Career roadmap

CISO

How to become a CISO (Chief Information Security Officer) — the executive cyber role responsible for organisation-wide security strategy. UK comp: £150k–£400k+.

Year-by-year milestones

  1. Years 0–8Practitioner foundation£50k–£120k

    Build T-shaped depth: one deep specialism (architecture, GRC, IR, appsec) plus broad exposure.

  2. Years 8–12Head of Security / Deputy CISO£120k–£180k

    Own the security function under a CISO; manage 5–25 staff; lead board updates.

  3. Years 12+CISO (SMB to mid-market)£150k–£250k

    End-to-end ownership; report to CEO or CTO; manage budget £1–10M.

  4. Years 15+Group CISO (large enterprise / FTSE 100 / bulge-bracket)£250k–£500k+

    Board accountable; multi-region team; £20M+ budget; regulator-facing for FCA/PRA/ICO/NCSC.

The CISO owns information security strategy, reports to CEO / Board / Audit Committee, and is accountable for the security posture, incident outcomes, regulatory compliance, and security culture of the organisation. The role splits between Security-Programme CISO (in-house) and vCISO / Fractional CISO (consulting). ## Career milestones ### Years 0–8 — Practitioner foundation _Salary: £50k–£120k_ Build T-shaped depth: one deep specialism (architecture, GRC, IR, appsec) plus broad exposure. ### Years 8–12 — Head of Security / Deputy CISO _Salary: £120k–£180k_ Own the security function under a CISO; manage 5–25 staff; lead board updates. ### Years 12+ — CISO (SMB to mid-market) _Salary: £150k–£250k_ End-to-end ownership; report to CEO or CTO; manage budget £1–10M. ### Years 15+ — Group CISO (large enterprise / FTSE 100 / bulge-bracket) _Salary: £250k–£500k+_ Board accountable; multi-region team; £20M+ budget; regulator-facing for FCA/PRA/ICO/NCSC. ## Core skills - Board-level communication and risk narrative - Security strategy and 3-year roadmap design - Budget management and ROI articulation - Incident response leadership and crisis comms - Regulatory fluency (UK GDPR, NIS2, DORA, FCA SYSC, PRA SS1/21) - Vendor and contract negotiation - Talent strategy and team building - M&A security diligence ## Recommended certifications - `cissp` - `cism` - `iso-27001` - `crisc` ## First 90 days in the role Listen tour: every department head, audit committee chair, CFO, CTO, top 5 customers, top 5 suppliers, NCSC liaison if applicable. Inherit the risk register; reframe it in business language. Publish a 100-day roadmap in week 12. ## Common pitfalls Leading with technology. New CISOs who open with 'we need to replace the SIEM' lose the room. Lead with business risk, regulatory exposure, and customer trust — then earn the right to talk technology.

Frequently asked questions

Engineering route vs GRC route to CISO?

Both work. Engineering-route CISOs lean technical and are common in tech/fintech. GRC-route CISOs lean operational and dominate banking/insurance/healthcare. Best CISOs deliberately rotate through both before the seat.

Is a vCISO / fractional CISO a real career?

Yes — booming market. Typical engagements are 1–3 days/week per client across 3–5 clients; £150k–£300k portfolios.

Do CISOs need an MBA?

Optional. Helps for FTSE-100 / bulge-bracket seats; unnecessary at SMB/mid-market. CISSP + CISM + a clean board-comms track record outweighs the MBA in most CISO searches.

How long is the average CISO tenure?

26 months globally; 30–36 months in the UK. Burnout, post-breach exits, and competing offers all drive churn.

Map your own roadmap

Get a personal gap report, AI Career Twin and practice keyed to your target band.

Start free
// related