We recently reviewed 343 job specifications, after deduplication, for cybersecurity leadership roles. They were all advertised in the UK, but some carried Europe-wide or global remits. Before we get to the findings, a methodological caveat: while all of these were cybersecurity leadership roles that mentioned the phrase "Chief Information Security Officer", only about 6% of them explicitly carried the title "Chief Information Security Officer." The majority were adjacent roles: Head of Cyber Security, Director of Information Security and similar, roles that sit in the same talent pool and demand overlapping capabilities. We have treated them as a single market because that is how hiring managers think about them.
The data was collected from publicly advertised UK roles across multiple sectors and seniority levels. It is not a perfect sample, but it is large enough to separate signal from noise. Here is what the market is actually asking for.
AI Is Now a Leadership Requirement
Roughly three in ten security leadership roles now reference AI in some form. That is a rapid shift for a capability that barely appeared in job specs two years ago.
| Metric | % |
|---|---|
| Any AI / ML / LLM mention | 29% |
| AI Governance / AI Risk | 4% |
| AI Security / LLM Security | 4% |
| Agentic AI | 2% |
| Generative AI | 1% |
| AI Strategy / Roadmap | 1% |
The headline figure is striking, but the more interesting number is the subset. Only around 4% explicitly ask for AI governance or AI security expertise. That is where the premium sits. Most hiring managers are still figuring out what they need; the ones who know are willing to pay for it.
If you are positioning yourself for a security leadership role, having a coherent narrative about AI risk - not just awareness, but governance frameworks, model evaluation, and supply chain implications - puts you in a small, growing and valuable cohort.
The Hierarchies within Certifications, Frameworks, Standards and Regulations
Employers still use certifications as a filter. The distribution is revealing: a small number of credentials dominate, and everything else is niche.
| Rank | Credential | % |
|---|---|---|
| 1 | ISO 27001 | 43% |
| 2 | CISSP | 39% |
| 3 | NIST | 36% |
| 4 | CISM | 33% |
| 5 | GDPR | 22% |
| 6 | Cyber Essentials | 12% |
| 7 | CISA | 11% |
| 8 | CRISC | 11% |
| 9 | SOC 2 | 10% |
| 10 | ITIL | 7% |
| 11 | CCSP | 6% |
| 12 | PCI DSS | 6% |
| 13 | COBIT | 4% |
| 14 | TOGAF | 3% |
| 15 | CEH / CIISEC | 2% |
| 16 | IEC 62443 | 2% |
| 17 | CISMP | 2% |
| 18 | SABSA / GICSP | 2% |
| 19 | SOC 1 / ISO 42001 | 1% |
| 20 | ISO 27005 / CSSLP / ISO 9001 | 1% |
The pattern is clear. ISO 27001, CISSP, NIST, and CISM form what one might call the Big Four. Together they cover roughly 80% of credential requirements. If a candidate holds certification in, or relevant experience with, two of these, they are competitive for the vast majority of roles. Everything beyond the top five is either sector-specific (Cyber Essentials for UK public sector, PCI DSS for payments) or a differentiator rather than a hard requirement.
One observation: NIST and ISO 27001 appear in over a third of specs despite being a framework and a standard respectively, rather than personal certifications. This suggests hiring managers value fluency in risk management methodology over certificate collection. Knowing how to apply NIST CSF or NIST SP 800-53 matters more than having passed a multiple-choice exam.
Cloud Platform Expectations Are Moderate but Specific
| Platform | % |
|---|---|
| AWS | 19% |
| Azure | 18% |
| GCP | 8% |
| Any major cloud (AWS/Azure/GCP) | 24% |
| Cloud-native | 5% |
| Multi-cloud | 2% |
Around one in four roles name a specific hyperscaler. AWS holds a narrow lead, but Azure is nearly at parity - a reflection of UK public-sector and enterprise incumbency. GCP is relevant but niche, concentrated in fintech and AI-heavy firms.
