Career path

VP of Security vs CISO: Titles, Scope, and Which to Take

How security-executive titles actually differ (officer status, board exposure, recruiter filters) and which title to take at your next jump.

Updated July 6, 2026 · 10 min read · Free, no paywall

If you are a Director or Head of Security staring at two offers (one with the CISO title, one without), you are probably overweighting the title and underweighting everything attached to it. I sit on the other side of this trade: I am a security executive at a large technology company, and in my own loops I interview candidates every quarter who took the wrong title for the right money, or the right title in the wrong construction. This guide is what I would tell any of them over coffee.

Titles are built by companies, not earned by you

Here is the uncomfortable part first. Security titles are not a standardized ladder that you climb. They are artifacts of decisions each company makes for its own reasons: org politics (the CIO refuses to have a peer-level CISO), officer-liability strategy (legal wants exactly one fewer named officer), customer optics (enterprise buyers ask “do you have a CISO?” on questionnaires, so one gets minted overnight), or founder ego (nobody gets a C-title until the founder does… something).

The consequence: the same job carries different labels at different companies, and different jobs carry the same label. I have interviewed “VPs of Security” who ran two-hundred-person orgs with direct audit-committee access, and “CISOs” who had four reports, no budget authority, and a dotted line into a Director of IT. If you evaluate the label, you will get fooled in both directions.

So the operating rule for this entire guide is: evaluate scope, not title. Scope means reporting line, budget ownership, headcount, board exposure, officer status, and whether you are in the room when the annual plan gets built. The title is the wrapping paper.

The taxonomy, honestly

With that caveat, the labels do cluster into recognizable patterns. Here is the ladder as it actually shows up in the market:

TitleTypical scopeReports toOfficer role?Board exposureCommon at
Director of SecurityOne or more security functions; execution-focusedVP Eng, CIO, or CISONoRare; maybe a slide in someone else’s deckMid-size and up; sub-function at large cos
Head of SecurityWhole security program, small teamCTO or VP EngNoOccasional, informalStartups, Series A–C
VP of SecurityWhole program, meaningful org and budgetCTO, CIO, sometimes CEOUsually notRegular presenter, often quarterlyGrowth-stage through public
CISOWhole information-security programCIO, CTO, CEO, GC, CFO (varies wildly)Sometimes, by deliberate choiceExpected; often audit committeeLate-stage private and public
CSOCyber plus physical, executive protection, sometimes fraud/investigationsCEO, COO, or GCMore often yesRegularLarge enterprises, regulated industries

A few of the labels deserve their own paragraph, because they behave differently:

Deputy CISO. A real role at large companies, and increasingly a deliberately constructed one: big security orgs create it partly for succession planning and partly so the CISO has a designated incident commander who can sign things while the CISO is testifying, traveling, or recusing. It is the single best-kept on-ramp to a first CISO seat, and I cover why below.

BISO. Business Information Security Officer: a divisional security leader embedded in a business unit, most common in banks and large financial institutions. It is a legitimate senior job with genuine P&L proximity, but understand what it is: influence without an org. You typically own risk decisions for a business line while the central CISO owns the tooling and the people. Great training for stakeholder management; weak training for running a large organization, which is what CISO searches actually screen for.

Field CISO. A vendor-side title. It is a pre-sales, evangelism, and customer-advisory role, not an operational one, and every recruiter and hiring committee knows this. It can be a wonderful job (high pay, high visibility, no pager), but it does not accrue toward an operational CISO seat, and if you hold it for more than a couple of years, searches will start reading you as a sales asset rather than an operator.

The officer question: why some companies won’t give you the C

This is the section generic articles get exactly backwards. They assume CISO is the prize and VP is the consolation. In reality, plenty of companies deliberately give their top security leader a VP title and withhold the CISO title, and the reason is legal, not political.

