I’m a security executive at a large technology company, and I’m currently in several CISO loops. Some of those seats are genuinely good jobs. At least two of them are traps that will end someone’s career in about eighteen months, and the companies running those searches would describe them, sincerely, as “a great opportunity for the right leader.”
The difference is not visible in the job description. It’s visible in the process, the role construction, the paperwork, and the way people talk. This guide is about reading those signals before you sign, because after you sign, every one of them becomes your problem.
What a scapegoat seat actually is
A scapegoat seat is a role constructed to absorb blame: accountability for breach outcomes without authority over budget, headcount, or the decisions that create the risk. You own the consequences of choices other people make. When the incident comes (and in these companies it comes), you are the named, titled, fireable answer to “who was responsible for security?”
Companies rarely build these seats out of malice. They build them out of pressure:
- Post-incident optics. Something happened, a customer or regulator asked hard questions, and hiring a CISO is the fastest visible response. The hire is the remediation, as far as leadership is concerned.
- Cyber insurance requirements. Renewal questionnaires increasingly ask whether the company has a named CISO. In searches I’ve seen, the timing of the req maps suspiciously well to the insurance renewal date. The underwriter wants a name in a box; nobody priced in what the name would need to succeed.
- Customer and auditor checkboxes. Enterprise deals stall on security questionnaires. “Do you have a CISO?” is question three. A title solves the questionnaire; it does not solve the security program.
And here is the uncomfortable part: these seats disproportionately catch first-time CISOs. If you’ve never held the title, you need it (the market rewards “was a CISO” heavily over “was almost a CISO”), and hiring committees know that. A seat no sitting CISO would touch gets filled by someone for whom the title is worth eating the risk. Sometimes that trade is rational. It should at least be made with open eyes, which is most of what my first-time CISO guide is about.
Red flags in the process
You start collecting signal before the first interview.
Nobody can say why the last CISO left. What it sounds like: “It just wasn’t the right fit,” delivered identically by three different interviewers, which means it was coached. The innocent explanation: a genuinely amicable departure with a standard non-disparagement clause. The test: ask “What will be different about this role compared to how it was scoped for my predecessor?” A healthy company answers specifically: reporting line changed, budget moved, the CTO who fought the program left. A vague answer means nothing changed, including the thing that ejected the last person. Related: if the role has had three owners in four years, the seat is the problem, not the people. Search firms know this: their fee agreements typically include a replacement guarantee if a placement fails inside a year, and a search that is quietly on its second free replacement is a known lemon inside the firm even while the partner sells it to you warmly.
You never meet the CEO. Innocent explanation: scheduling, and you’re early in the process. The test: ask directly, “Before an offer, I’d like thirty minutes with the CEO. Is that possible?” If a company won’t give its prospective top security executive half an hour of CEO time during courtship, extrapolate to how much you’ll get during a crisis. This one has no acceptable structural excuse at offer stage.
The loop is all technical interviews. Five rounds on cryptography and cloud architecture, zero on budget, board communication, or organizational conflict. Innocent explanation: an immature interview process, common at companies hiring their first CISO. The test: who is on the loop? If you’re only meeting engineers, the company thinks it’s hiring a senior engineer with a fancy title, and will treat you like one. Push to add the CFO or GC to the loop; a good company says yes without friction. I keep a list of what to probe in each of those conversations in the questions guide.
They can’t tell you who you’d report to “yet.” Innocent explanation: a genuine reorg in flight. The test: “What are the two options under consideration, and when is the decision?” A real answer names both options and a date. “We’ll figure it out once you’re here” means the org has already fought about it and you are the compromise nobody wanted to make.
The search has been open nine months or longer. The market has already priced this seat. Sitting CISOs looked at it and passed, in sequence, for a reason. Innocent explanation: a failed offer to one finalist plus a hiring freeze can legitimately eat two quarters. The test: ask the recruiter, not the company, “How many finalists has this search had?” Recruiters will usually tell you, because they’d rather lose one placement than a candidate relationship. Two or more declined offers is a pattern.
Back-channel it. The security leadership community is small and generous. A former holder of the seat will almost always take a call and tell you off the record what the interview loop never will. Not using this channel before signing is negotiating blind.
