• Accidental CISO

Promotions. The reward for good work is more work.

Sit down and make yourself comfortable. I want to tell you the story of how I negotiated a promotion that I was offered. This is an important topic that a lot of people, including myself, struggle with. Negotiating your employment agreement can be a nerve-wracking experience because there is a lot on the line. As you can imagine, there is a lot to unpack here, and as usual, I will be as transparent as possible.


And so, it starts

It is often said that the reward for good work is more work. I can confirm this is true. Since finding myself unexpectedly thrust into this CISO role, I have done everything I can to make the best of the situation. Make no mistake, the role has come with its fair share of frustration, but I have learned a great deal along the way. I would not trade the experience for anything.


Amid the annual strategy and budget planning sessions at the end of the year, my CFO pulled me aside for a one-on-one conversation. He told me how happy he and the CEO have been with my performance, and how impressed he was with the IT strategy that I had advocated for in support of my information security program. Not only had I articulated a clear plan that aligned with our business goals, I had helped them understand why it was the right strategy for the company.


“Where is he going with this?” I wondered to myself, as he spoke.


Then he hit me with the question. “Would you be interested in running IT?” I’m sure he could tell by the expression on my face that I was surprised. He went on to add, “You clearly know what we need to do, and I think you are the right person to run the department as we scale the company.”


Well, here we go again! My willingness to provide help outside of my role had landed me in another unexpected situation. Maybe I should just start expecting these kinds of things? The alternative, I suppose, is to stop being so helpful. At this point, I know myself well enough to recognize that probably is not going to happen.


Shall we dance?

My mind raced. I was not sure if he really understood the gravity of what he had just proposed. Thankfully, I had been reading a book on negotiating called Never Split the Difference, by Chris Voss. At that moment, I recalled three things that Voss had written about negotiations. First, is that any time someone makes a request of another, they are entering into a negotiation. Second, information is currency in a negotiation. The more you understand about the other person’s position, the stronger your position can become. Lastly, time is critical. Use time to your advantage in a negotiation.


Recognizing that we had just begun a negotiation, I opted ask questions instead of offering up my own immediate thoughts. I asked about the CFO’s vision for the expanded role, and how it would fit into the organization. I asked for clarification around the full scope of responsibilities in the new role. Finally, I asked how he thought we could ensure that my new responsibilities would not interfere with my existing responsibilities.


I learned a bit about why he felt the need to formalize the IT department now, at this stage of the company’s growth. He revealed his desire to eliminate waste resulting from the lack IT governance, and a strong desire to formalize vendor management and procurement processes. He indicated that he recognized the need to resource my department appropriately, and I was further encouraged by the larger scale re-organization that he described.


I smiled, nodded, and said, “This sounds very interesting. As you know, it is a big opportunity, and I want to take a little time to reflect on it. I’ll set up some time for us to continue this discussion and start ironing out the details.”


I had done it! I had managed to stay calm and gather information about the CFO’s motivations and strategy, without revealing any of my own thoughts. More importantly, I had bought myself time to step back, reflect on the situation, and plan my strategy.


Planning my strategy

In the time before our next meeting, I knew that I needed to collect my thoughts and plan my strategy. Here is what I came up with:


Be willing to walk away

Everyone will tell you that you can’t negotiate effectively if you aren’t willing to walk away. It is true, but it isn’t always easy. When you are buying a car, or negotiating for a new job, knowing your current job is safe, walking away presents a relatively low risk. When you are negotiating with your current employer, walking away may mean giving up your employment. I discussed this at length with my wife and determined that I was willing to walk away if trust was violated or I determined that I was being set up for failure.


Negotiate with honesty, integrity, and in good faith

I am an honest person. I do not like being lied to, and I do not lie to others. I committed myself to staying positive. Everything about this negotiation would have to be without reproach from my side. If it became clear that my employer was being dishonest in any way, trust would be broken, and I would walk away.


Listen, a lot

Listening is a key part of negotiating. In his book, Chris Voss repeatedly highlights how important listening is. Listening builds trust, as the other party feels they are being heard and taken seriously. It allows you to mirror them, label, and use calibrated questions (how, what, why) to draw them towards your position and encourage them to solve your problems for you.


Get them to anchor first

In this negotiation, I was not going to be the first to put my stake in the ground when it came to salary. If they asked, I planned to respond that I would consider a fair market offer consistent with full scope of the new combined role.


