There are many skilled and intelligent people who aspire to become a Chief Information Security Officer (CISO). I have some career advice for them: Don’t aspire to be a CISO. Instead, seek to be the best professional at each step in your career.
Those of us who do become CISOs do so because we have a solid 10+ years leading Information Security programs. We have strong and proven legal, compliance, risk management, project management, strategic thinking, and technical expertise, along with business knowledge and the ability to see the corporate “big picture” in all of our decisions. You do not obtain that knowledge and expertise from taking a class or having a certification, even though those can assist you in better understanding the CISO role. (I have NEVER hired anyone in my career solely because they had a degree or a certification.)
What’s more, it takes a lot of personal hours beyond the normal work day to be a successful CISO. You can expect to put in consistent 55-60 hour work weeks, and depending on the company you work for, there could be extensive travel involved, too.
There are other personal considerations as well:
- If you are not a “big picture” thinker, then this is not the position for you.
- If you do not accept the fact that you may be the first person fired if there is a data breach, then this is not the position for you.
- If you want to be with one company forever, then this is not the position for you.
It wasn’t so long ago that the CISO role was primarily technical, with a focus on tasks such as fixing firewalls and patching vulnerabilities. In recent years, however, the CISO role has evolved significantly to a more business-oriented focus, especially in large organizations and heavily regulated industries. Today’s security chiefs are charged with juggling the day-to-day operations of their security team, and with meeting board expectations while also staying abreast of an ever-evolving threat landscape and a daunting regulatory environment.
One might argue that today’s CISOs have a Sisyphean task in that they are responsible for something they can never provide 100 percent assurance on, that being “securing the enterprise.” All it takes is one missed vulnerability, one careless or malicious insider, or one accidental “insecure” process. The average job can last 18 months or less because a CISO can be dismissed for any number of things, from a breach or a missed vulnerability to failing to align security operations with the board’s business goals. In short, CISOs have an incredibly difficult job.
A CISO needs to have a conscientious combination of hard and soft skills, such as:
Hard Skills
- Extensive knowledge about regulatory compliance rules and security frameworks and guidelines, including HIPAA, SOX, PCI, GDPR, NIST CSF and others
- Extensive knowledge about third-party auditing methodologies
- Strong knowledge in enterprise and security architecture, authentication, VPN, DNS, routing, etc.
- Programming languages such as .Net, Java, JSON, C, C++, C# and PHP and secure coding practices are an asset
- Extensive knowledge of firewalls and intrusion detection and prevention
- Strong knowledge of databases, APIs, web applications
- Strong knowledge and understanding of the Internet 4.0
Soft Skills
- Excellent communication skills
- Organization
- Interpersonal skills
- Negotiation
- Collaboration
- Leadership
- Strategic planning
- Public Speaking
The key to getting projects successfully completed on time and on budget is PARTNERSHIP. You have to be able to quickly sync with the C-Suite and other top leaders in the company. Personally, I’ve done all the “geeky” things, so naturally, I want to fix things. However, executives have strong business and strategic backgrounds; they’re committed to excellence. You have to speak their language.
One of the key pillars to successful partnership within an organization and leadership for those in your charge is communication. Here’s how I see that all-important business-critical function.
My communication framework:
- Communicate regularly, and in person when possible
- Be respectful of each position and its responsibilities
- Be ingrained in the business
- Avoid spreading fear without solutions
- Be immersed with the new technology
- Know the ever-changing threat landscape
- Learn to accept and embrace manageable risk
- Learn to protect data while enabling the business to run
- Know your scope, and your boundaries
- Be clear on the priorities
My recommendation is to do what you love and, if you are in an enterprise setting, to work for a company that appreciates you and will let you grow your talents. Talents develop naturally when they are nurtured. Living by core values and supporting the things that are important to us lets us exercise our aptitudes more effectively. When we are true to ourselves, we discover more than we expect. Don’t settle for not being the best you can be. I don’t.
Named 2017 Cybersecurity Professional of the Year – Cybersecurity Excellence Awards, SC Magazine Chief Privacy Officer 2017 Award, and Global Privacy & Security by Design (GPSbyDesign) – International Council Member – Dr. Rebecca Wynn is a “big picture” thinker who brings nearly 20 years of experience in Information Security, Assurance & Technology. Recently she led the information security, privacy, and compliance pre-acquisition, acquisition, and post-acquisition of LearnVest, Inc. to Northwestern Mutual Life Insurance Company – a Fortune 100 company. She is well known for being a gifted polymath, having deep understanding of current cyber security challenges and privacy issues. Now with Matrix Medical Network as the Head of Information Security, she works with the talented and passionate team to take the company to the next level of excellence.