Perhaps the more interesting finding is what is missing. Despite the industry noise about multi-cloud and cloud-native architecture, explicit demands for these capabilities are rare. Hiring managers appear to assume that a competent security leader can adapt their cloud knowledge across platforms. They care more about whether you can secure a cloud environment than which badge you hold, as you would hope.
Hybrid Is the Default Operating Model
Hybrid work is the baseline expectation for security leadership. Pure remote roles clearly exist, but they are relatively few at around 14%, and even those usually come with strings attached: occasional travel to headquarters, board meetings, or on-site incident response.
For candidates, this means pitching yourself as remote-only is a hard sell unless you bring genuinely rare specialisation. Operational technology security, critical national infrastructure expertise, or deep government clearance may justify remote arrangements. For most security leadership roles the employer expects presence; sometimes it is precisely because the application of such specialist expertise is considered so sensitive that employers require the work to be carried out on site.
The Modern CISO Is Strategic, Board-Facing, and Resilience-Owning
This is where the data gets interesting. We extracted thematic keywords from the leadership and strategic requirements sections of each spec.
| Theme | % |
|---|---|
| Strategic / Strategy | 82% |
| Compliance | 69% |
| Governance | 63% |
| Risk Management | 48% |
| C-suite / Executive | 41% |
| Stakeholder | 41% |
| Resilience | 40% |
| Incident Response | 34% |
| Transformation | 32% |
| Board | 28% |
| Hands-on | 23% |
| GRC | 16% |
| Supply Chain | 10% |
| Third-party Risk | 10% |
| Secure by Design | 9% |
| Crisis Management | 6% |
| M&A | 6% |
| DevSecOps | 5% |
| Zero Trust | 3% |
| SOX | 3% |
| Tabletop exercises | 2% |
| IPO | 2% |
Over 80% of roles describe the position as strategic. Roughly seven in ten require compliance expertise. Governance, risk management, C-suite engagement, and resilience all appear in 40% or more of specs.
The tension is explicit. Around one in four roles still demand "hands-on" capability alongside the strategic mandate. This is the classic CISO paradox: boards want a leader who can articulate cyber risk in business terms, but many organisations are not large enough to separate strategy from execution. The Head of Cyber Security at a mid-market firm is expected to write policy in the morning and investigate an alert in the afternoon. This breadth of skill sets, and the difficulty of balancing them, goes some way towards explaining why CISO roles can be hugely interesting and well-paid yet also suffer high burnout rates.
Board exposure appears in 28% of specs explicitly, and C-suite engagement in 41%. These numbers understate the reality. Most hiring managers assume that a security leader at this level will interact with the board; often it only gets a mention when they have had a bad experience with a predecessor who fell short.
Security Operations and Technology Capabilities
| Capability | % |
|---|---|
| SOC | 24% |
| Vulnerability Management | 20% |
| Data Protection | 18% |
| Privacy | 17% |
| IAM / Identity & Access | 12% |
| SIEM | 11% |
| Penetration Testing | 11% |
| Threat Intelligence | 10% |
| Encryption / Cryptography | 6% |
| SOAR | 6% |
| EDR | 6% |
| Digital Forensics | 4% |
| Quantum / Post-Quantum | 3% |
| XDR | 3% |
| DLP | 2% |
| Red Team | 1% |
| PAM | 1% |
| Purple Team | 1% |
SOC and vulnerability management lead the operational requirements, which is unsurprising. These are the capabilities that hiring managers can see and measure. They sit outside the CISO's own day-to-day work but well within their scope of responsibility.
The more revealing entries are at the bottom of the table. Quantum and post-quantum cryptography appear in 3% of specs. That is small in absolute terms, but significant given how niche the topic is. Organisations in finance, government, and long-lifecycle infrastructure are already asking about cryptographic agility. In three to five years, this could be a standard interview topic.