Negotiate for what is important

Compensation is only one piece of the puzzle. I set high standards for myself, and my primary concern was whether or not I was being set up for failure. I would set minimum criteria by which I could accept and walk away if we could not come to an agreement that I felt was my best interest.


What is it that I want?

There were five things that I decided would play into whether I accepted the promotion or not. Two of those five things were about me, but the other three were about the company and the environment in which I would be working. Those three were the most important, as they were the things that I felt would define success or failure.


Career alignment and progression

The first step would be to spend more time defining the role with my leadership. My job was big enough already, and here they were, offering to expand it. Exciting as that was, I needed to make sure that the role was aligned with my own career goals and strengths. If the role was not a good fit for me, I would have to be honest about that and shape the role as part of the negotiation, or decline.


Compensation

Compensation packages are interesting. It is easy to focus on base salary, but there are other forms of compensation that also have value to varying degrees. These included bonus structure, vacation time, remote work options, equity, company paid perks, and so on. I intended to look at the package as a whole and accept if it reflected a fair market rate.


Budget

As is typical with most CISOs, my budget has been a source of concern for me. I spent a lot of time and energy educating and managing up to secure what little budget I had. There were several important items that had been recently struck from my budget for the year and I wanted to see those items restored. Without them, I had some critical holes in my roadmap, and I was left wondering if my security program could ever really mature beyond checkbox compliance.


Staffing

Up to this point as CISO, I had been subjected to a hiring freeze that has left me critically understaffed. Lifting the hiring freeze and agreeing on a staffing plan would be a hard requirement for acceptance. There was no way that I could take on the full scope of the new role without a team. I was confident that I needed to hire three people this year, and another two next year.


Reporting structure

In the past few years, I have learned how critically important reporting structure is, especially as I have moved up into senior leadership roles with a great deal of responsibility. I knew that If I was going to be successful owning both the Information Security program and the IT department, I needed to make sure that the reporting structure allowed me sufficient visibility into the business as a whole, including access to senior executives and inclusion in senior leadership discussions. Reporting to the board is not an option here, so, that means reporting directly to the CFO or CEO. Either would be acceptable.


Continuing the discussion

The next week, I sat down with my CFO to continue the discussion. My goals for this meeting were two-fold. First, was to make sure that both of us fully understood gravity of the role that he was offering me. I needed to make sure that he was not underestimating the scope, and that I was not overestimating it. Before we could move on, we had to be on the same page. Second, I needed to gauge his willingness to discuss budget and staffing plans.


I took careful notes as he talked through the role in detail. It was clear that he had put some thought into it, but I could tell that he had only a high-level understanding of the role entailed. I spent most of the next hour at the whiteboard clarifying details, explaining IT and security, and answering his questions about the role.


The CFO sat back in his chair and smiled. “Thank you,” he said. “Now, I’m even more convinced that you need to take this on for me. Is it still something that you are interested in discussing?”


I paused for a moment, looked at the whiteboard, and said, “yes, I think it is well aligned with my experience, strengths, and career goals. That isn’t to say that I don’t have any concerns, but I’m sure we can work those out.”


“What sort of concerns?” he asked.


“Given the full scope of responsibility that we’ve discussed, I’d like to revisit the IT and security budgets to make sure that my department is funded and staffed for success.”


“I have another meeting that I need to go to, but we can sit down and look over the budget in about an hour if you’re available. Anything else?”


The company has a history of promoting people internally without offering any bump in compensation, and I had to let him know that I expected a raise with this promotion. I had been thinking about how I would phrase this for a few days. I took a slow deep breath and said, “We are talking about a significant increase in my responsibilities and the impact that I will have on the overall success of the company. I’m sure you understand that I can’t consider accepting this role without an increase in compensation.”


He nodded and asked, “What do you feel is reasonable for the role?”


“I’m not sure yet,” I said. “Now that we have defined the role, we can research fair market compensation. I’ll write up a job description that reflects everything we have discussed today and send it over to you by the end of the day tomorrow”


“Thank you, that will be very helpful. I’ll work with HR to put an offer together by the end of the week. I’ll see you in an hour to review the budgets.”


