Today’s top CISOs come from many different backgrounds: some have held more technical roles and decided to switch gears and learn the art of business, while others came from a strong compliance and policy background and were drawn in by the inner workings of security.
Whatever their origin, each CISO has their own blend of qualifications, experience, and hard-won skills. As a result, there’s no strictly defined career path for aspiring CISOs.
Where to start? Understanding the CISO Role
If you plan to ascend the ranks of security leadership, everything starts with understanding what new responsibilities you will have to undertake and your willingness to step up even before landing the job. Be proactive in finding solutions to the problems your organization is currently facing. Security practitioners who take on additional responsibility will demonstrate their added value and, in return, will gain skills and experience that are essential in a security leader.
The typical CISO oversees four main security pillars that include security architecture and engineering, operations, cyber resilience, and regulatory and IT compliance. However, they are increasingly taking ownership of other tasks such as risk and governance, business continuity, identity and access management (IAM), fraud prevention, and more.
Being a CISO isn’t just about being responsible for security functions. A recent study by Kudelski Security discussed the need for modern CISOs to display a broad range of skills and expertise that go beyond technology. A CISO needs to guide the organization towards a proactive approach to security, manage risk tolerance, and advise the board on cyber risks while providing a security strategy.
In addition, today’s CISO has to be well-versed in business acumen and promote security as a business enabler with a clear return on investment (ROI). They will have to build relationships with other key stakeholders across the organization to identify opportunities to add value. A CISO also has to act as an educator, coaching and empowering both technology teams to understand the business goals and business leaders to understand the value of security.
The Pathway to Becoming a CISO
While the career progression to become a CISO is far from linear, there are some steps that help you create your own path. Among CISOs, CIOs, and security recruiters, there’s a clear consensus on the steps prospective security leaders should take to ready themselves for the role:
- Get a mentor: A mentor will be critical in helping develop the skills and experience you need. Ideally, you will rely on your current CISO. If they are not suitable, your first step is to identify possible mentors outside the organization.
- Build your skillset: Seek out opportunities to develop yourself, in both technical and ‘soft’ skills. Take advantage of any opportunity to expose yourself to a new aspect of security and leadership. Don’t wait to be asked; proactively seek ways to get involved in new projects within your team and others that might interest you.
- Get education and certifications: Your organization should provide some support, but don’t rely on that exclusively. Ask your mentor and peers for advice on the best training to pursue and invest in yourself. Certifications might not be a requirement for some organizations, but they showcase the technical level of a candidate.
- Work on your soft skills: The biggest differentiator between security practitioners and leaders is their ability to build relationships across the organization. Take every opportunity to develop your soft skills and expose yourself to situations that demand skills like communication, relationship building, and public speaking.
- Get involved in the industry: The saying goes that ‘it’s not what you know, it’s who you know’. In this case, it’s both. Building your network and becoming known in the security industry is a great way to open opportunities for yourself and learn from the people that have gone through the same experience.
- Boost your visibility with executives: Look for opportunities to assume responsibilities associated with a more senior role than the one you are currently in. The more exposure you have to senior business leaders and executives, the more comfortable you’ll be in that environment.
At all stages of your path, express your career objectives clearly to your leaders, and ask them for development opportunities. If you do this consistently, you’ll gain the experience you need much more quickly than if you sit back and wait for a chance.
Building the Future of Security Leadership
The security field is growing rapidly, and CISOs are taking on an increasingly wide range of responsibilities. As cybercrime continues to grow, and organizations rely even more heavily on their digital infrastructure, strong leadership will be critical to ensuring the effective management of cyber risk.
The next generation of modern CISOs will have to face new challenges. Identifying and nurturing their hard and soft skills will be paramount as both their knowledge of security and the business will help them navigate a constantly evolving security landscape and become the bridge between technologists and business executives.
This article was originally featured in Infosecurity Magazine.
It is no secret that finding and recruiting strong Chief Information Security Officer (CISO) candidates is far from easy. Many CISOs typically stay in a role for a few years and subsequently are not able to dedicate adequate time to the development of junior leaders who could become the next wave of security leaders.
Most organizations are forced to look externally for the experience they require. However, looking for outside hires also contributes to the shortage of potential internal leaders, as skilled professionals are often overlooked. For the security industry to thrive, this needs to change, and it starts with grooming the next generation of leaders.
The Role of the Security Lieutenant
A CISO needs a strong bench of lieutenants to take control of the different security areas within the company. These leaders will play a critical role in the success of the security team, as well as the organization as a whole. The strongest of these leaders are ideal candidates to be groomed into future CISOs.
