Skip links

The 5-Step Action Plan to Becoming CISO – Powerful Guide

The 5-Step Action Plan to Becoming CISO

The Path to Becoming CISO Isn’t Always Linear, There isn’t one definitive path to becoming a CISO.

Don’t be discouraged if your career path isn’t listed above or isn’t “typical.” If your end goal is to become a CISO, then you’ve come to the right place. Keep reading for a comprehensive action plan which will guide you from your current role in IT, IS or Cybersecurity and on the path to becoming a world-class CISO.

Source: CATO Networks

Step 1:

Becoming a CISO is About Changing Your Focus

The 5-Step Action Plan to Becoming CISO - Powerful Guide
The 5-Step Action Plan to Becoming CISO – Powerful Guide

Making The Shift from Security Engineer to Future CISO

The Path to Becoming CISO - Step 1
Becoming a CISO

The most common mistake that security engineers make when looking to become CISO is focus. To be successful as a security engineer the focus is on problem hunting. As a top-tier security professional, you must be the best at identifying and fixing vulnerabilities others can’t see.

How to Think and Act Like a Future CISO

While security engineers identify problems, CISOs translate the problems that security engineers find into solutions for C-suite, the CEO and the board. To be successful in the CISO role, you must be able to transition from problem-solver to a solution-oriented mindset.

A common mistake when transitioning to CISO is by leading with what’s most familiar – and selling your technical competency. While understanding the tech is crucial when interfacing with the security team, it’s not the skillset you must leverage when speaking with C-suite and boards. C-suite and boards care about solutions – not problems. They must feel confident that you understand the business with complete clarity, can identify cyber solutions, and translate them in terms of business risks, profit and loss. To be successful in securing your new role, focus on leveraging cyber as a business enabler to help the business reach its targeted growth projections.

The Skillset Necessary to Become a CISO

  • Translate technical requirements into business requirements
  • Brief executives, VPS, C-level, investors and the board
  • Understand the business you’re in on a granular level
    (The company, its goals, competitors, yearly revenue generated, revenue projections, threats competitors are facing, etc.)
  • Excellent communication: Send effective emails and give impactful presentations
  • Balance the risk between functionality and security by running risk assessments
  • Focus on increasing revenue and profitability in the organization
  • Focus on a solution-oriented mindset, not an identification mindset

Step 2:

Getting Clear on the CISO Role: So, What Does a CISO Actually Do?

Getting Clear on the CISO Role
Getting Clear on the CISO Role

Learn The CISO’s Role and Responsibilities (R&R)

The CISO is essentially a translator between the security engineering team and C-suite.

Step 3:

Set Yourself Up for Success in the Role: Measure What Matters

The Path to Becoming CISO - Step 3
Set Yourself Up for Success

What you measure in your role will ultimately determine your career success. Too often CISOs set themselves up for failure by playing a zero-sum security game.

  • This means any security incident = CISO gets fired = No one wins

But successful CISOs know that cybersecurity is a delicate balancing act between ensuring security and functionality.

  • 100% security means 0 functionality, and vice versa

Strategic CISOs understand this and set themselves up for success by working with the CEO and board to minimize exposure and establish realistic KPIs of success.

Establishing Your Metrics of Success in the CISO Role

What makes CIOs so successful in their role?

  • A single metric of success: 5 9s.

This allows CIOs to focus on the R&R necessary to achieve this goal.

Suggested CISO KPI & KPI Setting Process

  1. Run an analysis to see how many attempted attacks take place weekly at the organization, to establish a benchmark.
  2. Provide an executive report with weekly attack attempt metrics (i.e., 300.)
  3. Create a proposed benchmark of success: i.e., preventing 98% of attacks.
  4. Get management signoff on your proposed KPIs.
  5. Provide weekly reports to executives with defined attack metrics: attempted weekly attacks + prevented.
    (Ensuring security incidents are promptly reported to C-suite and board.)
  6. Adjust KPIs as necessary and receive management signoff.

