The role of chief information security officer has never been more critical or in-demand, and the talent pool has not been able to keep up. For aspiring CISOs, that means there has never been a better time to hone skills and fill knowledge and experience gaps in order to take the next step in their careers. But where to start?
After conducting interviews with more than 100 CISOs and recruiters, we’ve developed a blueprint for security professionals to follow as they embark on the path to becoming a CISO. This article is based on a webinar: The Path to Becoming a CISO: 5 Things to Consider, 5 Things to Avoid led by CISO talent from Kudelski Security.
Modern CISO Roles and Responsibilities
Now that cybersecurity has the attention of executives and boards of directors, CISOs have assumed new responsibilities outside of managing the business’ security program.
The CISO must be able to connect the cybersecurity strategy to business drivers, and they must be able to communicate the strategy in a way that resonates with both the C-suite and technical audiences. They must also serve as security evangelists, collaborating with other organizational leaders to build a security agenda that is shared by all departments, not just IT.
In addition to increased executive visibility, “scope creep” is on the rise, expanding the CISOs role to include, for example, privacy, fraud, physical security, risk, and compliance. Hiring the right CISO “lieutenants” to oversee management of these new security domains as well as more traditional domains is a critical responsibility for modern CISOs.
CISO Job Requirements and Skills
Expanded CISO responsibilities have shifted the requirements and skills required of a CISO from technically focused to more of an even split of technical and business skills. Security leaders in our survey ranked business acumen and soft skills (e.g., empathy and communication) first and second, respectively, as the most important skills for today’s CISOs to possess.
Recruiters in our surveys noted that successful CISO candidates are often process-oriented. They understand metrics, and they have experience holding people accountable and seeing projects through to completion. Often, those candidates have a background in security operations, IT risk and compliance management, security consulting, network management, or IT engineering and infrastructure.
Your Blueprint to Becoming a CISO
If the role of the CISO as described above aligns with your career objectives, it’s time to start charting a course. As we spoke with security leaders, we identified the following five steps that each had in common on their path to becoming a CISO, more details of which can be found in the 8-page report Building the Future of Security Leadership
Step 1: Diversify your skillset beyond technical and operational skills
The modern CISO skillset should be split 50/50 between technical and business skills. This helps to maintain credibility within the security organization but also to build trust with other departments in the organization, including the C-suite and board of directors. Presentation skills are a must. Good CISOs should be able to present complex topics to senior and operational levels.
Top technical skills to acquire:
- Understanding of technology
- Technical security
- Governance, risk compliance
- Security operations
Top business skills to acquire:
- Leadership development
- Relationship management
- Presentation skills
Degrees and certifications can also be helpful for CISOs to have in their toolkit. It’s a good rule of thumb to obtain at least one of the following certifications to be considered for the role:
- CISSP – Certified Information Security Systems Professional from (ISC)2
- CISA – Certified Information Systems Auditor certification from ISACA
- CISM – Certified Information Security Manager
- ICT Security Expert (Swiss Federal Diploma, for those working in Switzerland)
Step 2: Find a leadership mentor to guide your development
Finding a mentor is a wonderful way to develop skills and receive guidance on your path to becoming a CISO. A good place to start is within your own organization. Are there security leaders you admire or would like to emulate?
You can also look externally to security leaders at other organizations or to professional coaches who specialize in the area you wish to further develop, e.g. relationship management, leadership, or presenting.
Whichever path you choose, be proactive in developing the mentorship. Be proactive with your outreach and your questions; don’t wait for the mentor to engage.
Step 3: Look out for new opportunities to build experience
Experience is often valued more than technical skill when evaluating C-level candidates, and it’s important to look for opportunities that give you exposure and visibility to the business, where you can learn how to connect security to business drivers and navigate the political environment.
That’s not to say you should ignore technical experience altogether. Instead, shift from gaining deep technical experience to becoming more of a technology generalist who has knowledge across security domains.
Step 4: Increase involvement in the cybersecurity industry
There are many avenues in which to participate in the cybersecurity industry, but all share a common goal of building your network and presence inside your organization and within the industry at large.
Top channels for building your industry network:
- Participate in research projects
- Be active in social media discussions about cybersecurity
- Participate in local security groups
- Seek out opportunities to speak at industry events
- Contribute articles or interviews in the press
Step 5: Apply and get hired or promoted to CISO
With Steps 1-4 in check, it’s time to seek out open opportunities. According to Jason Hicks, Kudelski Security’s Global CISO, your first CISO job likely won’t be at a large enterprise, unless you’re promoted from within, so it’s a good strategy to refine your search to openings at small and medium-sized enterprises.
Once you have identified the right opportunities, security recruiters we interviewed recommend to:
- Do your homework on the organization
- Understand and speak to the organization’s challenges
- Discuss security at a strategic level, rather than at a technical or operational level
And don’t forget to dress for success! It’s important for CISO hopefuls to have an executive presence that instills confidence at all levels of the organization.
