One question I am frequently asked is, “How do you help aspiring CISOs on their journey?”

My first bit of advice to aspiring CISOs is know your why. You have to know why you’re in this. When things get tough, you’re not always going to get your way. You’re going to have to compromise a lot. There are going to be difficult days, and you’ve got to be able to get through that.

I recommend interviewing a few CISOs to really understand what the job entails. Shadow a CISO for a day or two to make sure this is something you want to do.

The CISO’s job is to be a risk manager for the organization. We’re on the front lines every day looking at cyber risks, evaluating information, and advising the organization on how to protect itself. When compliance issues are at stake, we need to make sure that we’re meeting the requirements.

It requires a broad skill set. 

Communication is a key tool that an aspiring CISO needs to develop. You have to be able to sell your strategies and plans so you can get the right funding. You need to be able to tell an effective story so people understand the risk. Learning how to quantify risk and articulate it appropriately to others is crucial.

You’ll also want to learn how to network appropriately because you’re going to need to forge relationships to help the organization advance its cyber strategy.

CISOs are no longer just technologists. We are also business leaders. It’s important to have really good business acumen. We need to speak the language of the business, and specifically, the financial language. That requires understanding how the finances work.

Educate yourself. Take some business classes. Get the technical skills you don’t have. Learn how to write policy.

It’s also important to have varied experiences. Take roles that are going to help you understand the different security disciplines. Get experience in governance, architecture and engineering, security operations and cyber defense. You need to have a broad brush to be an effective CISO.

CISOs are a giving community, so I urge aspiring CISOs to take advantage of that. Find a mentor who will support you in your journey and help you understand where your blind spots are and where you need to improve.

It’s also important to develop a community of colleagues who can serve as sounding boards. These would be people you can call up to discuss issues you’re having and see how they might handle them.

Sometimes we’ve got to make tough calls, so decision making is extremely important. Making the tough call is really about being a leader, so once you make a decision, stick by it.

And finally, you need to build with purpose. Build a diverse team with diverse thoughts, because you don’t want everybody to think like you. At the same time, you want a team that’s going to stand by you when a decision is made.

There’s no doubt. It’s a demanding, high-pressure job. But it’s also rewarding. I love the work because I love helping people. I love the work because there’s a direct impact.

We can see the impact that we’re making on an organization every day through the work that we do. That’s a gratifying thing.