Step 4

Mind the Gap: Bridge Your Current Technical and Business Gaps

The Path to Becoming CISO - Step 4

Recommended Technical Education

  • GIAC / GSEC Security Essentials
  • CISSP (Certified Information Systems Security Professionals)

OR CISM (Certified Information Security Manager) Certification
OR CISA (Certified Information System Auditor) Certification


Recommended Technical Experience

At least 3-5 years in IS, Cybersecurity, Networking or IT with a strong security focus

Recommended Business Education

  • An MBA or equivalent business degree, or relevant business experience
  • CPA or accounting courses

Recommended Business Experience

  • Approximately 3-5 years of business experience

Business Operations, Business Management, SOC Manager, or roles that demonstrate your business, management and leadership acumen

Recommended Understanding Of:

  • Industry security standards including NIST, ISO, SANS, COBIT, CERT, HIPAA.
  • Current data privacy regulations, e.g., GDPR, CCPA and any regional standards.

Step 5:

How to Get a CISO Job with Limited or No Previous Experience

The Path to Becoming CISO - Step 5

It’s the age-old dilemma – how do I get a job without relevant experience? And how to I get relevant experience without a job?

Take On a Virtual CISO Role at a Friend or Family Member’s Small Business

  • Offer 3 hours of virtual CISO service a week.
  • In exchange, ask for 3 recommendations a month and to service as a positive reference.

Can you receive mentorship from an existing CISO?

  • Do friends, family or former colleagues know any CISOs you can connect with? Start there.
  • Reach out on LinkedIn to CISOs and invite them to coffee or dinner.
    Ask them if you can meet up and receive mentorship over dinner once a month (they pick the location, and you pay.)

Remember: It’s a numbers game. Don’t get discouraged after a few “no’s” or a lack of responses.

Getting Your First CISO Job: Your Action Plan for Career Success

Applying For Jobs

Your resume has one and only one goal – to get you the interview.
Week 1:

  • Send out 20 resumes for CISO jobs with your existing resume
  • How many respond and request interviews (within 2 weeks)?
  • If you get under a 50-70% success rate, you need to revise your resume.

Your goal is to repeat this process until you get a minimum of 10 positive responses for every batch of 20 resumes you send out (giving recruiters 1.5 – 2 weeks to respond.) Be ready to adapt and adjust your resume as many times as necessary (using the defined process above,) until you hit your benchmarks of success.

Revising your Resume for Success

If you’re not hitting a 50-70% interview rate on your resume, it’s time to revise your resume.

But what do you change?

The Most Common Mistakes Found on CISO Resumes (Don’t Fall into a Trap)
Your resume should not only highlight your technical abilities but your business acumen.

Review the strategic skills highlighted earlier and emphasize those (in addition to any other relevant educational, professional, or career achievements.)

  • Have you briefed executives and boards?
  • Have you given effective presentations?
  • Have you created risk management programs and aligned the entire organization?
  • Do you lead an online forum on Cybersecurity best practices?

Think of ways to highlight your business and leadership savvy, not just your de facto technical abilities.

The Interview Rounds

  • The CISO interview process is generally between 5-7 interview rounds.

The goal of your first interview is only to receive a second interview. The goal of your second interview is to receive a third interview, and so on. Be prepared for interviews with legal, finance, the CEO, CIO, HR, and more.

You’ve Got This: The Road to Landing Your First CISO Role

Abraham Lincoln once said, “the best way to predict the future is to create it.” And we hope this guide gives you a running start towards your new and exciting future as a CISO. We believe in you and your future success. Good luck! And feel free to forward this guide to a friend or colleague who’s hunting for a new CISO role, if you feel it’s been helpful.