Selecting one of your leaders for grooming starts with those who are already the head of a primary security function such as operations, engineering and architecture, or IT compliance. But the CISO role is larger than those areas and a lieutenant should be able to handle duties that can range from supporting risk management across security domains to understanding business and technology needs, as well as supporting education on cyber risks.
Potential future CISOs also need a set of ‘soft’ skills that can be further developed in-role. Candidates should have the ability to manage relationships and communicate with leaders outside of the security function. An understanding of how security fits into wider business objectives is also important, and it helps if a candidate has already displayed non-technical leadership ability and a desire to take on additional responsibilities.
Security is a constantly evolving field, so above all, lieutenants must have the drive to continually develop their skills and gain experience from all interactions, both inside and outside their own department. An understanding of financial concepts and portfolio management is also an essential skill to develop.
Challenges Recruiting Security Deputies
Recruiting for security roles is never easy. The challenge stems from an evolving threat landscape that increases pressure from internal stakeholders, outside parties and customers. In order to meet new industry requirements, security programs are growing in scope and the leadership roles have to spread over multiple domains such as fraud, privacy, risk and physical security.
While recruiting for lieutenant roles, expect to come up against at least four challenges:
- Recruitment Timeline: On average, it takes seven months to recruit the right security leader. During that time, the team will have to manage the same amount of work and responsibilities with less support.
- Recruitment Costs: For years there has been a continual upward trend in the cost of recruiting and retaining security roles. Strong candidates are in high demand, and organizations are willing to pay the market price for strong expertise. If you want to attract and retain the best talent, it’s important to be competitive and understand what other companies offer in terms of benefits and on-the-job perks.
- Finding the Right Skill Mix: Being an effective leader requires a fine balance of technical expertise, soft skills, business acumen and the ability to remain calm in stressful situations. Unsurprisingly, few candidates possess this balance. Successful candidates will need to develop those skills and current leaders will need to provide situational training and exposure to upper management. This experience is critical in their development and isn’t widely available to prospective security leaders.
- Cultural Match: It is also important to recruit candidates that are a good cultural fit for your organization. To help ensure this, include HR and other internal experts in the evaluation process. It’s important that all levels of the CISO organization are represented in the interview process. Just having a candidate meet with the management team does not provide a sufficient picture of how they will fit with the full team. For the same reason, it’s also a good idea to have them interview with business customers.
Internal vs. External Recruitment
There’s an age-old argument about whether internal or external recruitment is a better source of security talent. Generally, it comes down to the preferences of the incumbent CISO. However, the availability of internal resources and the type of expertise and/or experience needed for the role also play an important part. The Cyber Business Executive Research: Building the Future of Security Leadership report lays down some of the main traits that CISOs and some of the top security leadership recruiters in the industry believe may help identify and recruit strong security deputies:
- For internal recruitment:
  - It is critical to always hire candidates with solid technical competencies.
  - Look for candidates with the ‘soft’ skills needed for leadership and a readiness to be trained.
  - Identify likely successors to your current security leadership and create a plan for their development.
  - Identify potential deputies early to allow them time for growth. It can take years to prepare a promising candidate for even junior leadership roles.
- For external recruitment:
  - Use your current CISO’s network to identify candidates. It helps if your CISO has an established following in the industry.
  - Maintain a continuous pipeline of potential candidates, as security roles turn over frequently.
  - Proactively hunt for candidates. Many organizations have aspiring candidates, but no leadership positions for them to fill.
  - Build relationships with career advisors who provide continuous cybersecurity education; they have constant access to experienced applicants.
Building the Future of Security Leadership
The security field is growing rapidly, and CISOs are taking on an increasingly wide range of responsibilities. As cybercrime continues to grow, and organizations rely even more heavily on their digital infrastructure, strong leadership will be critical to ensuring the effective management of cyber risks. Finding, recruiting, and developing the next generation of modern CISOs is not an easy task, but will pay dividends if done right.
Kudelski Security’s client advisory council recently released a report devoted to finding the next generation of security leaders. Download the report today if you’re looking to take that next step in your career.
This article was originally featured in Security Magazine.
The role of the CISO is changing. What makes a good security leader depends on a number of ever-changing factors. Jason Hicks, Global CISO at Kudelski Security, recently joined the UberKnowledge podcast to talk about the future of security leadership. He covers the challenges of managing a security team, communication skills for technical leaders, coping with scope creep, and the rise of the branded CISO.
Did you find the podcast interesting? You can learn more about what it takes to become a CISO in our latest executive research. Click here to download the report.
- 01:40 — It is critical to the success of a security program for the CISO to speak business.
