 90-Day CISO Plan

The exact 90-day plan structure hiring panels expect: the single asset every CISO candidate gets asked for. Free, editable, yours in one click.

Instant access, no confirmation hoops. Occasional emails on landing the seat; unsubscribe anytime.