Life After Landing the Coveted CISO Role

Congrats! You’ve Been Hired as a CISO

Life After Landing the Coveted CISO Role
You’ve Been Hired as a CISO

You did it. You’ve landed your first CISO role. We couldn’t be prouder of the hard work and dedication that it took to get you to this point. Before you begin in your new role, here are a few best practices to guide you on your way to career success.

Ensuring Your Success in the CISO Role: Things to Keep in Mind

After speaking with 1000s of CISOs since 2016, it’s important to keep the following in mind:

Your Network Security Architecture Will Determine Your Focus and Impact


No matter the organization or the scope, your CISO role is dependent on meeting if not exceeding your promised KPIs. So, you’ll need to decide, do you want a reactive or a proactive security team? Do you want your team to spend their time hunting and patching security vulnerabilities and mitigating disparate security policies? Or devoted to achieving your larger, revenue-generating missions through cybersecurity? Accordingly, you’ll need to ensure that your network security architecture minimizes your enterprise’s attack surface, so you and your team can devote your attention accordingly.

To achieve this, your team must have full visibility and control of all WAN, cloud, and internet traffic so they can work on fulfilling your business objectives through cybersecurity. Otherwise, your function will revert to tactical, instead of focusing on serving as a business enabler through cybersecurity.

For more Cybersecurity Leadership articles click here

Source : CATO Networks

Vanessa Perplies is the Director of Content at Cato Networks and a 10+ year veteran of the B2B SaaS space. With deep-seated experience writing for the IT industry at companies like SysAid and Sisense, Vanessa is keenly familiar with the challenges faced by modern IT professionals. She is thrilled to continue serving the IT community by sharing the benefits of converged networking and security into one converged, cloud-delivered SASE* service. Vanessa is a proud University of California Santa Barbara alumni and Gaucho, and enjoys hiking and spending time with her animals.

How to Become a Successful CISO: Advice from Amit Spitzer

Before You Begin: Why Do You Want to Become a CISO?

The first step to becoming a CISO is getting clear on why you want to become one. Whether you’re planning to be a CISO at a disruptive technological company or a paper manufacturing facility, the underlying role and responsibilities of the CISO are ultimately the same: protecting the organization from bad actors who are trying to get their hands on sensitive data. If reading this description got your heart beating faster, then security is the right domain for you. Within security, the difference between a C-level security professional (a CISO) and other security professionals is the vision. A CISO envisions how she or he will impact the company’s goals and milestones, contribute to the company’s interests and protect its assets. While this keeps many a CISO up at night, it is also exciting and exhilarating, since you are involved in major company milestones, like IPOs. Are you ready to actively participate in these types of business activities? If the answer is ‘yes’, you’re in the right CISO mindset.

A CISO’s Perspective on Security | Cybersecurity Master Class: Episode 5

Starting Your CISO Journey: Taking a Hands-On Approach

In the past, CISOs from legacy enterprises focused on building the organization. This first generation of CISOs was not involved in technologies. Instead, they set the stage for today’s CISOs, who are in the trenches and taking a hands-on technical approach, while also contributing to business-related goals, like their predecessors.

Such deep technological experience is gained by building yourself from the bottom-up. While a CISO is a C-level position, a good CISO will still be passionate about learning and understanding technologies. This means learning all the specifics of threats and risks and how to mitigate them. You know you’ve succeeded when you’re able to swap out all members of your team.

At the same time, a good CISO also needs to be involved in business aspects like growth, revenue, quarterly sales, etc.

Maintaining the Balancing Act Between Security and Functionality

The built-in challenge between Security and Business departments revolves around how to ensure an apt layer of security while maintaining business operational agility. Let’s face it, there is no ideal solution or global truth for answering this challenge. If the pendulum swings too far in one direction, either business or security, the risks will be too high or the business won’t be able to function, and the board might as well close the company.

In the past, the “block everything” approach was commonly implemented by companies. First generation CISOs piled up security solutions that blocked any technology or traffic that could potentially be a risk. But in a fast-growing startup that needs to be agile, this approach could quickly become the kiss of death to the business.

