The role of chief information security officer has never been more critical or in-demand, and the talent pool has not been able to keep up. For aspiring CISOs, that means there has never been a better time to hone skills and fill knowledge and experience gaps in order to take the next step in their careers. But where to start?
After conducting interviews with more than 100 CISOs and recruiters, we’ve developed a blueprint for security professionals to follow as they embark on the path to becoming a CISO. This article is based on a webinar: The Path to Becoming a CISO: 5 Things to Consider, 5 Things to Avoid led by CISO talent from Kudelski Security.
Modern CISO Roles and Responsibilities
Now that cybersecurity has the attention of executives and boards of directors, CISOs have assumed new responsibilities outside of managing the business’ security program.
The CISO must be able to connect the cybersecurity strategy to business drivers, and they must be able to communicate the strategy in a way that resonates with both the C-suite and technical audiences. They must also serve as security evangelists, collaborating with other organizational leaders to build a security agenda that is shared by all departments, not just IT.
In addition to increased executive visibility, “scope creep” is on the rise, expanding the CISO’s role to include, for example, privacy, fraud, physical security, risk, and compliance. Hiring the right CISO “lieutenants” to manage these new domains, as well as the more traditional security domains, is a critical responsibility for modern CISOs.
CISO Job Requirements and Skills
Expanded CISO responsibilities have shifted the requirements and skills required of a CISO from technically focused to more of an even split of technical and business skills. Security leaders in our survey ranked business acumen and soft skills (e.g., empathy and communication) first and second, respectively, as the most important skills for today’s CISOs to possess.
Recruiters in our surveys noted that successful CISO candidates are often process-oriented. They understand metrics, and they have experience holding people accountable and seeing projects through to completion. Often, those candidates have a background in security operations, IT risk and compliance management, security consulting, network management, or IT engineering and infrastructure.
Your Blueprint to Becoming a CISO
If the role of the CISO as described above aligns with your career objectives, it’s time to start charting a course. As we spoke with security leaders, we identified the following five steps that each had in common on their path to becoming a CISO. More details can be found in the 8-page report Building the Future of Security Leadership.
Step 1: Diversify your skillset beyond technical and operational skills
The modern CISO skillset should be split 50/50 between technical and business skills. This helps to maintain credibility within the security organization but also to build trust with other departments in the organization, including the C-suite and board of directors. Presentation skills are a must. Good CISOs should be able to present complex topics to senior and operational levels.
Top technical skills to acquire:
- Understanding of technology
- Technical security
- Governance, risk, and compliance (GRC)
- Security operations
Top business skills to acquire:
- Leadership development
- Relationship management
- Presentation skills
Degrees and certifications can also be helpful for CISOs to have in their toolkit. It’s a good rule of thumb to obtain at least one of the following certifications to be considered for the role:
- CISSP – Certified Information Systems Security Professional from (ISC)2
- CISA – Certified Information Systems Auditor from ISACA
- CISM – Certified Information Security Manager from ISACA
- ICT Security Expert (Swiss Federal Diploma, for those working in Switzerland)
Step 2: Find a leadership mentor to guide your development
Finding a mentor is a wonderful way to develop skills and receive guidance on your path to becoming a CISO. A good place to start is within your own organization. Are there security leaders you admire or would like to emulate?
You can also look externally to security leaders at other organizations or to professional coaches who specialize in the area you wish to further develop, e.g. relationship management, leadership, or presenting.
Whichever path you choose, take the initiative in developing the mentorship: reach out first, come prepared with specific questions, and don’t wait for the mentor to engage.
Step 3: Look out for new opportunities to build experience
Experience is often valued more than technical skill when evaluating C-level candidates. Look for opportunities that give you exposure and visibility to the business, where you can learn how to connect security to business drivers and navigate the political environment.
That’s not to say you should ignore technical experience altogether. Instead, shift from gaining deep technical experience to becoming more of a technology generalist who has knowledge across security domains.
Step 4: Increase involvement in the cybersecurity industry
There are many ways to participate in the cybersecurity industry, but all share a common goal: building your network and presence both inside your organization and within the industry at large.
Top channels for building your industry network:
- Participate in research projects
- Be active in social media discussions about cybersecurity
- Participate in local security groups
- Seek out opportunities to speak at industry events
- Contribute articles or interviews in the press
Step 5: Apply and get hired or promoted to CISO
With Steps 1 through 4 complete, it’s time to seek out open opportunities. According to Jason Hicks, Kudelski Security’s Global CISO, your first CISO job likely won’t be at a large enterprise unless you’re promoted from within, so it’s a good strategy to focus your search on openings at small and medium-sized enterprises.
Once you have identified the right opportunities, the security recruiters we interviewed recommend that you:
- Do your homework on the organization
- Understand and speak to the organization’s challenges
- Discuss security at a strategic level, rather than at a technical or operational level
And don’t forget to dress for success! It’s important for CISO hopefuls to have an executive presence that instills confidence at all levels of the organization.
So there you have it, a blueprint for how to become a CISO. This is just a small sampling of the advice and recommendations we compiled as part of our recent report Cyber Business Executive Research: Building the Future of Security Leadership. To read the full report, visit: https://resources.kudelskisecurity.com/cisos-and-security-leaders
- CISO by Design: A Blueprint for Becoming a CISO - August 5, 2020