Red flags in how the role is built
Role construction is where scapegoat seats are actually manufactured. The interview loop can be charming; the org chart doesn’t lie.
Reporting three layers down. CISO under a VP of Infrastructure under the CIO. Innocent explanation: honestly, there isn’t a good one for a role carrying breach accountability. The test: “When I need to tell the board something the CIO disagrees with, what’s the mechanism?” If the answer is “you’d raise it with the CIO,” you have no independent escalation path, which is the defining feature of a scapegoat seat.
“CISO” title, no officer status. This distinction is invisible until it’s everything. Many D&O policies define “insured persons” as duly elected or appointed officers of the corporation. A “Chief Information Security Officer” who was never actually appointed as an officer under the bylaws may not be an insured person at all, carrying the exposure of the title with the protection of a manager. The test: ask the GC, in writing, “Will I be an appointed officer of the company, and am I an insured person under the current D&O policy?” A competent GC answers in one email. Evasion here is disqualifying, because regulators have shown they will pursue security executives personally over disclosure and incident-handling decisions.
Security budget owned by IT. What it sounds like: “You’ll partner closely with the CIO on investment priorities.” Translation: every headcount req and tool purchase is approved by the person whose decisions generate the risk you’ll be blamed for. The test: “Is there a security cost center that I own?” Yes or no. “We’ll work that out” is a no.
No board or audit committee access. Innocent explanation: at smaller companies, the CISO briefing the audit committee genuinely isn’t established practice yet. The test: “Would the audit committee chair support a standing security session, and can I ask them directly?” A confident company lets you have that conversation before you sign. A company hiding you from the board is planning to summarize you.
Headcount that is all “next year.” What it sounds like: “The plan is to double the team in the next budget cycle.” Innocent explanation: you’re being hired mid-cycle and the money genuinely arrives in January. The test: “Which of these commitments survives a 10% company-wide budget cut?” Watch the face. Then get the committed reqs (numbers and quarters) into the offer materials. Anything not written down is a hope, not a plan.
Compliance accountability without engineering authority. You own the audit outcome; engineering owns the roadmap; the two never meet. The test: “When a compliance deadline conflicts with a product deadline, who decides, and can you give me an example from the last year?” The example is the answer. If the story is “product shipped, the finding got a risk acceptance nobody remembers signing,” you’ve just heard your future.
Red flags in the offer paperwork
The paperwork stage is where companies reveal whether the courtship was real. Everything above can be talked around; documents cannot.
No D&O confirmation. You want written confirmation (from the GC, not the recruiter) that you’ll be an appointed officer and an insured person under the D&O policy, plus the policy’s coverage limits and whether it includes Side A coverage that protects individuals when the company can’t or won’t indemnify. Innocent explanation: the recruiter simply didn’t know to include it. The test is whether the GC engages when asked. Engagement clears it; “our policy covers all employees” without specifics does not, because that phrasing usually means nobody checked.
No indemnification agreement. Distinct from D&O: a personal contract in which the company commits to defend and indemnify you. Directors get these routinely; CISOs increasingly should. Innocent explanation: the company genuinely has never done one for a non-director and the GC needs a template. That’s a fixable gap. Refusal to discuss it is not.
No severance, or none for termination without cause. A CISO’s dismissal risk is structurally elevated: you can be fired for an incident you inherited, predicted, and documented. What it sounds like: “We don’t do severance agreements at this level.” The test: “The role carries dismissal risk tied to events outside my control; how do you propose we price that?” A serious company negotiates. Severance belongs in the offer letter or a standalone agreement, not in a handbook the company can revise. Twelve months for termination without cause is a common ask in negotiated CISO packages; the details sit in the compensation negotiation guide.
Comp below market for the risk profile. Here’s the inversion to watch for: a post-incident, under-resourced, high-scrutiny seat should price above market, the way distressed-company CFO roles do. When a company offers a discount on a high-risk seat, it is telling you how it values the function, and betting that a title-hungry candidate won’t notice the risk premium is missing.