Instead, it is best to understand that there is no security without sales and there are no sales without security. A CISO and the security teams are here to serve the business and be growth enablers. This means understanding that every security decision made can impact the company and its development processes and therefore needs to be taken carefully.

When making decisions, I recommend building a decision tree that displays various routes of decision-making and their business outcome. Let’s think of an extreme example. If a CISO needs to determine whether or not to approve Zoom, some of the negative business outcomes of prohibiting Zoom could be:

  • Impacting internal communication
  • Hindering communication with external entities: customers, vendors, partners, etc.
  • Spending more IT resources on finding and procuring a different communication solution
  • Taking up employee resources for implementing and training on the new communication solution

On the other hand, the responsibility for understanding the risks of new technologies and tools is the CISO’s domain. When implementing a solution, don’t settle on visibility through advanced monitoring capabilities. You and your team need to be able to track incidents and mitigate them before they become breaches with a significant blast radius.

Goal-setting, Roadmap Creation and KPI Planning

A CISO’s goals and KPIs are derived from their main mission: protecting the organization from threat actors who are attempting to access the company’s assets. This means different things in different organizations, which makes it hard to create a global benchmark for CISOs.

For example, a KPI in one company could be to reduce the percentage of clicks on phishing emails from 5% to 3%. But in another, phishing emails are not a prominent attack vector, so such a KPI would not be considered a high priority.

I recommend you build and approve your CISO goals, roadmap and KPIs with your leadership team and board. This serves two purposes. First, ensuring that these metrics are aligned with business needs. Second, evangelizing the CISO’s role and responsibilities, and therefore creating a higher chance for you to succeed.

Tips for Getting Hired as a First-time CISO

Finding a first-time CISO role can take some time. Here’s how to make yourself stand out with recruiters and CEOs who are reviewing your CV, comparing you to other applicants or considering you for a first-time role:

  • Become an expert – Specialize in a security or organizational aspect and make yourself the go-to person for that field. This could be a certain application or how a practice is implemented in an organization. This becomes a strong driver for organizations to hire you and want to include you in their organization.
  • Build confidence in your abilities – Create a sense of trust in your abilities to handle various situations, in your technological capabilities and of your business acumen. By doing so, you will be the person who is handed opportunities when they arise.
  • Combine technology and business capabilities – Build up your business experience by taking a business-oriented approach. Don’t be afraid to hop on customer calls, answer customer questions and participate in cross-departmental brainstorming sessions where commercial questions are discussed. You can also become involved with marketing and sales processes to help them streamline their processes.

Take projects from idea to execution – Find an idea that can help the business and bring it to execution. This includes research, building rapport with colleagues, resource allocation and project management. Comprehensive project management will not only show off your leadership skills, it will also help you hone your combination of technological and business capabilities, to help you build yourself up for the role.

Next Steps for Future CISOs of Tomorrow

Your CISO journey might not be the same as your colleagues’, or it might be a textbook career path from security professional to CISO. Either way, your unique characteristics as a CISO are what will make you stand out, not how you got there. By being enthusiastic about what you do, finding creative ways to solve problems and constantly maintaining an understanding of tech and business growth, you will be able to lead security and make the best decisions for your company, which is the real indicator of success.

Credir :Amit Spitzer

Amit Spitzer is the Chief Security Officer at Cato Networks. With 15 years of experience in the world of Networking and Cyber Security, Amit has served as ControlUp’s CSO and also has worked at Dome9 (acquired by CheckPoint), ClickSofware (acquired by Francisco Partners and SalesForce), and for the Israeli Government (

Building a Cybersecurity Strategy for CISO’s

There are two types of organizations, the one they know has been hacked and the ones they don’t. It’s not the matter if but when the hack is going to happen ! So you are responsible for securing your organization, what do you need to do?

The 5-Step Action Plan to Becoming CISO – Powerful Guide –