The role of chief information security officer has never been more critical or in-demand, and the talent pool has not been able to keep up. For aspiring CISOs, that means there has never been a better time to hone skills and fill knowledge and experience gaps in order to take the next step in their careers. But where to start?
After conducting interviews with more than 100 CISOs and recruiters, we’ve developed a blueprint for security professionals to follow as they embark on the path to becoming a CISO. This article is based on the webinar “The Path to Becoming a CISO: 5 Things to Consider, 5 Things to Avoid,” led by CISO talent from Kudelski Security.
Modern CISO Roles and Responsibilities
Now that cybersecurity has the attention of executives and boards of directors, CISOs have assumed new responsibilities outside of managing the business’ security program.
The CISO must be able to connect the cybersecurity strategy to business drivers, and they must be able to communicate the strategy in a way that resonates with both the C-suite and technical audiences. They must also serve as security evangelists, collaborating with other organizational leaders to build a security agenda that is shared by all departments, not just IT.
In addition to increased executive visibility, “scope creep” is on the rise, expanding the CISO’s role to include, for example, privacy, fraud, physical security, risk, and compliance. Hiring the right CISO “lieutenants” to oversee management of these new security domains, as well as the more traditional ones, is a critical responsibility for modern CISOs.
CISO Job Requirements and Skills
Expanded CISO responsibilities have shifted the requirements and skills required of a CISO from technically focused to more of an even split of technical and business skills. Security leaders in our survey ranked business acumen and soft skills (e.g., empathy and communication) first and second, respectively, as the most important skills for today’s CISOs to possess.
Recruiters in our surveys noted that successful CISO candidates are often process-oriented. They understand metrics, and they have experience holding people accountable and seeing projects through to completion. Often, those candidates have a background in security operations, IT risk and compliance management, security consulting, network management, or IT engineering and infrastructure.
Your Blueprint to Becoming a CISO
If the role of the CISO as described above aligns with your career objectives, it’s time to start charting a course. As we spoke with security leaders, we identified the following five steps that each had in common on their path to becoming a CISO; more details can be found in the 8-page report Building the Future of Security Leadership.
Step 1: Diversify your skillset beyond technical and operational skills
The modern CISO skillset should be split 50/50 between technical and business skills. This helps not only to maintain credibility within the security organization but also to build trust with other departments in the organization, including the C-suite and board of directors. Presentation skills are a must: good CISOs should be able to present complex topics to both senior and operational audiences.
Top technical skills to acquire:
- Understanding of technology
- Technical security
- Governance, risk, and compliance
- Security operations
Top business skills to acquire:
- Leadership development
- Relationship management
- Presentation skills
Degrees and certifications can also be helpful for CISOs to have in their toolkit. It’s a good rule of thumb to obtain at least one of the following certifications to be considered for the role:
- CISSP – Certified Information Systems Security Professional from (ISC)2
- CISA – Certified Information Systems Auditor certification from ISACA
- CISM – Certified Information Security Manager
- ICT Security Expert (Swiss Federal Diploma, for those working in Switzerland)
Step 2: Find a leadership mentor to guide your development
Finding a mentor is a wonderful way to develop skills and receive guidance on your path to becoming a CISO. A good place to start is within your own organization. Are there security leaders you admire or would like to emulate?
You can also look externally to security leaders at other organizations or to professional coaches who specialize in the area you wish to develop further, e.g., relationship management, leadership, or presenting.
Whichever path you choose, take the initiative in developing the mentorship: reach out, come prepared with questions, and don’t wait for the mentor to engage.
Step 3: Look out for new opportunities to build experience
Experience is often valued more than technical skill when evaluating C-level candidates, and it’s important to look for opportunities that give you exposure and visibility to the business, where you can learn how to connect security to business drivers and navigate the political environment.
That’s not to say you should ignore technical experience altogether. Instead, shift from gaining deep technical experience to becoming more of a technology generalist who has knowledge across security domains.
Step 4: Increase involvement in the cybersecurity industry
There are many avenues for participating in the cybersecurity industry, but all share a common goal: building your network and presence, both inside your organization and within the industry at large.
Top channels for building your industry network:
- Participate in research projects
- Be active in social media discussions about cybersecurity
- Participate in local security groups
- Seek out opportunities to speak at industry events
- Contribute articles or interviews in the press
Step 5: Apply and get hired or promoted to CISO
With Steps 1-4 in hand, it’s time to seek out open opportunities. According to Jason Hicks, Kudelski Security’s Global CISO, your first CISO job likely won’t be at a large enterprise unless you’re promoted from within, so it’s a good strategy to focus your search on openings at small and medium-sized enterprises.
Once you have identified the right opportunities, the security recruiters we interviewed recommend that you:
- Do your homework on the organization
- Understand and speak to the organization’s challenges
- Discuss security at a strategic level, rather than at a technical or operational level
And don’t forget to dress for success! It’s important for CISO hopefuls to have an executive presence that instills confidence at all levels of the organization.
So there you have it, a blueprint for how to become a CISO. This is just a small sampling of the advice and recommendations we compiled as part of our recent report Cyber Business Executive Research: Building the Future of Security Leadership. To read the full report, visit: https://resources.kudelskisecurity.com/cisos-and-security-leaders
The role of the CISO is changing. What makes a good security leader depends on a number of ever-changing factors. Jason Hicks, Global CISO at Kudelski Security, recently joined the UberKnowledge podcast to talk about the future of security leadership. He covers the challenges of managing a security team, communication skills for technical leaders, coping with scope creep, and the rise of the branded CISO.
- 01:40 — It is critical to the success of a security program for the CISO to speak business.
- 04:14 — “You have to be one to lead one” still holds true.
- 06:41 — The rise of the branded CISO.
- 11:24 — The CISO tenure remains short and there are several reasons why.
- 14:29 — Coping with scope creep.
- 17:11 — Top three issues for CISOs right now.
The first year as a new CISO can be exhilarating and at times downright frightening. You have a lot to prove and minds to win over, but you also have the opportunity to start fresh and make a big impact.
Early on, the emphasis is on learning the lay of the land of your new organization, assessing the company’s security maturity level, developing a business-focused security strategy and building up the relationships and political capital needed to make it a reality. But what happens once your first month, or even your first quarter, is under your belt? You have a solid strategy in place and you’ve survived your first board meeting … what’s next?
How Will You Put Your Plans into Action?
Security doesn’t happen in a vacuum. Even when you have sign-off and budget for your initiatives, executing consistently requires considerable political sway.
In other words, it’s time to cash in on the political capital you’ve been building from Day 1.
One of the biggest mistakes you can make as a new CISO is not maintaining strong lines of communication with key stakeholders, business leaders and risk owners. And we’re not just talking about IT leaders; senior executives in finance, personnel and operations all have a significant stake in the success of your security initiatives.
The level of friction you experience will be dependent on the political environment of your organization. Most organizations have a low appetite for change (even if they claim otherwise) and your best chance of overcoming the difficulties this can cause is to build and maintain strong relationships with key business stakeholders.
Be Seen as a Business Enabler
One of the most important tasks for any CISO, new or experienced, is the need for security to be seen as something more than a cost center. If your program is seen as not related to business objectives, it will be extremely difficult to get traction for your initiatives.
But what does it mean to be a business enabler? At a basic level, you can tie security to business objectives by asking questions such as:
- How much is our reputation worth?
- What impact would a breach have on our ability to do business?
However, these questions, while undoubtedly important to answer, are rooted in negativity. Seen in this light, security is still something that holds the organization back from doing valuable things.
To really be seen as an enabler, you need to go a stage further. For example:
- Could we enter new markets if we were confident in the security of our data and assets?
- Could we be early adopters of blockchain/IoT/something else if our house was thoroughly in order?
- Would it be easier to win government contracts if we could be sure of meeting regulatory requirements?
Managing stakeholder perceptions of a security program is exclusively the domain of the CISO. If you want your program to be seen in a positive light, you’ll need to do two things:
- Invest your energy in building the relationships and communication channels needed to engage with key business stakeholders.
- Actively look for ways to tie your initiatives to important business objectives.
Demonstrating Business Value
As you settle into your role as a CISO, one of the most important functions of program measurement is using metrics to tell a story—specifically, the story of where the organization is in the security journey.
- Have your initiatives led to a reduction in wasted time for IT staff because they aren’t constantly having to rebuild PCs that have been infected with malware?
- Is the uptime of vital IT systems higher as a result of improved security controls?
- Have phishing awareness tests reduced malware outbreaks and reduced incident management needs?
Identifying and communicating the business benefits of a security program is often difficult, but it can make a substantial difference in the way security is seen by the business.
When it comes to communicating with the board, make sure you’re staying on top of the “latest and greatest” threats—particularly those that have featured heavily in the media. Demonstrating that you’re proactively preparing for new threat vectors is an excellent way to win board trust in your security program.
Handling Changes to the Business Landscape
Changes to the business environment—mergers and acquisitions in particular—can have an important impact on your security strategy and program.
Depending on the scale of change, you may need to conduct a new assessment and develop an entirely new security strategy. This is particularly likely if your organization moves into a new industry that’s heavily regulated. Buying a government defense contractor, for example, is a surefire way to turn a security program on its head.
Fortunately, security also has a valuable part to play in major business change projects. If your organization is considering adopting new technology or buying a company, having a seat at the executive table as a CISO gives you the opportunity to add significant value.
- How much will it cost to securely adopt a new operational technology (OT) solution?
- What is the state of security at a company you’re acquiring? How much will it cost to reach an acceptable level of security? Can that amount be negotiated off the purchase price?
Of course, getting a seat at the table for major change initiatives is far from guaranteed. As usual, you’ll need to campaign for the access you need to add this type of value and continue building on the relationships and political capital you’ve been accumulating since Day 1.
Non-Negotiables of an Effective CISO
Fundamentally, being an effective CISO boils down to two things:
- Building and maintaining relationships with key business stakeholders.
- Being able to evidence the business value of your security program.
If you can do these two things consistently throughout your first year, you’ll pave the way for a strong, business-focused security program.
This article was originally featured in Security Boulevard.
Good security programs start with a mindset that it’s not about the tools, it’s what you do with them. Here’s how to get out of a reactive fire-drill mode with vulnerability management.
The basis of a good security program starts with a mindset that it’s not about the tools, it’s what you do with them. This mindset is most evident when critical vulnerabilities are released and everyone scrambles to mitigate exploitation.
Most recently, we saw this following the release of the latest critical Windows vulnerability (CVE-2020-0610 and others), which some folks have nicknamed CurveBall. The vulnerability affects Windows CryptoAPI and how Windows handles elliptic curve cryptography (ECC) as part of this service. Microsoft also patched two Remote Code Execution (RCE) bugs that are equally important.
It’s critical that companies get out of a reactive fire-drill mode and work toward cyber resiliency. Here are five recommendations for getting there.
Develop a VTM Strategy
One of the most important business strategies for a security program should be around vulnerability threat management (VTM). VTM strategies should include effective, timely, and collaborative reporting of actionable metrics. Avoid simplistic measures such as the raw number of vulnerabilities on Windows systems and focus on meaningful ones such as remediation rates of exploitable vulnerabilities on critical systems.
It’s important to keep in mind that VTM is a culture and an operational mindset. An effective VTM program should be implemented in concert with the larger security operations organization to mitigate threats and reduce threat actors’ overall attack landscape. It goes beyond scanning for vulnerabilities and telling IT ops to “not suck at patching.”
I recommend splitting your VTM strategy into two phases: detection and response. Detection aims to ensure effective, risk-based reporting and prioritized vulnerability mitigation by gathering all your data, validating the results, and applying a business risk rating. Automation can make this process easier. Further, using the Observe-Orient-Decide-Act (OODA) loop continually reduces the time it takes to locate the systems that need corrective action and to inform the IT ops and development teams responsible for them.
Response is where the rubber meets the road and where many of us hand the work to other teams in the business to apply patches or harden systems. To that end, ensure the correct solution (mitigation or corrective action) is recommended by the VTM team and that the agreed-upon solution has been tested and won’t break production.
In deploying the solution, it’s critical that IT ops and development get prioritized patching and that we provide as few false positives as possible. Trust is earned through transparency and repetition, but it can be destroyed through bad data in an instant.
Know Your Inventory
Knowing where your assets are and who owns them is the basis of an effective and efficient VTM program. Inventory management is a common struggle, partly because VTM teams use a combination of sources to identify where assets live. There are widely available tools to automate and integrate inventory systems so you can avoid time-consuming inventory pulls or maintaining manual spreadsheets. I also recommend partnering with the leaders across your business lines so that new systems are captured in the inventory as they are spun up and the VTM program stays effective.
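The two points above, meaningful metrics rather than raw counts and knowing where assets live and who owns them, are easier to see in a small worked example. The Python below is added here for illustration and is not code from the article or from Kudelski Security; the asset inventory, owner names and CVE-style identifiers are constructed placeholders, and the "critical" and "exploitable" flags stand in for whatever business-risk rating and exploit intelligence a real program would use.

```python
"""
Added example (not from the original article): a minimal, risk-based VTM
reporting pass. It joins a constructed asset inventory (hostname, owner,
criticality) with constructed scanner findings, then contrasts the
"simple" metric the article warns against (a raw count of open findings)
with the "meaningful" one it recommends (remediation rate of exploitable
findings on critical systems), and groups open work by system owner so
the right team can be told where to act. Every hostname, owner and
CVE-style identifier below is made up.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory. In practice this comes from a CMDB or
# cloud provider APIs, not a hand-typed dict.
ASSETS = {
    "db-prod-01":  {"owner": "dba-team",     "critical": True},
    "web-prod-01": {"owner": "platform-ops", "critical": True},
    "jump-01":     {"owner": "platform-ops", "critical": True},
    "dev-ws-17":   {"owner": "desktop-eng",  "critical": False},
    "lab-vm-03":   {"owner": "desktop-eng",  "critical": False},
}

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str            # placeholder identifiers, not real CVEs
    exploitable: bool   # public exploit or active exploitation known
    remediated: bool

# Constructed scanner output; "unknown-99" has no inventory record on purpose.
FINDINGS = [
    Finding("db-prod-01",  "CVE-0000-0001", exploitable=True,  remediated=True),
    Finding("db-prod-01",  "CVE-0000-0002", exploitable=False, remediated=False),
    Finding("web-prod-01", "CVE-0000-0001", exploitable=True,  remediated=False),
    Finding("web-prod-01", "CVE-0000-0003", exploitable=True,  remediated=True),
    Finding("jump-01",     "CVE-0000-0004", exploitable=True,  remediated=False),
    Finding("dev-ws-17",   "CVE-0000-0001", exploitable=True,  remediated=False),
    Finding("dev-ws-17",   "CVE-0000-0005", exploitable=False, remediated=False),
    Finding("lab-vm-03",   "CVE-0000-0005", exploitable=False, remediated=False),
    Finding("unknown-99",  "CVE-0000-0006", exploitable=True,  remediated=False),
]

def open_count(findings):
    """The 'simple' metric: open findings, regardless of risk or asset."""
    return sum(1 for f in findings if not f.remediated)

def unowned_hosts(findings, assets):
    """Hosts with findings but no inventory record. This is the gap the
    'know your inventory' point is about: nobody can be asked to fix these."""
    return sorted({f.host for f in findings if f.host not in assets})

def remediation_rate(findings, assets):
    """The 'meaningful' metric: fraction of exploitable findings on critical
    systems that are remediated. Returns None when the population is empty."""
    in_scope = [f for f in findings
                if f.exploitable and assets.get(f.host, {}).get("critical")]
    if not in_scope:
        return None
    return sum(1 for f in in_scope if f.remediated) / len(in_scope)

def work_by_owner(findings, assets):
    """Open findings grouped by owning team, riskiest first, so the VTM team
    can tell each owner exactly what to fix and in what order."""
    def risk_rank(f):
        # 0 = exploitable on a critical system ... 3 = neither
        return (not f.exploitable) * 1 + (not assets[f.host]["critical"]) * 2
    grouped = defaultdict(list)
    for f in findings:
        if f.remediated or f.host not in assets:
            continue
        grouped[assets[f.host]["owner"]].append(f)
    return {owner: sorted(items, key=risk_rank)
            for owner, items in sorted(grouped.items())}

if __name__ == "__main__":
    print("open findings (raw count):", open_count(FINDINGS))
    print("hosts missing from inventory:", unowned_hosts(FINDINGS, ASSETS))
    rate = remediation_rate(FINDINGS, ASSETS)
    print(f"remediation rate, exploitable on critical: {rate:.0%}")
    for owner, items in work_by_owner(FINDINGS, ASSETS).items():
        print(owner)
        for f in items:
            print(f"  {f.host:12} {f.cve}  exploitable={f.exploitable}")
```

On the constructed data the raw count says seven findings are open, while the meaningful metric says half of the exploitable findings on critical systems are still unremediated and one host is not in the inventory at all; the second pair of numbers is the one an IT ops leader can act on.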
Implement, Then Continually Improve
Don’t wait for the sky to fall to realize that you needed to practice. Just like any other part of an effective security organization, your VTM program should constantly improve. I’ve been a big fan of OODA loops for years.
They are highly effective when leveraged to continually improve an operational program where every initial Observation exits the loop with an Action to adjust the next Observation. If you’ve seen the same thing twice, you’re failing. Leverage cyclical processes to continually improve VTM operations and continually measure your own effectiveness.
Step Up Your Vendor Management
While we cannot simply run vulnerability scans or penetration tests against our vendors, we can put contractual obligations in place with vendors that have access to our sensitive data to secure it appropriately.
Rights to audit are key in any contract. I see many large financial institutions conducting audits on client programs. It’s a great way to validate how effective a program is, but keep in mind that it’s also very expensive to operationalize.
Finally, don’t be shy in working with your vendors. Build relationships with their security and IT organizations so that when a critical vulnerability is released, you know whom to call, and it’s also not the first time you have spoken.
Build a Professional Network
When I first entered the security field several decades ago, collaboration between security organizations in different companies was taboo. Today, it’s required. This sounds simple but is key: As a CISO or security leader, you must have an external network of peers to collaborate with. We must put egos aside and ask each other simple questions around the common problems we all face.
The release of new security vulnerabilities is only going to continue in the coming weeks and months. The most successful (and secure) companies will be able to look outside their network for actionable information and develop internal strategies to stay ahead of increasing threats.
This article was originally published in Dark Reading.
Microsoft Chief Security Advisor and former Coca-Cola Company CISO, Jim Eckart, spoke at Kudelski Security’s Sales Kick Off in January. Below is a summary of his presentation.
Every new year brings a glut of articles on industry predictions and with it, inevitable questions from the board about how the CISO will address (all 42 of) them. The real challenge in building a credible program is less about correlating program to trend but more about a fine balancing act. The CISO must referee between the IT department that drives procurement, technologists who want to buy the latest best-of-breed and their own perennial mission to get basic sound security practices in place. Against a backdrop of a more complex, fragmented technology landscape, below are some core challenges and observations about the security trends that will stay the course.
The Rise of AI and Machine Learning
If harnessed intelligently, the power of AI and machine learning will drive significant value for the CISO, helping to remove complexity and risk and to build resilience. Regulatory compliance will become easier to prove and achieve because the identification of risky behavior will be automated. CISOs will have more accurate and universal visibility of incidents; the exponential rise in threats will continue apace, and it will be machines that help separate signal from noise and trigger incident response and remediation actions. The talent shortage is a reality, yes, but AI and machine learning will help mitigate its impact.
Best-of-Breed vs Technology Integration
Best-of-breed security infrastructure is complex and growing exponentially. With the growing array of technology, security staff often end up working to support platforms rather than doing security. This is not sustainable for obvious reasons (talent gap, notably) and will drive demand for integrated platforms that facilitate technology consolidation.
Innovation and the Cloud
DevOps and agile are enabling developers to wander off the ranch. With speed to market being the common mantra, developers can end up provisioning infrastructure incorrectly. This has driven the types of policy-based capabilities that you find in cloud offerings like AWS and Azure, enabling developers to get it right the first time and stay within policy. The benefit gap between cloud and on-premises will widen. With the cloud, CISOs will more easily be able to remediate incidents: everything from updates and patches to endpoints and servers can be pushed or spun up quickly, on tap.
From Cybersecurity to Cyber Resilience
In a nutshell, 2020 is all about moving from a narrative of cybersecurity to one of cyber resilience. CISOs will look to remove complexity and get back to basics. And behind it all, we can expect to see Cloud, AI, and machine learning occupying center stage.
The single most important thing you can do is to start building the relationships and political capital you’ll need to run your security program. Here’s how.
In any new job, it’s important to assess the lay of the land. But when you start a new CISO role — whether it’s your first or fifth — there’s more to it than getting to know new co-workers. You need to appraise the political landscape of the organization.
Why did this organization need a new CISO? Did the last person simply move on, or was there an incident? Often, CISOs are asked to move on in the event of a serious breach. In these cases, whoever is next in line typically has a lot more license to make changes than they would in an organization that had not recently been breached.
Alternatively, were you promoted from within? If so, you should already understand how things work, but you’ll need to quickly acquaint yourself with the political realities of being a security leader.
Once you understand your starting point, there are four key questions you’ll need to answer during your first 30 days on the job:
Question 1: How does the organization view the CISO role? Are you part of the executive team, or is it a less senior, more operational role? The amount of “power” associated with your position will have a big impact on your ability to make changes.
Question 2: Who does the role answer to? Is your boss the CEO, or an executive who answers to the CEO? If so, you’ll have a lot more political sway than if you’re reporting to somebody lower down the food chain.
Question 3: What is the organization’s tolerance for risk? Find this out by speaking with your boss and/or the CEO, members of the board, and even your predecessor, if possible. Have there been any recent security or privacy incidents, or negative media attention? Are any regulatory bodies involved? Understanding the organization’s risk tolerance — both culturally and what’s needed to satisfy compliance — will help you determine the foundation of your security program’s risk management and investment strategy.
Question 4: What is the organization’s appetite for change? This will determine how ambitious you can be with your plans to improve the security program. Keep in mind that most organizations don’t have much appetite for change, even if it’s fashionable to claim “innovation” and “reactiveness” are part of the organization’s DNA. Ironically, a quirk of the CISO role is that life is often easier if your organization has recently been breached, especially if it was publicized in the media. Why? Because the appetite for change in an organization that has suffered a breach is typically much higher than in an organization that hasn’t.
Assessing the Current State of Security
Before you can think about improvements, you will need to assess the maturity of your security program. This should be done with a recognized industry framework in mind, for two reasons:
- Linking to a framework people know gives your assessment credibility; and,
- Even if done only at a high level, linking to a framework helps to compare your maturity with other comparable organizations and/or industries.
The framework you choose will depend on your industry and geography. Since many frameworks are “control” focused, your maturity assessment may need to extend beyond the bounds of those controls and include more strategic elements, such as how well you align to the business or your ability to get funding and resources allocated across the organization to improve the controls outlined in the chosen framework.
Ideally, you should have your program assessed by an external organization. Having an external assessor makes life much easier politically when issues are raised, versus “the newbie” pointing out problems. If an external assessment isn’t possible, whether for lack of resources or because the company is predisposed against them, you’ll need to arrange for an assessment to be completed internally.
If an assessment was completed before you were hired, you will need to consider:
- What was the purpose of the assessment?
- Was it internal or external?
- Can you rate the quality of the assessors?
- Was it comprehensive and in line with an industry framework?
- Is there any discernible bias to the results?
Whatever happens, you’ll also want to conduct your own private assessment. So long as the formal assessment matches approximately with your own, you should be in a good position to move forward.
Building Relationships and Political Capital
The single most important thing you can do as a new CISO is start building the relationships and political capital you’ll need to run your security program. This is going to require a lot of your time — particularly if this is your first CISO role — and the first month is critical.
Speak with key players in the business — members of the executive team, in particular — to understand how security is perceived and what you can do to ensure your program is seen to enable the business instead of holding it back. The CISO who is perceived as a business enabler will instill confidence in his or her leadership and program within the organization.
Your ability to make these connections will depend on your standing. If you are a C-level executive (or your boss is) it will be much easier to arrange the meetings you need to introduce yourself and start building key relationships. Lower down in the hierarchy, you may need to look for other ways to make contact — for example, by setting up a risk committee that includes senior members of each department.
This article was originally featured in Dark Reading.