Career Advisor: The Top Five Reasons CSO Candidates Don't Get Hired

Stuck one level below the CSO?
A security recruiter shares the top mistakes job candidates make when they try to move up.
By Jeff Snyder

You worked hard, finished one or more college degrees and maybe even earned multiple security certifications. In your mind, you now qualify to lead the charge on the most technically challenging security issues any industry can place in your path. But wait, you’re stuck at a professional level that is less than your dream job.

How did this happen? You probably have been paying too much attention to technical skills, and have not put enough focus on your interpersonal and business skills. In working with my clients to recruit C-level security executives, I find that security candidates often tend to come up short for one of the following reasons.

1. Poorly Written Resumes
Think of your resume as a technical writing project. Your resume, cover letter and any other correspondence you share with a prospective employer or recruiter are all chances to demonstrate that you have strong writing skills. Overall, many technology and information-security professionals place too much emphasis on filling their resumes with laundry lists of technology buzzwords and lists of certifications. Although you might think that earning multiple certifications looks good on your resume, employers tell me that certifications don’t mean much unless there is quantifiable and measurable evidence that backs up that expertise.

2. Inadequate Communication Skills
If you’re serious about becoming a security executive, your verbal and written communication skills have to be at least as polished as your technical skills. As more and more regulations are created to drive security and risk management, security professionals must develop sales skills, diplomacy skills, negotiation skills and exceptional presentation skills. Security executives become their company’s voice to outside auditors, regulators and business partners. Security leaders need discipline to know what to say, when and how to say it, and when to say nothing at all.

3. Under-developed Understanding of Business Needs
Only three to five years ago, the business of security was driven by security technology. In today’s market, security executives still need to have appropriate credentials such as the CISSP, CPP and/or CISA designation, but more importantly, they need to understand business, security and risk management. A security executive must be able to identify, quantify and measure risk. Business owners will embrace a security leader much more quickly when they’re convinced that the security executive is there to enable their business to do business, and not to keep the business from performing.

4. Fabricated or Exaggerated Skills on a Resume
I remember one recent candidate who interviewed with a client who requires heavy Cisco certifications. The candidate was book-smart and highly certified, and his attitude bordered on cocky. In fact, for the first time ever, when I was attempting to prepare him for his interview, I was asked if I was trying to be patronizing. After a brief phone interview, my client--who is loaded with Cisco certifications himself--called back and rated the candidate a 2 on a scale of 10, where 10 is the desired score. It turns out that the candidate’s real-life experience with Cisco products was barely beyond the entry-level after working in industry for six years. C-level executives tell me that they often encounter job candidates who are unable to articulate details connected to projects showing on their resume. If you list a skill or completed project on your resume, be sure that you can defend this information in an interview.

5. A Lack of Passion
Security and risk management are both hot and serious topics for employers. Employers tell me that they want to hire job candidates who show passion for their chosen profession. On top of education, technical skills, knowledge of regulations and business understanding, a sincere passion for your chosen profession of security is the intangible element that enables one candidate to edge out the next equally qualified candidate and capture the job.