## What the role is really about
A Head of Security sits between the engineering org and the executive narrative. You own a budget (usually £1-5M for mid-market, £5-20M for enterprise), a headcount plan, vendor commitments, audit posture, and a quarterly story you must tell to the audit committee or board.
The shift from Manager to Head of is bigger than the shift from IC to Manager: you move from running one team to designing an org that runs four. You hire and develop managers, not engineers. You spend more time on procurement, vendor escalations, and audit narratives than on technical design.
## What you're measured on
- **Audit + regulatory posture**: clean findings, regulator engagement, NIS2 / DORA / SEC readiness
- **Budget defensibility**: every line item ties to a measurable risk reduction
- **Org design**: span of control, manager bench strength, attrition < 12%
- **Board confidence**: the audit committee trusts your numbers and your judgement
- **Cross-functional**: SLAs with engineering, legal, finance, HR, comms
## The leadership readiness lens
For this rung we look at:
1. **Budget judgment** — defend a £3M ask, justify a £500k cut
2. **Board comms** — 5 slides to the audit committee, no jargon, clear ask
3. **Org design** — when do you split AppSec from SecOps; when do you hire a deputy
4. **Regulatory fluency** — NIS2, DORA, SEC cyber disclosure, UK Cyber Resilience Bill
5. **Risk appetite** — can you articulate the company's appetite in your CEO's words?
6. **Team building at scale** — hire + retain senior managers, build a promotion pipeline