So there you have it, a blueprint for how to become a CISO. This is just a small sampling of the advice and recommendations we compiled as part of our recent report Cyber Business Executive Research: Building the Future of Security Leadership. To read the full report, visit: https://resources.kudelskisecurity.com/cisos-and-security-leaders
Kudelski Security recently carried out research with its Client Advisory Council on CISO communication with the board of directors. The full report – complete with advice from seasoned security leaders – can be found here, but in this blog, I’m going to cover some extra points that we weren’t able to include in the final document, relating to one of the top, most challenging questions that CISOs face when communicating with the C-Suite.
The issue in question is “How do we compare with our peers?” As with nailing all these questions, the starting point is to understand what the board wants to know.
According to a majority of Council members, it boils to investment and whether the organization is spending enough on security compared to peers. Interestingly, and as an aside, the boards indicated that they want to be equitable or even higher than peers within their industry but do not want to overspend in areas with diminishing returns on investment.
The response from Council members falls into 3 broad strategies.
Strategy number 1: Benchmark using an industry standard framework
Most of the CISOs we talked to suggest using this strategy:
- CISOs should communicate how the framework was selected and why they think the framework fits their company.
- Then CISOs should demonstrate how the company’s security program is measured against this framework, highlighting specifically where the start point was, and the progress made to the target state of maturity.
One piece of advice from one CISO to another “Always check whether investments are worthwhile from a risk reduction point of view”. One of our Council CISOs from a Fortune 1000 company told us he was asked by his board what it takes to increase maturity score from a 2.4 to a 3.2 in one area of their security program. In this case, they recommended that before taking any action, it needed to be determined whether taking that step was worth it in terms of investment and risk reduction.
Strategy number 2: Compare security spend with peers
A high number of our Members also pointed to this as a key strategy. Obviously, the key problem here is the fact data sharing on these matters is highly sensitive and confidential.
So where do CISOs need to look to find what their peers are spending on security?
- One CISO from the technology industry recommends first looking at research firms that can provide information related to verticals, such as Gartner, Forrester, 451 group, etc. “Start with the average security spend for a vertical, and then tweak the number based on the organization size and innovation, knowing that firms that are innovative will typically spend more on security than traditional firms.”
- Another valuable source of information is peer CISOs– some of the CISOs we interviewed meet their CISO peers regularly to discuss security and maturity, staff and budget topics. The general recommendation is “make friends with peers in cyber and do not try to be competitive when it comes to security.”
- Participate in forums and share information within peer groups – one CISO from the media and entertainment industry obtains their benchmarking information from an industry-specific cyber community. They meet monthly to get updates on industry cyber trends, compare cyber programs and maturity, and share the latest incidents that have impacted them.
Strategy number 3: compare maturity of individual program components
The third strategy focuses on a maturity comparison.
- Look at what functional or capability outcomes your peers are trying to achieve, what gaps they are trying to close and the steps they have taken to do so. This recommendation came from one Fortune 500 CISO, based on his experience that his peers gain a good idea about industry norms from the maturity assessments they run.
- As a general note, if you cannot answer don’t guess. Instead, use strategy number 1: pivot your answer to a framework, as this is something you can control and justify.
Did you find this useful?
For a more comprehensive guide to answering tough questions from the boardroom, read our Cyber Business Executive Research: Cyber Board Communications & Metrics in full.
In the first part of this series, I introduced the research Kudelski Security did on the subject of board communications and metrics in collaboration with our Client Advisory Council. The report is available in full here, but as with all meaty reports there’s a lot of content, so this article seeks to cover some interesting insight that didn’t make the final cut.
There were a few questions we explored in depth, based on a response from an initial survey on frequent questions CISOs are asked by the board.
The full list of questions that formed the basis of our research is listed below:
The broad consensus from our Council Members was that this question: “Are we secure? How do we know” was the most challenging and frequent question that boards ask CISOs. As with all strategies, there was not a one-size-fits-all approach, so the report ends up offering a range of strategies that need to be evaluated and implemented based on your unique organizational profile and board requirements. Worth noting that CISOs spend an average of 10-20 hours preparing their response to this question, so in the interests of saving time, it’s a useful question to consider.
Here are five key takeaways:
- One fortune 500 CISO suggests this is not a simple black or white answer as there is no such thing as 100% secure; we are always going to have more vulnerabilities, as the threats constantly change. He prefers to talk about security as a journey using a maturity model, a framework to measure progress.
- It was commonly agreed that this question needs to be bridged to an industry framework; the board needs to understand that you are measuring and aligning the maturity of your company’s capabilities to what the industry norm is.
- Start by presenting the cybersecurity maturity model – a best practice framework for your industry (like NIST CSF, ISO etc.) you are aligned to – and show where you’re at today on that journey, ultimately according to company’s maturity goals.
- Continue by presenting where you want to get to and pivot your answer to a risk management discussion by showing the level of current risk. You should be able to explain the board if this level is above, at or below the company’s risk profile, risk tolerance, or risk acceptance levels.
