How to become a CISO in 2022?
The chief information security officer’s role is growing in profile and importance. Explore six actionable tips for aspiring CISOs as they work toward cybersecurity’s top job.
Cybersecurity issues continue to pervade all areas of business, which means having a great security organization — and a capable CISO to lead it — is essential for almost every company. But it takes a certain kind of person, with a special set of capabilities, to thrive in the demanding, tense environments in which CISOs often find themselves.
Must-have CISO traits
A CISO, or Chief Information Security Officer, is primarily responsible for an organization’s cyber security initiatives. CISOs are technologists, who can participate in high-level initiatives as business strategists. CISO’s ensure that IT systems comply with security and regulatory requirements. In summary a C(I)SO is the top Cyber executive of an organization. The Role CISO requires a combination of technical and soft skills, such as business acumen, leadership, communications and relationship building.
Consider the following qualities that make a great chief information security officer (CISO).
Clear thinking under pressure
The single most important attribute in security’s top role is the ability to think clearly under pressure. Unlike most professionals, the CISO must be prepared to handle significant business issues at the drop of a hat, in any area of the enterprise.
For this reason, the CISO, above all, cannot be a person who panics. In a security incident, this is the one person who must always be present, understand the dynamics of the situation and act calmly in the face of incomplete information — even under pressure from executive management to offer immediate answers where they may not exist. Calmness in the face of catastrophe establishes a mood in which everyone can perform better under pressure.
Ability to prioritize
CISOs need to be able to strategically prioritize among myriad necessary actions during a crisis. Competing priorities in a security event might include isolating the system, segregating the network and informing diverse stakeholders — from management and employees to clients and law enforcement. A security leader must be able to set priorities that most effectively and efficiently minimize the risk to the business in any given situation.
Love of learning and new challenges
The cybersecurity environment will continue to evolve much faster than institutions can develop security policies or vendors can develop mitigating technologies. New threats emerge almost daily, and staff must constantly adapt to this changing environment. A good CISO anticipates these shifts. A great CISO looks forward to and embraces the opportunity to increase the company’s security effectiveness in the face of these never-ending challenges.
Great communication skills
A CISO must be an exceptional communicator. Security touches every cross-section of an enterprise, from application development and testing to operations and customer service. The CISO must therefore be able to reach managers across all areas of the business and discuss security issues in language they understand.
CISO education backgrounds
The typical CISO career journey starts with an undergraduate education, and many security leaders also have master’s degrees. Historically, CISOs don’t necessarily have educational backgrounds in computer science or information technology, although that has proven controversial.
Some institutions today have cybersecurity programs, but a background in engineering or science fundamentals will arguably better serve an aspiring CISO.
The problem with getting an undergrad degree in cybersecurity is that much of the technology under discussion in class may no longer be relevant 10 years after graduation. A broad understanding of engineering principles and the scientific method, on the other hand, will position one to keep learning, questioning and problem-solving as technology evolves.
For graduate studies, a cybersecurity degree may be useful. But one could get just as much, if not more, value from an MBA, which can offer a better education in the business effects of technical decisions.
Remember, for a CISO, broadly understanding many technical domains and how they tie into business needs is more valuable than detailed expertise in configuring firewalls and setting up multifactor authentication. Ideally, those technical experts work for security leaders.
Certifications have their place in cybersecurity career development, but they are not a fundamental requirement for being a CISO. Cybersecurity certifications are most useful for establishing one’s professional credibility and getting a foot in the door at a new company.
The certification that seems to enjoy the widest recognition today is the CISSP, which has optional concentrations in architecture, engineering and management. This (ISC)2 certification has broad applicability in the development of security policies and procedures.
Other reputable certifications include the EC-Council’s Certified Ethical Hacker or CCISO designation and ISACA’s Certified Information Security Manager. While these and other security designations are helpful to build professional credibility, certifications alone are not sufficient to guarantee a CISO position.
1. Cybersecurity Leadership Demystified
A comprehensive guide to becoming a world-class modern cybersecurity leader and global CISO
- Discover tips and expert advice from the leading CISO and author of many cybersecurity books
- Become well-versed with a CISO’s day-to-day responsibilities and learn how to perform them with ease
- Understand real-world challenges faced by a CISO and find out the best way to solve them
The chief information security officer (CISO) is responsible for an organization’s information and data security. The CISO’s role is challenging as it demands a solid technical foundation as well as effective communication skills. This book is for busy cybersecurity leaders and executives looking to gain deep insights into the domains important for becoming a competent cybersecurity leader.
The book begins by introducing you to the CISO’s role, where you’ll learn key definitions, explore the responsibilities involved, and understand how you can become an efficient CISO. You’ll then be taken through end-to-end security operations and compliance standards to help you get to grips with the security landscape.
In order to be a good leader, you’ll need a good team. This book guides you in building your dream team by familiarizing you with HR management, documentation, and stakeholder onboarding. Despite taking all that care, you might still fall prey to cyber-attacks; this book will show you how to quickly respond to an incident to help your organization minimize losses, decrease vulnerabilities, and rebuild services and processes. Finally, you’ll explore other key CISO skills that’ll help you communicate at both senior and operational levels.
By the end of this book, you’ll have gained a complete understanding of the CISO’s role and be ready to advance your career.
2. Modern Management and Leadership
In one modest-sized volume, this book offers three valuable sets of knowledge. First, it provides best practice guidance on virtually every large-scale task a modern manager may be involved in—from recruiting and hiring to onboarding and leading teams, and from employee engagement and retention to performance management and working with difficult employees.