- 04:14 — “You have to be one to lead one” still holds true.
- 06:41 — The rise of the branded CISO.
- 11:24 — The CISO tenure remains short and there are several reasons why.
- 14:29 — Coping with scope creep.
- 17:11 — Top three issues for CISOs right now.
The first year as a new CISO can be exhilarating and at times downright frightening. You have a lot to prove and minds to win over, but you also have the opportunity to start fresh and make a big impact.
Early on, the emphasis is on learning the lay of the land of your new organization, assessing the company’s security maturity level, developing a business-focused security strategy, and building up the relationships and political capital needed to make it a reality. But what happens once your first month, or even your first quarter, is under your belt? You have a solid strategy in place and you’ve survived your first board meeting … what’s next?
How Will You Put Your Plans into Action?
Security doesn’t happen in a vacuum. Even when you have sign-off and budget for your initiatives, executing consistently requires considerable political sway.
In other words, it’s time to cash in on the political capital you’ve been building from Day 1.
One of the biggest mistakes you can make as a new CISO is not maintaining strong lines of communication with key stakeholders, business leaders and risk owners. And we’re not just talking about IT leaders; senior executives in finance, personnel and operations all have a significant stake in the success of your security initiatives.
The level of friction you experience will be dependent on the political environment of your organization. Most organizations have a low appetite for change (even if they claim otherwise) and your best chance of overcoming the difficulties this can cause is to build and maintain strong relationships with key business stakeholders.
Be Seen as a Business Enabler
One of the most important tasks for any CISO, new or experienced, is ensuring that security is seen as something more than a cost center. If your program is seen as unrelated to business objectives, it will be extremely difficult to get traction for your initiatives.
But what does it mean to be a business enabler? At a basic level, you can tie security to business objectives by asking questions such as:
- How much is our reputation worth?
- What impact would a breach have on our ability to do business?
However, these questions, while undoubtedly important to answer, are rooted in negativity. Seen in this light, security is still something that holds the organization back from doing valuable things.
To really be seen as an enabler, you need to go a stage further. For example:
- Could we enter new markets if we were confident in the security of our data and assets?
- Could we be early adopters of blockchain/IoT/something else if our house was thoroughly in order?
- Would it be easier to win government contracts if we could be sure of meeting regulatory requirements?
Managing stakeholder perceptions of a security program is exclusively the domain of the CISO. If you want your program to be seen in a positive light, you’ll need to do two things:
- Invest your energy in building the relationships and communication channels needed to engage with key business stakeholders.
- Actively look for ways to tie your initiatives to important business objectives.
Demonstrating Business Value
As you settle into your role as a CISO, one of the most important functions of program measurement is using metrics to tell a story—specifically, the story of where the organization is in the security journey.
- Have your initiatives led to a reduction in wasted time for IT staff because they aren’t constantly having to rebuild PCs that have been infected with malware?
- Is the uptime of vital IT systems higher as a result of improved security controls?
- Have phishing awareness tests reduced malware outbreaks and reduced incident management needs?
Identifying and communicating the business benefits of a security program is often difficult, but it can make a substantial difference in the way security is seen by the business.
When it comes to communicating with the board, make sure you’re staying on top of the “latest and greatest” threats—particularly those that have featured heavily in the media. Demonstrating that you’re proactively preparing for new threat vectors is an excellent way to win board trust in your security program.
Handling Changes to the Business Landscape
Changes to the business environment—mergers and acquisitions in particular—can have an important impact on your security strategy and program.
Depending on the scale of change, you may need to conduct a new assessment and develop an entirely new security strategy. This is particularly likely if your organization moves into a new industry that’s heavily regulated. Buying a government defense contractor, for example, is a surefire way to turn a security program on its head.
Fortunately, security also has a valuable part to play in major business change projects. If your organization is considering adopting new technology or buying a company, having a seat at the executive table as a CISO gives you the opportunity to add significant value.
- How much will it cost to securely adopt a new operational technology (OT) solution?
- What is the state of security at a company you’re acquiring? How much will it cost to reach an acceptable level of security? Can that amount be negotiated off the purchase price?
Of course, getting a seat at the table for major change initiatives is far from guaranteed. As usual, you’ll need to campaign for the access you need to add this type of value and continue building on the relationships and political capital you’ve been accumulating since Day 1.
Non-Negotiables of an Effective CISO
Fundamentally, being an effective CISO boils down to two things:
- Building and maintaining relationships with key business stakeholders.
- Being able to evidence the business value of your security program.
If you can do these two things consistently throughout your first year, you’ll pave the way for a strong, business-focused security program.
This article was originally featured in Security Boulevard.