Sector Distribution and Security Clearance
Sector identification was approximate, based on keyword matching rather than employer classification. The results are inflated by generic terms but still directional.
| Rank | Sector | % |
|---|---|---|
| 1 | Government / Public Sector | 67% |
| 2 | Critical Infrastructure / Energy | 64% |
| 3 | Financial Services | 60% |
| 4 | Manufacturing / Engineering | 38% |
| 5 | Healthcare / Pharma | 28% |
| 6 | Consulting / Professional Services | 24% |
| 7 | SaaS / Cloud Product | 18% |
| 8 | Retail / E-commerce / FMCG | 16% |
| 9 | Tech / Software (specific company references) | 8% |
| 10 | Crypto / Web3 | 3% |
| 11 | Telecom / Satellite | 2% |
| 12 | Startup / Scale-up | 4% |
| 13 | Gaming / iGaming / Betting | 1% |
Government, public sector, and critical infrastructure are the most heavily represented sectors; these are the sectors where security leadership is non-negotiable rather than optional. SaaS and cloud product companies appear in 18% of specs, and specific tech or software firms in 8%.
Security clearance remains a hard gate for UK public-sector pipelines.
| Clearance | % |
|---|---|
| SC Clearance | 6% |
| DV Clearance | 3% |
| BPSS | 2% |
These figures are concentrated in government, defence, and critical national infrastructure roles. If you do not hold SC clearance and you are targeting UK public-sector CISO positions, you are competing for a minority of the available roles.
Most Roles Are Not Titled CISO
This is the most important finding for anyone navigating the security leadership job market. True CISO titles are rare. Most organisations hire a Head of Information Security or a Director of Cyber Security and only elevate the role to CISO at scale, in regulated industries, or in publicly listed companies.
This has practical implications. If you are a Head of Cyber Security at a 500-person firm, you may already be doing CISO-level work without the title. The gap between "Head of" and "CISO" is often organisational maturity rather than capability. When you interview for CISO roles, you will be competing against candidates with the same responsibilities but a different job title.
What This Means for Candidates
If you are positioning yourself for a security leadership role, the data suggests three priorities.
First, stack the Big Four. ISO 27001, CISSP, NIST fluency, and CISM cover 80% of credential requirements. You do not need all four, but you need at least two, and you need to be able to talk about how you have applied them rather than just that you hold them.
Second, develop an AI narrative. Roughly one in three specs mentions AI. Only a small fraction ask for deep expertise, but the ability to discuss AI governance, model risk, and supply chain implications separates you from candidates who treat it as a buzzword.
Third, demonstrate board readiness. Nearly half of roles mention C-suite engagement. If you have presented to a board, write about it. If you have not, find opportunities - advisory roles, non-executive positions, or internal steering committees - that give you exposure to senior leadership conversations.
What This Means for Hiring Managers
If you are writing a job specification, the data also contains warnings.
The most common mistake is asking for a strategic leader and a hands-on technician in the same role. Around 23% of specs explicitly demand both. That is not inherently wrong, but it is unrealistic at the salary bands where most of these roles sit. If you genuinely need both, either split the role or pay at the top of the market.
The second mistake is over-specifying cloud platforms. Around one in four roles name a specific hyperscaler, but security leadership is about architecture, governance, and risk management rather than console proficiency. A CISO who understands cloud security fundamentals can adapt across AWS, Azure, and GCP. A CISO who only knows AWS as a product set will struggle in a multi-cloud environment.
The third mistake is treating certifications as a proxy for capability. CISSP appears in 39% of specs, but it is a breadth exam that does not test deep expertise or practical judgement. Use certifications as an indicator of baseline knowledge, not as a guarantee of performance.
The Bottom Line
The CISO job market is larger than the CISO title suggests. Most security leadership roles sit adjacent to the CISO position - Head of, Director, Lead - and demand the same strategic, board-facing, resilience-owning capabilities.
The employers who know what they want are asking for a specific stack: ISO 27001 and CISSP, NIST as methodology, cloud security as operational competence, and AI literacy as a given, with AI governance as an emerging differentiator. Hybrid work is the baseline. Board exposure is expected. Hands-on capability is still demanded more often than it should be.
For candidates who meet the baseline, the opportunity is in the gaps. AI governance expertise, quantum-readiness, and the ability to translate technical risk into business language are all scarce relative to demand. For hiring managers, the challenge is writing specs that reflect reality rather than aspiration.