As agreed, we sat down to review the budget and staffing plans. I had done my homework ahead of time and found some alternative options that allowed me to reduce costs and combine items. He agreed to add some of them into the budget. Although they were second choice solutions, I would still be able to keep my road map mostly intact. Furthermore, after our earlier discussion, he recognized my need to hire two to three people by the end of the year, though he did not commit to it.


Overall, I considered the day to be a success. I was comfortable with the role and the reporting structure, and my budget was looking better. Now we needed to come to an agreement regarding compensation and staffing.


An offer arrives

My phone rang, and I could feel my heart rate quicken. I was both looking forward to this call and dreading it at the same time. I wasn’t overly optimistic that we could reach an agreement.


The CFO outlined the offer. It amounted to roughly 5% increase in base compensation. In addition, it included some funds to cover the books for my coursework. The numbers were disappointing, but at least we had a starting point. I wanted time to think about a counteroffer, and I needed to know where we stood on staffing and budget.


“Thanks for putting this together for me,” I said. “I need a little time to think through the numbers.” Redirecting the conversation, I asked, “Where did you land on the headcount item?”


“You can open one role on your team immediately,” he replied. “In the second half of the year, you can hire one or two more people, provided that business performance remains strong.”


Steering the conversation again, I asked “How about the last budget item that we discussed?”

“I wasn’t able to work it into this year’s budget, but I put the full amount you requested into the budget for next year,” he said.


I was pleasantly surprised, but I decided to push for more. From my earlier conversations with him, I knew that he was looking to reduce waste. I saw this as an opportunity to appeal to one of his needs and stress my desire to be a good steward of company resources.


I took a shot. “If I can save enough money by eliminating waste in existing spend, can I reinvest those funds within my budget to cover this initiative?”


“Yes, see what you can do,” he replied. “If you can free up money in your budget, we can certainly revisit this initiative mid-year.”


Before we ended the call, I asked one last question that would help me to evaluate the non-compensation portion of the offer. I wanted to know how my success in the role would be measured. The CFO walked me through his list. It was clear that he had put some prior thought into it. I was encouraged by that.


Evaluating the offer

When I hung up the phone, I opened Microsoft Excel and built a spreadsheet help me evaluate the offer. I created columns of cells side by side to calculate and compare my compensation package. I also included yes/no fields to capture my non-compensation requirements.

  • Base salary

  • Base increase

  • Calculated increase %

  • 401k match

  • Health and other insurance benefits

  • Tuition reimbursement

  • Vacation time

  • Bonus plan

  • Total compensation

  • Career alignment

  • Reporting structure

  • Budget

  • Staffing

I sat back and began to think through each of the requirements. It was clear that the new position was well aligned to my strengths and my career goals. Reporting directly to the CFO would give me the visibility with and access to other senior leaders that I needed to play a larger role in the business. I felt that it set me up well for success in that regard.


My staffing plan was contingent on business performance, which was understandable. Everything in business is contingent on business performance. Through some prior conversations with the CEO and the VP of sales, I had enough insight into the sales pipeline to be comfortable with the arrangement.


The budget plan was also acceptable to me. The CFO had added my alternative options into the budget. He had also agreed to allow me the flexibility to reinvest any savings that I could realize. I was already formulating a plan to optimize our current spend.


To my amazement, everything was acceptable to me, except for the compensation. I wrote a quick email to the CFO to signal that I wanted to negotiate. In it, I thanked him for putting together the offer, expressed my enthusiasm for the new role, and said that I would like to further discuss my compensation for the new role.


Preparing for the next meeting

Before the next meeting, I researched salary ranges for similar roles. I googled for salary calculators and found many. I used several different sources to find the information for both national and local averages. I also reached out to my personal network. I spoke about the negotiation and my findings with a few trusted friends in the industry. Those conversations served as a good sanity check.


I found that a 15-20% raise would put me in the middle of the range when looking at national averages, excluding outliers like the San Francisco Bay area or New York City. Adjusting for local pay scales, I estimated that an increase of 10% would place me in the middle of the band. There was a wide variation in the local pay range. Experience, industry, and company size influenced pay greatly.


Although the 5% number was disappointing, there are a few things that I needed to take into consideration. First, I was already relatively well paid for the region. Second, the startup that I work for is small and we are not profitable yet. Third, I am still early on in my journey as a senior leader, and they are paying me to learn as I make the transition from technical leadership to business leadership All things considered, I decided that at 10% raise was at the low end of what I considered to be fair based on my market rate research.