Making someone a named corporate officer changes things: it can trigger disclosure obligations, it affects who is presumed to speak for the company in regulatory filings and to regulators, it can put the person within reach of officer-level liability theories, and it increases what the company pays for directors-and-officers insurance. After the SEC’s cyber disclosure rules and the first cases where regulators pursued a security executive personally over statements the company made about its security posture, general counsels started running this calculation explicitly. Some concluded: give the security leader full authority, a seat at the executive table, and a VP title, while keeping the officer designation off them.

Which produced a shift I now see in candidates: sophisticated ones sometimes prefer VP-with-authority over CISO-without-protection. A CISO title at a company that will not make you an officer, will not name you on the D&O policy, and will not indemnify you contractually is the worst of both worlds: you carry the public accountability of the title with none of the legal apparatus that is supposed to accompany it.

So in diligence, ask four questions, in this order: Is this an officer role? Am I a named insured or otherwise covered under the D&O policy? Is there a separate indemnification agreement, not just the boilerplate in the handbook? Who, exactly, reviews and signs the cyber-related disclosure language? If the answers are no, no, no, and “you do,” you have found the construction I describe at length in the guide on CISO offer red flags: a scapegoat seat with a nice nameplate.

Which to take, by situation

VP of Security at a growth company vs CISO at a smaller company. Take the VP job more often than your ego wants to. A VP of Security at a well-known growth company with 40 reports, real budget, and quarterly board exposure will out-position you in three years against a CISO title at a 200-person company where “the program” is you and two engineers. The counterintuitive part: the VP job usually pays more too, so you are not even buying the smaller CISO title at a discount. You are paying a premium for it.

When the CISO title is worth a comp discount. Sometimes it genuinely is. Title compounds: every future search will index on it, every future comp negotiation anchors on your current level, and the “sitting CISO” filter (next section) opens doors that “VP” only mostly opens. If the smaller-company CISO seat comes with real scope (you report to the CEO or CFO, you present to the board, you own the budget), taking a modest one-time comp haircut to convert your trajectory can be rational. I walk through how to price that trade in the compensation negotiation guide. What is never rational is taking the discount for a hollow title: comp discount plus scapegoat construction is paying to assume someone else’s liability.

The title upgrade at signing. Here is the negotiation detail that surprises people: companies grant title changes far more easily than money. A title costs the company nothing this quarter: no budget line, no comp-band exception, no CFO signature. If you are being offered “VP of Security” at a company where the role clearly is the CISO role (you would own the program, present to the board, sign the customer-facing security narrative), ask for the CISO title at signing, or a written commitment to it at a defined milestone (“upon the next board cycle” or “at 12 months, subject to standard review”). In my experience the ask succeeds much more often than an equivalent-value comp ask, because the only people who have to approve it are the hiring executive and sometimes the GC. The one legitimate refusal is the officer-liability rationale above, and if they cite it, that is actually a good sign, because it means they have thought about the legal construction of the role, and you should pivot to negotiating the protections instead of the letters.

What recruiters actually do with your title

Executive search firms run on databases, and databases run on strings. When a company commissions a CISO search, the spec very often says “sitting CISO or proven equivalent,” and the first pass is mechanical: the associate pulls everyone whose current title matches. This is where “first-time CISO” filtering happens in practice: not as a considered judgment about your readiness, but as a query that either returns your name or does not.

Three things follow from this. First, a VP-of-Security title at a company people have heard of clears the filter almost as well as the CISO title itself. Search partners know the taxonomy in this guide better than anyone; “VP of Security at [recognizable company]” reads as “sitting CISO with a legal-department haircut,” and they will present you. Second, Director-level titles mostly do not clear it, regardless of actual scope, which is the strongest practical argument for getting to VP or Head-of before you start aiming at CISO searches. Third, if you are a Director trying to jump straight to a CISO seat, your realistic path runs through companies too small to retain a search firm, or through the deputy route below. The first-time CISO guide covers how to run that jump; the interview guide covers what the loop looks like once you are in it.

One more insider note: when search firms present a slate, they annotate candidates as “sitting,” “step-up,” or “stretch.” You want to know which bucket you are in, and you can simply ask the partner. A “step-up” candidate on a strong slate gets real consideration; a “stretch” candidate is usually there to make the slate look thorough.