Second, it explains the essential concepts and practice of a range of effective leadership styles—including (but not limited to) servant leadership, crisis leadership, change agent leadership, and diversity and inclusion leadership. Third, it offers brief case studies from select CISOs and CSOs on how these management and leadership principles and practices play out in real-life workplace situations.
The best practice essentials provided throughout this volume will empower aspiring leaders and also enable experienced managers to take their leadership to the next level. Many if not most CISOs and other leaders have had very little, if any, formal training in management and leadership. The select few that have such training usually obtain it through academic courses that take a theoretical, broad brush approach. In contrast, this book provides much actionable guidance in the nitty-gritty tasks that managers must do every day.
Lack of management practical knowledge puts CISOs and CSOs at a disadvantage vis-a-vis other executives in the C-suite. They risk being pigeonholed as “security cops” rather than respected business leaders. Many articles on these subjects published in the press are too incomplete and filled with bad information. And combing through the few high-quality sources that are out there, such as Harvard Business Publishing, can take hundreds of dollars in magazine subscription and book purchase fees and weeks or months of reading time. This book puts all the essential information into your hands through a series of concise chapters authored by an award-winning writer.
3. Certified Chief Information Security Officer All-in-One Exam Guide
Take the challenging CCISO exam with confidence using the comprehensive information contained in this effective study guide.
CCISO Certified Chief Information Security Officer All-in-One Exam Guide provides 100% coverage of all five CCISO domains. For each domain, the information presented includes clear explanations, examples, background information, and technical information explaining the core concepts. The book also contains stories, advice, and experiences from CISOs that help describe the challenges of the CISO in the real world. Written by information security engineers with over 50 years of combined experience helping organizations manage their risk by protecting their assets from cyber threats.
How to become a CISO?
Consider the following six tips for becoming a CISO:
1. Develop hard skills
While the CISO is the ultimate cybersecurity generalist, a security professional is unlikely to be a serious contender for the position if they don’t bring technical expertise to the table. Anyone aspiring to the CISO role should therefore build mastery in a specific domain, demonstrating their professional aptitude and readiness for more responsibility.
It’s less important which subdomain of security one specializes in — management of firewalls, the design and operation of SIEM systems, etc. What matters is the ability to position oneself as a credible expert in the subsystem or systems where one has invested considerable time and energy.
2. Develop soft skills
As security leaders progress in their careers, soft skills become increasingly important. These include the ability to be a team player, understand the big picture and accept responsibility when something goes wrong. A great CISO also cultivates a culture of transparency and openness, readily sharing information with executive leadership, peers and junior managers.
CISOs must also understand how cybersecurity fits into risk management and be able to make strategic decisions accordingly.
3. Anticipate future security requirements
Cybersecurity, like technology, is constantly changing. A CISO must be able to credibly run a security organization today, while also anticipating how it will need to evolve tomorrow.
As an aspiring CISO, learn to identify, understand and embrace future challenges — and demonstrate that forward-thinking mindset to management. The top security job will often go to the person with one eye on the horizon.
4. Work to improve areas of weakness
It is naturally tempting to play to one’s strengths and avoid using underdeveloped skills. But while CISOs don’t need to be experts in all things, they should be well-rounded. Everyone has shortcomings, and up-and-coming security leaders should acknowledge theirs and work to overcome them.
5. Keep learning
The best CISOs have a passion for learning and view continuing education as an integral part of their ongoing professional development. This includes attending security conferences, where participants can learn about emerging technologies and connect with their peers.
6. Prepare to be expendable
Some people achieve job security by obscurity. Their thinking is, “If I’m the only person who understands this hardware, software, system, procedure, etc., then I’m too important to replace.” But, on the other side of the coin, that person’s indispensableness could also keep them from getting promoted.
Be expendable. Train subordinates how to do your job, so you can get promoted out of it — while also helping others get promotions and winning their loyalty.
The CISO is a big job, full of risks. It is also an exciting job, and more necessary now than ever. While CISOs can seem superhuman, they are human beings who got to where they are with dedication, training, planning and passion.
What is a chief information security officer? WHAT EXACTLY IS A CISO?
Before we dive deep into the nuances of cyber chiefs’ career paths, it’s important to understand the nature of the role. So here are the 6 Facts you need to know about CISO role:
- Trusted “security” advisor – As a CISO you need to translate technical matters into the language of the business – helping non technological executives and boards understand the technical matters and help them make risk-informed decisions confidently
- Strategist – As a CISO, you need to get involved setting goals, determining actions to achieve the goals, and mobilizing resources to execute the “prioritized” actions which needs to be tightly linked to businesses strategy.
- Leader – As a CISO you need to have leadership skills not just to build an inspired and bonded diverse team but also set an example as a role model to create culture of constant learning, innovation, and active collaboration.
- Modern Marketer –Modern marketing is the ability to harness the full capabilities of the business to provide the best experience for the customer and thereby drive growth. As a CISO you need to evangelize cybersecurity capabilities to regulators, client prospects, insurers, and business partners — helping win new business, lower cost of capital, and maintain the license to operate.
- Change agent – CISO’s should be able to create a cyber culture where everyone in the organization understands cyber risks and helps you to mitigate them
- Influencer – CISO’s should be able to influence critical stakeholders to support the cybersecurity transformation.
More CISO related articles can be found here
How to become a CISO in 2022?
Cybersecurity Leadership Demystified by Dr Erdal Ozkaya
CISO in the real world.
Must-have CISO traits
Discover the path
to become a ciso
A career in cybersecurity
The Role of CISO