Career roadmap

Head of Security

You own the security org across SecOps, AppSec, GRC and IAM — typically reporting into the CIO or CTO. The job is org design, budget defensibility, board narrative, and hiring + retaining senior managers.

Year-by-year milestones

  1. Own a board / audit committee narrative
  2. Defend a budget cycle end-to-end
  3. Restructure the org once
  4. Run one regulator engagement
  5. Promote two managers
## What the role is really about A Head of Security sits between the engineering org and the executive narrative. You own a budget (usually £1-5M for mid-market, £5-20M for enterprise), a headcount plan, vendor commitments, audit posture, and a quarterly story you must tell to the audit committee or board. The shift from Manager to Head of is bigger than the shift from IC to Manager: you move from running one team to designing an org that runs four. You hire and develop managers, not engineers. You spend more time on procurement, vendor escalations, and audit narratives than on technical design. ## What you're measured on - **Audit + regulatory posture**: clean findings, regulator engagement, NIS2 / DORA / SEC readiness - **Budget defensibility**: every line item ties to a measurable risk reduction - **Org design**: span of control, manager bench strength, attrition < 12% - **Board confidence**: the audit committee trusts your numbers and your judgement - **Cross-functional**: SLAs with engineering, legal, finance, HR, comms ## The leadership readiness lens For this rung we look at: 1. **Budget judgment** — defend a £3M ask, justify a £500k cut 2. **Board comms** — 5 slides to the audit committee, no jargon, clear ask 3. **Org design** — when do you split AppSec from SecOps; when do you hire a deputy 4. **Regulatory fluency** — NIS2, DORA, SEC cyber disclosure, UK Cyber Resilience Bill 5. **Risk appetite** — can you articulate the company's appetite in your CEO's words? 6. **Team building at scale** — hire + retain senior managers, build a promotion pipeline

Frequently asked questions

Head of Security vs Deputy CISO — are they the same?

Often interchangeable in the UK. Deputy CISO usually implies a clearer CISO succession path; Head of Security implies a peer to other Heads (Eng, IT, Data).

Do I need to have been an IC in every function I now manage?

No, but you need credibility in at least two. Most strong Heads come from SecOps + GRC, or AppSec + Architecture. Pure GRC backgrounds struggle without technical credibility.

How long before CISO?

Typical UK path is 3-5 years as Head of. The unlock is usually a regulated industry (finance, healthcare, CNI) or a public listing that forces a CISO title.

Map your own roadmap

Get a personal gap report, AI Career Twin and practice keyed to your target band.

Start free
// related