CISO vs CSO, and where they are converging

Classically: the CISO owns information and cyber security; the CSO owns physical security, executive protection, workplace violence, and often fraud and corporate investigations. At companies that have both, the CSO frequently outranks the CISO or sits beside them under the GC or COO.

The convergence trend is real but lumpy. Technology companies increasingly hand the whole portfolio (cyber plus physical plus insider risk) to one executive and call them CSO, on the theory that badge systems, cameras, and insider threat are all just data problems now. Regulated and industrial companies converge more slowly, because their physical security functions are older, unionized, or tied to safety regimes that cyber leaders have no background in.

For your decision: a CSO title that includes cyber is a scope expansion and generally a career upgrade over CISO: you become harder to replace and eligible for a wider set of future seats. A CSO title that means only physical security is a different profession. Read the job description, not the acronym; a meaningful minority of companies use CSO to mean precisely what everyone else means by CISO, usually because the CISO acronym collides with an existing Chief Strategy or Chief Sales Officer.

Deputy CISO: the deliberate stepping stone

If you are a Director or senior leader at a large company and your goal is a CISO seat in two to four years, the Deputy CISO role at a bigger or better-known company is arguably a stronger move than a small-company CISO title. Here is why. You inherit the CISO’s exposure at scale (board prep, regulator interaction, incident command, disclosure review) with a safety net under you. Search firms treat “Deputy CISO at [major company]” as a step-up candidate, not a stretch. And critically, you learn the parts of the job that sink first-time CISOs: the political economy of budget season, and what a board actually wants in eight minutes.

Take the role only if the CISO is a sponsor rather than a bottleneck. Ask directly in the interview what the last deputy went on to do. And negotiate for the visible reps: you want to present at least one board or audit-committee session per year under your own name, because that becomes the story you tell in every future loop. When you do land the top seat, your first quarter is where the title either consolidates or unravels; the 90-day plan exists for exactly that window.

How to decide

Strip the label off both offers and score what is left: reporting line, budget authority, headcount, officer status and indemnification, board cadence, and whether the security narrative the company tells customers and regulators is one you would sign. Use a structured scorecard rather than vibes. There is an offer-evaluation worksheet in the templates library built for this comparison.

Then, and only then, put the titles back on and apply the tiebreakers: the CISO title compounds and is worth a modest premium when the scope is real; the VP title is the better trade when it comes with authority the C-title lacks or protection the C-title strips; and no title is worth taking when the construction makes you the named owner of outcomes you lack the power to change. The people interviewing you for your next seat will decode all of this instantly. Make sure you decoded it first.

Frequently asked

Is VP of Security higher than CISO?

Neither title is inherently higher; it depends entirely on the company. At many growth-stage companies the VP of Security is the top security executive with more scope than a CISO at a smaller firm. Compare reporting line, budget, and board exposure rather than the label.

Is CISO an officer role?

Sometimes, and this is decided deliberately by legal counsel, not by HR. Some companies designate the CISO a corporate officer with associated liability and disclosure obligations; others intentionally keep the security leader at VP level to avoid that designation. Ask directly whether the role is an officer position and whether you are covered under the D&O policy.

What is the difference between CISO and CSO?

A CISO typically owns information and cyber security, while a CSO usually owns physical security, executive protection, and sometimes fraud and investigations in addition to cyber. The titles are converging as more companies fold physical security under the cyber leader. Read the job description, because plenty of companies use CSO to mean exactly what others call CISO.

Should I take a VP title instead of the CISO title?

Take VP if it comes with real authority, executive committee access, and legal protection you would not get as a titled CISO. Take the CISO title if the scope is genuine, because the title compounds into every future search. Never take a CISO title that comes with accountability but no reporting line, budget, or indemnification.

Free template

Steal the 90-Day CISO Plan

The exact 90-day plan structure hiring panels expect: the single asset every CISO candidate gets asked for. Free, editable, yours in one click.

Instant access, no confirmation hoops. Occasional emails on landing the seat; unsubscribe anytime.