Getty Images/iStockphoto
Negotiating a golden parachute clause in a CISO contract
If a CISO becomes the company scapegoat after a security incident, a strong golden parachute clause can mean the difference between a soft landing and a hard crash.
The sad truth is that the CISO sometimes becomes the scapegoat for any security-related event that adversely affects a company's image. And, while the security leader may indeed be at fault, many times, an incident happens despite the CISO having taken every appropriate action.
CISOs would be wise to understand this reality and prepare themselves accordingly. When push comes to shove, you'll likely get what is written in your contract and nothing more.
A golden parachute is a clause in an employment agreement that protects the employee in the event of termination. The best time for CISOs to set up golden parachute clauses is before being hired. This is when demand for prospective employees is highest and when employers are most willing to make concessions in their favor.
Ask
While top organizations with high-profile CISO roles are likely to present candidates with great contract conditions, do not assume similar benefits are unavailable in smaller companies and less prominent positions.
The most important thing to remember: You get what you negotiate. As Wayne Gretzky said, "You miss 100% of the shots you don't take." You are unlikely to get something if you don't ask for it, so ask. The worst someone can do is say no.
Plan ahead
As a prospective CISO, you can increase the likelihood of getting a good severance package if you plan ahead and negotiate strategically. Consider the following:
- what you need
- what you would like
- what the employer needs
Weighing these factors ahead of time enables you to prioritize your demands and gives you clarity on what items are essential and where you are willing to make concessions.
8 elements of a CISO golden parachute package
Thinking beyond just dollars and cents can help CISOs maximize the size and scope of their golden parachute packages. Money is easiest to quantify and calculate and tops most people's lists, for good reason. But other negotiable items may be equally valuable and, in some cases, easier for a company or manager to offer.
Consider all potential elements of a CISO severance package, including the following.
1. Severance pay
Companies typically have a standard policy for calculating severance pay, such as a week's salary per year employed. In that case, a CISO who has been at a company for 10 years could expect 10 weeks of severance pay, which, with a $104,000 salary, would be $20,000 severance. If that same person was able to negotiate for one month's salary per year employed, however, severance would jump to nearly $87,000.
I have seen executives get twice their annual salaries at severance, so don't be afraid to open negotiations high. And don't forget to add average annual bonus pay into severance calculations.
2. Vacation compensation
Vacation usually has a monetary value directly tied to salary. Some companies have a use-it-or-lose-it policy and do not offer compensation for unused vacation time, but it is certainly advisable to ask for it.
In the case of severance, a CISO should be legally entitled to unused vacation time for the year, one way or another. One option is to negotiate that the last day of employment is the day after any accumulated vacation is over.
3. Unemployment benefits
Depending on the nature of severance, a CISO may or may not be entitled to unemployment benefits. Security leaders who are fired for cause could be ineligible.
If an organization is using you as a scapegoat for something that is not your fault, however, you should be able to collect unemployment. If the company contests your unemployment claim, you might need to hire an employment lawyer. You are likely to win unless there is unassailable proof of your personal culpability in an issue related to your termination.
4. Health insurance benefits
It is standard for companies to offer health insurance coverage only to the end of the current employment month, with coverage occasionally extending to the following month. And, while the federal law known as the Consolidated Omnibus Budget Reconciliation Act, or COBRA, requires companies to offer former employees ongoing coverage for up to 18 months, they don't have to continue paying their premiums.
Companies usually show some flexibility in offering additional medical benefits, however. I have seen people secure as much as two years of fully paid insurance coverage in the event of termination. One option is to ask for a month of insurance coverage for every year employed, similar to many severance payment models. At costs of up to $2,000 a month or more, extended paid insurance coverage can represent an additional $20,000-per-year benefit.
5. Stock grants and options
Sometimes, companies offer stock grants and options at the beginning of employment contracts. Pay close attention to the terms and conditions of any such offering. Usually, stocks and options are vested over a period of anywhere from one to five years. Consider the following asks:
- First, ask for stock grants or options. Public companies usually offer options rather than grants. This is better for the employee from a tax perspective, since options are taxed as income on exercise, while stock grants are taxable at the grant value.
- After negotiating for stock, focus on reducing the vesting period as much as possible. Then, if a severance action happens, maximum vesting has already occurred.
- Finally, try to get a contractual clause that accelerates vesting to 100% in a termination event not of your choosing. In most companies, employees lose any unvested stock if they elect to leave early. If your company forces termination, however, you might be able to get accelerated vesting and walk away with as much as possible.
6. Training
Many organizations pay for employees to participate in third-party training programs. When negotiating a golden parachute package as an incoming CISO, ask if the company would cover training in the event of severance.
Typically, such training focuses on resume writing, interviewing and getting hired. In some cases, however, skills training may also be available. This can be especially valuable when markets for IT skills shift, as they often do. Yesterday's Unix guru has been replaced by today's AWS container creator. While security-specific skills are likely to always be in demand, new subject areas are constantly emerging, such as zero-trust architecture and quantum cryptography.
7. Job referral services
Many companies include job referral services in their severance agreements. Make sure to inquire about these and ask that they be a part of any contract, as they can be invaluable in navigating the next chapter of a CISO career.
8. Miscellaneous asks
Consider anything else related to a potential job that has value and could work to your benefit in the event of termination. For example, you might ask to retain any company-issued property -- such as a car, computer, phone, software or hardware -- for personal use. In most cases, such items would first need to be digitally wiped and sterilized. Still, having an old, familiar item could be better than having to buy a new one.
What if I already signed a contract?
All the negotiation advice mentioned above may be of little help for those already employed as CISOs. In this case, do not despair. With a little strategic planning, there is always hope for expanding and strengthening golden parachute benefits while on the job.
Closely review your current contract
In their excitement to start working, many CISOs sign employment agreements quickly, focusing largely on salaries and bonuses in making job decisions. Take the time now to revisit your existing contract and look for benefits to which you may not realize you're already entitled. It might also be worthwhile to have an employment attorney review your already-signed agreement and advise you of any benefits or pitfalls.
Sitting CISOs may also have opportunity to renegotiate their existing contracts. A good time to ask to make changes and request new benefits is during annual performance reviews.
Maximize existing benefits
Many working CISOs are likely to find their contracts do contain available benefits not previously on their radar, such as stock purchase programs, tuition reimbursement programs, upskilling and reskilling training opportunities, and 401(k) matching funds.
Most companies do match retirement contributions, which amounts to free money. As CEO of a company for over eight years, I was sad to see how many employees did not take full advantage of the 401(k) program. Learn what is available, and use it; the sooner you do, the more you gain. Knowing and maximizing available benefits could go a long way in increasing the size and scope of a golden parachute.
Finally, remember that good managers always do what they can to accommodate and retain talented people. So, again, do not be afraid to negotiate for a benefit that isn't yet available. Your parachute can only grow when you do.