Resistance to putting the plan of record in writing. Everything promised verbally (budget, headcount, reporting line, board cadence) goes into a side letter or the offer itself. What it sounds like: “We don’t want to over-formalize; there’s a lot of trust here.” Trust is precisely what written commitments create. The offer-evaluation checklist in the templates pack walks through every document to request and what each should say; the point of the checklist is that you evaluate paper, not vibes.
Red flags in the conversation
Some tells are pure language.
“We just need to get compliant.” The ceiling of the company’s ambition, stated out loud. Innocent explanation: a concrete compliance deadline is genuinely the near-term forcing function, and the speaker is being practical. The test: “And after the audit passes, what does year two look like?” If there’s a real answer, fine. If the room goes quiet, the role expires the day the certificate arrives.
“We need someone to own security,” said with relief. Listen to the tone. Relief means the executive team is planning to hand you a problem and stop thinking about it. The test: “What will you still own after I start?” The right answer names things: the CEO owns risk appetite, the CTO owns secure-by-default engineering. “That’s why we’re hiring you!” delivered cheerfully is the sound of accountability leaving every other office in the building and arriving in yours.
Hostility to the severance discussion. Not reluctance, hostility. “Why are you planning to fail?” is a real sentence candidates hear. A company that treats downside protection as disloyalty is a company that intends to use the downside.
“Security hasn’t been a priority, but now it is,” with no number attached. From a CEO, this sentence is either the best or worst thing you can hear, and the difference is whether a budget figure follows it. The test is one question: “What’s the security budget for next year?” A CEO who has genuinely made security a priority knows the number, or at least the range, because prioritization at that level is resource allocation. “We’ll invest appropriately” means the priority is rhetorical. Whatever number you do get becomes the baseline for your 90-day plan, so this question earns its awkwardness twice.
Fixable gap or structural trap
An honest counterweight: every company has some of these flags. I have never seen a clean loop. If your bar is zero flags, you will never take a CISO job, and you’ll pass on some genuinely great ones.
The distinction that matters is response to the flag, not the flag itself.
- No indemnification agreement, but the GC says “we haven’t done one before. Send me a form you’ve seen and I’ll turn it around”: fixable gap. The gap was ignorance, and it closed when touched.
- No indemnification agreement, and the GC goes quiet, or the recruiter comes back with “they don’t want to set a precedent”: structural trap. The gap was a decision.
Run every flag through that filter. Budget owned by IT, but the CFO agrees to carve out a security cost center effective at close: fixable. Reporting line “to be determined,” but the CEO commits in writing to a direct line for year one: fixable. The same items met with deflection, delay, or annoyance: structural. Companies fix what they consider broken. What they defend, they built on purpose.
A rough threshold from loops I’m in right now: one or two flags that move when pushed is a normal company. Three or more that don’t move is a constructed seat, and the construction will outlast your tenure.
Walking away well
Declining a bad seat is a skill, and doing it badly costs more than the seat was worth.
First, decline to the search firm before the company, and give the recruiter the real reason in structural terms: “I couldn’t get comfortable with the officer status and indemnification questions, and the budget authority wasn’t there.” Never make it personal to the executives you met. Recruiters remember candidates who articulate crisp, professional reasons: it makes their next pitch to you easier and it gives them ammunition to fix the mandate.
Second, understand the recruiter’s incentives. A placement that blows up in a year triggers that replacement guarantee and costs the firm money and reputation with the client. A candidate who spots a doomed placement before it happens has just done the firm a favor, even if it stings that week. In practice, declining a bad seat for well-argued structural reasons raises your stock with search firms. You become the candidate they call for the good mandates, precisely because you demonstrated judgment on a bad one. The candidates who take anything get offered anything.
Third, leave the door open with the company. “The timing and structure weren’t right, but I’d be glad to revisit if the role evolves” costs nothing and occasionally pays out: some companies do fix the seat after the second or third decline, and the candidate who explained why they passed is the first call when it’s fixed.
Walking away from a title you want is genuinely hard, especially the first time the title is on the table. But the market does not remember the offers you declined. It remembers, vividly and searchably, the breach that happened on your watch in a seat that was built for exactly that purpose. Before you’re anywhere near an offer, the broader CISO interview guide covers how to run the whole loop so that most of these questions get answered long before paperwork, which is where they’re cheapest to ask.