Before Your Next Move
You're not on a job board. You're not actively looking. But you're thinking about it. This is what we'd tell you over a coffee: what to look for, what to avoid, and how to evaluate your next opportunity.
We Work for the Company. But We Respect the Candidate.
Let's be upfront: we work for the company, not for you. Our client is the founder or the board who engaged us to find their next security leader. That's who pays us.
But we've been in this community for over a decade. We've reviewed thousands of resumes at Career Villages, mentored security professionals through career transitions, and spoken at the same conferences you attend. We know that the best placements happen when both sides are informed, and when the candidate is making a decision based on reality, not a recruiter's pitch.
This guide is what we'd tell you over a coffee if you asked us: "I'm thinking about my next move. What should I be looking for?"
Signals It's Time to Move
Not every itch means you should jump. But if several of these resonate, it's worth having the conversation.
You've stopped learning
The problems you're solving this quarter are the same ones you solved last year. Your growth curve has flattened and you're maintaining, not building. That's not a bad thing, but it means the role has outgrown you, or you've outgrown the role.
The company's risk appetite has changed
The startup that hired you to build fast and break things is now talking about compliance frameworks and audit readiness. If that shift excites you, great. If it doesn't, that's a signal. Not every security leader wants to become a governance person.
Your leadership isn't listening
You've flagged the same risks three quarters in a row and nothing has changed. The board nods, the CEO agrees, and the budget doesn't move. At some point, the question isn't whether you're communicating well enough. It's whether this company takes security seriously.
You want to build again
You built a program from zero and it's running well. Now you're in maintenance mode. Some people love that. If you're the kind of person who gets energy from the blank canvas, from the chaos of day one, there are companies that need exactly that.
The comp conversation has stalled
You've been told the budget isn't there, or that security leadership comp is 'benchmarked internally.' If you're being paid below market and the company won't close the gap, that's not a negotiation problem. That's a values problem.
You're being recruited constantly
If your inbox is full of recruiter messages, that's the market telling you something. Not every opportunity is worth exploring, but if you're not even curious, ask yourself why. And if you are curious but haven't acted, ask yourself what's holding you back.
Evaluating Your Next Role
The interview process goes both ways. Here's what to look for and what should give you pause.
Reporting Structure
Who does the security leader report to?
Green Flags
- Direct report to CEO or CTO with board access
- Dotted line to the board's risk or audit committee
- Clear escalation path that bypasses engineering leadership when needed
Red Flags
- Leadership has no interest in evolving the reporting line as the company grows
- Security is permanently buried under IT with no plan to give it its own seat at the table
- No defined reporting line; they'll 'figure it out' after you start
Questions That Tell You Everything
These are the questions we'd ask if we were sitting in your chair. The answers reveal more about the company than any job description.
"What was the last security decision that went to the board?"
Tells you whether security is actually a board-level conversation or just a slide in the quarterly update.
"When was the last time a release was delayed for a security issue?"
If the answer is 'never,' either they have perfect security (unlikely) or security doesn't have the authority to stop a ship.
"What happened after your last penetration test?"
The findings don't matter. What matters is whether anyone acted on them, and how quickly.
"Who will I be working with most closely in my first 90 days?"
If the answer is only 'the engineering team,' the role might be more technical than strategic. If it's 'the board and the legal team,' it might be more governance than building.
"What does success look like at 6 months?"
If they can't articulate this, they haven't thought about what they actually need. That's not necessarily a dealbreaker, but it means you'll be defining the role yourself.
"Why did the last person in this role leave?"
The answer tells you more about the company than the candidate. Listen for patterns: burnout, lack of authority, misaligned expectations.
Thinking About a Move?
We don't do mass outreach. If we reach out to you, it's because we think there's a genuine fit. And if you reach out to us, we'll give you an honest read on the market, your positioning, and what's out there. No strings.