Further Negotiation

The CFO and I met in person the next week to resume our conversation.


“I’m feeling very good about the new position,” I said as we sat down at the conference table. “It is pretty clear that the company needs me in this role, and I’m looking forward to the opportunity have an even greater impact. I think we just need to recalibrate on where this role sits in the market.”


I had chosen the word “recalibrate” very carefully. It indicated that we were not on the same page. More than that, it did not suggest which of our positions were out of line and implied that there was some sort of scientific or external truth that determined what was fair, rather than our own individual opinions.


The CFO looked a little uncomfortable, which surprised me. “I’ve already offered as much as I could. What do you have in mind?” he asked.


Having committed the numbers to memory, I stood up, stepped over to the whiteboard, and drew a simple number line. I marked my current compensation as well as the regional and national averages that my research had uncovered and then explained where I had found the information and how I had validated it with other industry professionals.


I took a deep breath and then I started my push. “I want the team to be successful as much as you do. We both know that I am the right person for this role. I have the experience and drive that the company needs.”


The CFO nodded his head but didn’t say anything.


I continued, “I will ramp up in this new role faster than anyone else because I already know the company from the inside. We aren’t far off from a fair market rate. I recognize that we aren’t profitable yet, but there is a huge benefit to not having to hire someone from the outside to run IT.”


“My hands are tied. I’m going to have to speak with the CEO,” the CFO said, looking a little disheartened.


“I fully understand,” I said. “Just so you know, I will look at the package as a whole. If base salary is a sticking point with the CEO, we could explore things like additional PTO, equity, greater tuition reimbursement, or an improved bonus structure.”


He smiled and said, “I’ll see what I can do.”


Overall, I felt that the conversation had gone well. It had remained positive, comfortable, and polite. I had stood firm, saying “no” without saying “no”, as Chris Voss discusses in his book. I framed my request for a better compensation package in terms of organizational success and defined multiple levers that he could pull to adjust the package to make it more attractive to me. Lastly, I had held back two levers in the case the next offer was still unacceptable. Both would cost the company nothing but be valuable to me. The first was a formal VP level title, that would look great on my resume. The second was a flexible work arrangement that officially included working from home a few days each week.


An updated offer arrives

It took over a week for the CFO to present me with an updated offer.


“Check your inbox, I just sent you an email with the updated offer,” he said as soon as we were on the phone. “I’m sorry it took me so long to get this back to you.”


I opened the email and he stepped through the offer that was on my screen. He had increased the rase from 5% to 10%, which just met the minimum threshold that I had set. In addition to the bump in base salary, he went on to tell me about my new bonus structure with a 10% bonus target. That might not sound like much, but in our unprofitable startup, bonuses have not been a thing.


“I couldn’t get HR to budge on PTO. They insisted that we stay consistent with the policy that is based on tenure,” the CFO said. “However, as you can see, I had them add a flexible work arrangement to the offer so that you can work from home at least one day a week.”


I was a little disappointed that they had only come up another 5% in my base salary, but I was happy to have a formalized bonus structure. I was also excited for the flexibility to work from home on a regular basis. Before I accepted the offer, I confirmed with him that the staffing plan and budget flexibility that we had previously discussed were still in effect. He acknowledged that they were and suggested that I begin drafting a job description for my first hire immediately.


“Let’s do this!” I said. “I’m really looking forward to how this new role will allow me to have a much larger impact here. I’ll sign this and get it back to you shortly.”


What will I be watching for?

Overall, I am happy with how the negotiation went. Now that I have accepted the role, I will be watching closely to make sure that my leadership keeps up their end of the bargain. My success will be contingent upon several important things.

  • Latitude to do my job

  • Hiring plans proceed as agreed

  • Budget commitments are upheld

  • Leadership provides adequate support

  • Open and transparent communication regarding the business

In the time that has elapsed while writing this article, I have been satisfied with what I have seen. I was able to quickly hire the first member of my team and begin executing on my IT and Information Security roadmap for the year. My leadership has handled the COVID19 crisis remarkably well, and while it has changed many of our plans, I have had a voice in those changes and played a key role in ensuring the company’s continued success under extraordinary circumstances.


Click the "follow" button at the top right corner of the page to follow me on twitter and start a conversation. I would love to hear what you think. If this post has been helpful to you, please share it!

0 views

© 2020 by Accidental CISO