CISO Recruitment


Adrian Lawrence — Founder, Exec Capital

Technology and digital leadership specialist | ICAEW Fellow | CISO and information security executive appointments since 2018

CISO recruitment has changed structurally in the past three years. The role that was once primarily a technical function — threat detection, incident response, security architecture — has become a board-level governance appointment driven by DORA, NIS2, the FCA’s operational resilience requirements, and the personal accountability that regulatory frameworks now attach to information security leadership. The candidate who was the right CISO in 2020 is often not the right CISO in 2026. The market is looking for individuals who combine genuine technical depth with board-level communication capability and direct experience of regulatory scrutiny — a combination that the candidate pool produces in smaller numbers than the current demand requires. To discuss your requirement, call 020 3834 9616.

Exec Capital recruits Chief Information Security Officers for regulated financial services firms, technology businesses, critical infrastructure operators, and organisations whose regulatory obligations or board risk appetite require a senior, accountable CISO. We recruit across permanent, interim, and fractional CISO mandates, with every search led personally by Adrian Lawrence FCA on a retained basis.

“We were FCA-regulated and our operational resilience requirements meant we needed a CISO who understood both the technical landscape and the regulatory framework — someone who could present to the board on information security risk in a way that generated genuine governance rather than box-ticking. Every CISO we had seen through standard recruitment channels was either too technical for the board communication requirement or too senior-generalist to command technical credibility. Exec Capital found us someone who had done exactly this role at a comparable regulated firm. The quality of our security governance changed immediately.”

CRO, FCA-Regulated Asset Manager — London

The regulatory drivers reshaping CISO demand

Three regulatory developments have structurally increased both the seniority and the urgency of CISO appointments across UK and European business since 2023.

DORA (Digital Operational Resilience Act) applies to UK firms with EU operations and to EU-regulated entities from January 2025. DORA creates specific ICT risk management requirements — including ICT risk frameworks, incident reporting, operational resilience testing, and third-party ICT provider management — that fall within the CISO’s remit and that the FCA has indicated it will expect UK-regulated firms with EU operations to address. The CISO at an affected firm is now a regulatory compliance figure as much as a technical one, and their ability to manage FCA and EU regulatory relationships directly is a qualification criterion alongside their technical expertise. See the DORA regulatory framework for the full scope.

NIS2 (Network and Information Systems Directive 2) extends cybersecurity obligations across essential and important entities in EU member states from October 2024, with UK equivalents under the Network and Information Systems Regulations 2018 being updated to reflect comparable obligations. Organisations within scope face mandatory incident reporting, supply chain security requirements, and board-level accountability for cybersecurity governance that places the CISO at the centre of regulatory compliance in a way that has no precedent in the pre-NIS2 environment.

FCA Operational Resilience (PS21/3) requires UK-regulated firms to identify their important business services, set impact tolerances, and demonstrate that they can remain within those tolerances during severe but plausible disruption scenarios. The March 2025 compliance deadline has passed, but the ongoing testing and Board reporting requirements make the CISO a permanent Board-reporting executive rather than an occasional presence at the governance level.

What the modern CISO appointment involves

The CISO mandate in 2026 combines four areas that most CISOs of five years ago would not have recognised as central to their role. Technical security leadership — threat intelligence, security architecture, incident response, vulnerability management — remains the foundation and non-negotiable. Regulatory compliance management — owning the firm’s response to DORA, NIS2, FCA PS21/3, and the broader data protection framework — has become equally important and requires different skills. Board and executive communication — translating technical risk into language that Board members and NEDs can act on, and managing the governance obligations that regulatory frameworks attach to information security at board level — is the dimension that most limits the CISO candidate pool. And third-party and supply chain risk management — assessing, monitoring, and governing the security posture of the organisation’s critical technology suppliers — has become a specific regulatory obligation under DORA and NIS2 that the CISO must own with demonstrable rigour.

For the FCA’s published operational resilience guidance, see PS21/3. For the broader NCSC cybersecurity framework, see the NCSC Cyber Assessment Framework.

How Exec Capital approaches CISO mandates

CISO searches require a precise understanding of the regulatory environment the firm operates in, the maturity of the existing security function, and the specific gap the CISO is being appointed to close. The brief for a CISO at a DORA-impacted financial institution is fundamentally different from the brief for a CISO at a scale-up technology business concerned primarily with customer data protection and product security. We establish this precisely before candidate identification begins.

We access the CISO candidate pool through direct outreach. The senior CISOs with direct regulatory experience in the relevant sector are not browsing job boards. Many are actively placed in demanding roles and moveable only through a credible and specific approach. We run CISO searches through the technology and security leadership network alongside the regulated financial services and critical infrastructure communities — combining both pools for mandates where the regulatory and technical requirements are both present.

The candidate pool

Experienced CISOs from regulated financial services are the primary pool for FCA-regulated firm mandates. Their combination of technical security depth, regulatory awareness, and board-level communication experience directly addresses all four dimensions of the modern CISO mandate. The pool of senior CISOs from comparable regulated environments who are actively moveable is constrained — DORA and NIS2 have increased demand for this profile faster than supply has grown.

Senior information security professionals below CISO level — Heads of Information Security, Security Architects, and Deputy CISOs from larger regulated organisations — represent the step-up pool for organisations that are appointing a CISO for the first time or that are scaling the function from a technical to a governance-level mandate. The assessment of their readiness for the board communication and regulatory relationship management dimensions is the primary qualification challenge.

CISOs from technology and critical infrastructure sectors are relevant for non-financial services mandates, particularly where the technical complexity of the security environment is the primary qualification criterion and the regulatory dimension is secondary. Their technical depth frequently exceeds that of financial services CISOs; the adjustment required is to the governance and board communication dimensions of the role.

Permanent, interim, and fractional CISO appointments

Permanent CISO appointments are the standard for organisations with mature security functions and ongoing regulatory obligations. Interim CISO arrangements bridge the gap between a departing CISO and the permanent appointment, or provide specialist regulatory crisis management capability when a serious incident or regulatory intervention requires immediate leadership. Fractional CISO arrangements are viable for smaller regulated organisations that require CISO-level governance and board reporting without the cost of a permanent senior appointment — the fractional CISO attends the Board or Risk Committee as a defined engagement, owns the regulatory compliance framework, and provides the accountability the regulatory environment requires within a cost structure the organisation can sustain.

Working with Exec Capital on a CISO mandate

Every CISO mandate is led personally by Adrian Lawrence FCA. For the broader technology and digital leadership cluster, see our Technology and Digital Leadership Recruitment hub. For the AI and data leadership appointments that increasingly intersect with the CISO mandate, see our AI Executive Recruitment page. For the CRO appointment that partners the CISO at board level in regulated firms, see our CRO Recruitment page.

Recruit a CISO with Exec Capital

Exec Capital recruits Chief Information Security Officers for regulated firms, technology businesses, and critical infrastructure operators. DORA, NIS2, and FCA PS21/3 compliance capability built into every mandate. Permanent, interim, and fractional. Led personally by Adrian Lawrence FCA.

Regulatory-ready

DORA, NIS2, and FCA PS21/3 experience built into candidate specification

All structures

Permanent, interim, and fractional CISO appointments across all sectors

Retained search

Led personally by Adrian Lawrence — not contingency recruitment