- Next, show the board how you reduced risk of compromise to critical assets using metrics that attest to improvement trends, as it is key to validate your state of security. Provide direct, fact-based answers that you can validate with metrics, such as event monitoring results, or with third-party audits. One of our CAC members, a CISO in the Computer Hardware industry said:
“Always have data to back up your recommendations. Stay away from opinions”
What was a particularly interesting outcome from our discussion with the Client Advisory Council CISOs was that a key metric and focus for the CISO must be the ability to respond and recover from attacks, and not just any attack, but the more targeted attacks.
This is a good way to confirm the defenses are operating well. As Pete Naumovski, VP and CISO, BCBSA states: “in a perfect world, the absolute metric for a CISO to have is the MTTD / MTTR of a more targeted attack”. Or as Ginny Davis, CIO and CSO Technicolor puts it: “Your ability to respond and recover is equally important to how secure you are”.
And while we are on presentations, here is a summary of the top-5 presentation tips:
- Keep the same format for each board presentation, a focused message on each slide and leave plenty of white space
- Use a heatmap to demonstrate risk drivers or a spider graph to show multiple data points
- Keep the message on each slide focused and leave plenty of white space
- Show progress over time, including trends, outcomes, and risk reduction
- Show improvements in ability to respond and recover from an attack with examples of dwell time reduction for threat actors like phishing or malware.
Read the full report and get Enterprise CISOs perspectives, examples, meaningful metrics and a range of strategies to prepare CISOs for the challenging questions from the Boardroom. Look out for part 3 of this series for a more detailed focus on peer comparison.
Cybersecurity incidents are increasing, and with it, the pressure on CISOs to get cybersecurity right. At the heart of this challenge is getting the full support of the board of directors. The board sets the tone for the organization, gives the green light for adequate resources, ensures alignment of investments to company business objectives, and provides leadership at the organizational level on the importance of cybersecurity.
CISOs have found themselves having to hone a new set of skills around board communication and in articulating the cybersecurity program in a way that resonates with board members. Recognizing that this may be a knowledge gap for many CISOs, especially those coming up through the technical ranks, Kudelski Security conducted a research project together with members of its Client Advisory Council. The research, titled Cyber Board Communications & Metrics, seeks to help CISOs facilitate those conversations and can be accessed here.
For this project, Kudelski Security surveyed around 80 CISOs about matters relating to board communication, such as the most common and challenging questions the board asks them. Their collective responses provide insight into what interests boards the most, what keeps them up at night, and what questions are toughest for CISOs to answer. We ended up focusing on a total of five questions in depth, covering the different paths and strategies to answer them, but here are a few highlights.
Four Key Takeaways
Across the responses we received for each question, we identified a few key takeaways. Here is a peek into best practices advice to improve CISO communication with boards and instill their confidence in the security program.
1. Get to know your board
In the long run, you’ll want to get to know your board members, their backgrounds etc. The more you understand the board members, the better you’ll be able to communicate, engage with them and get their support. As Robert Drawer, Global Director of IS, Mayer Brown LLP suggests, CISOs should have onboarding conversations with new board members, preferably face-to-face, to share the latest board presentation and metrics. Another Council member suggests discovering board members’ preferences to consume information, as some boards like visuals and others prefer dialogue. CISOs need to create a presentation that will resonate with their board.
2. Think Context
When preparing your board presentation, always provide context relating to the bigger picture, and focus on strategic elements with relevant business-centric metrics that enable to tell a story. Create a story that shows how you have aligned security program and investments to business priorities, how your controls are effective, how your strategies, investments, and outcomes make the company secure and enable business and demonstrate how your strategic plan is aligned to a framework and a maturity model and backed up by data. For example, one of our council members from the media and entertainment industry chose a spider graph to communicate the journey towards target maturity. This enabled him to provide the board with a quick view of previous maturity, current maturity, target into this year’s roadmap and goal.
3. Fail to prepare – prepare to fail (yes, that cliché)
Among the most important tasks to complete about a week before the board presentation are:
- prepare for as many questions as possible and get as much data as you can to show that you are informed,
- be prepared to talk only about the highlights of the presentation in case the board meeting is shorter in time than planned initially,
- and review and update your presentation with other senior executives to get feedback on the data points and plan to make adjustments that will improve your message. Always have data to back you up. “Before presenting to the board, get buy-in from one person in the meeting who will support what you are presenting” – Robert A. Drawer, Global Director of IS, Mayer Brown LLP
4. Tell the story the board would like to hear
And finally, during the board presentation, tell the board the story the way they want to hear it, a story that demonstrates control effectiveness and results, with related business outcomes. The most productive board interactions happen when presentations become conversations.
This is just a peek inside one part of the research. For a complete look at the research and recommended board communication strategies, click here to read our Cyber Business Executive Research: Cyber Board Communications & Metrics or look out for part 2 of this 3-part series for a more detailed focus on the top questions.