So, you want to accelerate your career and land that top cyber leadership role, the question is, how exactly do you get in? In our professional roles and experience training hundreds of cybersecurity professionals, we have perfected the end-to-end process of preparing for (and being successful in) interviews for the top position. From how to create a winning resume to the importance of preparation, you'll learn the five secrets to landing the top CISO role.
1. FOCUS ON DIFFERENTIATING SKILLSETS
Traditionally, most CISOs rose through the ranks from technical roles: network managers, software development, S.O.C. managers, penetration testers or I.T. engineers. But as many CISOs can attest, today's leading CISOs need much more than technical expertise to thrive.
October 2020 PwC's Global Digital Trust Insights Survey revealed that 40% of executives prefer a chief information security officer who can successfully lead complex transformation. ISACA's 2022 State of Cybersecurity Survey also highlights the increasing demand for CISOs with robust soft skills. The survey shows that 57% of respondents value communication (listening and speaking) as the top soft skill security professionals need.
To stand out in a crowded marketplace, you need to posit yourself as a business-savvy CISO. This means a cyber leader with a holistic understanding of the business value chain, deep insight into the business's major revenue lines, big picture perspective about cyber risk and its implications on business growth, mergers & acquisitions, regulatory compliance, and personal liability to corporate directors.
Equally important is the cyber leader's proven record of embedding cyber resilience into digital transformation, reducing cyber risk while helping the business tap into innovation's benefits.
A prominent CISO I am familiar with deployed this differentiating strategy with great success. When his organization embarked on a complex, multi-vendor cloud transformation program years ago, he refused to play it safe. The aspiring CISO put his hand up to lead the cyber risk stream of this high-visibility program. This move was a significant bet on his career. At that time, cloud security best practises were emerging; there wasn't much precedence for large enterprises migrating their digital workhorses into the public cloud. Regulations were non-existent to fuzzy at best.
The emerging CISO felt like he was paving the way alone. Through this high-risk move, the aspiring CISO had unconstrained access to senior executives, global I.T. vendors' expertise and a well-regarded financial services regulator. By stepping up and taking on a complex role most colleagues feared, he landed his first-ever CISO / Head of Cyber Security role at a prominent company only two years later, much sooner than he ever anticipated.
In sum, don't sit and wait for the right opportunity to show up. Venture out of your comfort zone and intensely pursue differentiating skillsets. If asked to sit on key cross-business risk committees or mission-critical projects, don't hesitate to roll up your sleeves.
2. GET YOUR HANDS DIRTY
A growing number of CISOs are hired for the top role to salvage serious problems: clean up messes following damaging data breaches, restore dented customer trust, respond to pressure from major shareholders or the board to ramp up cyber resilience capabilities, replace a fired CISO, or address serious regulatory undertakings.
Cyber leaders with practical experience containing and cleaning up complex cyber intrusions and responding to crises calmly and who have demonstrated personal resilience are highly sought-after. You gain great experience from setbacks and doing hard things, not merely success or the passage of time. As the good old saying goes, 'always sail with mariners who have been shipwrecked, for they know where the reefs are'.
To improve your chances of differentiation, you need to muster the guts to lead cyber crisis response exercises, facilitate tabletop exercises with difficult stakeholders, and build robust assurance practices, such as red teaming and threat hunting. When the right opportunity shows up, you will be ready.
3. BE HIGHLY INTENTIONAL ABOUT PERSONAL BRANDING
One of the biggest mistakes many make during the early phases of a career is to resist the idea of personal branding. But personal branding isn't self-anointed influencers lacking real depth, and it isn't synonymous with your reputation. It is entirely different and extremely powerful. It's how you want others to see you.
A recent article in the Harvard Business Review provides an example of a high-performing well-respected employee with an M.B.A. called Mike. When seeking a promotion, Mike was turned down because, according to his manager, nobody knew him. While he was known for being a good worker (his reputation), no one actually knew the values he stood for. Your personal brand is about visibility; it's the values that you outwardly represent.
A strong thought leadership record — publishing compelling opinions in peer-reviewed magazines, speaking at conferences and being featured on popular webcasts — is the most definitive weapon to weed off the competition.
In most life domains, authority matters, and cyber leadership is no exception. Recruiters, employers, and clients now place a huge premium on strong thought leadership records. The years of landing an executive cyber role solely on years of experience and a chronological description of your employment history have passed. Personal branding requires that you show up intensely and consistently. Powerful and persuasive writing takes time, but with deliberate action, persistence, and patience, it's certainly achievable. The idea is to focus on skills that set you apart from the crowd.
If you rock up for an interview for the CISO role with several pieces of high-quality publications, a newspaper article that quoted you, or even better, a cybersecurity book, you are likely to blow competitors out of the water.
As Caroline Castrillon said in a recent Forbes article, "You never get a second chance to make a first impression—make it one that will set you apart, build trust and reflect who you are."
Additionally, a strong track record of thought leadership will also boost your confidence during the interview and demonstrate an in-depth understanding of specific domains, allowing you to feel well-informed about what is being discussed.
According to research conducted on Fortune 500 companies, first-time CISOs promoted from within are rare. Organizations often reach out externally to fill this senior role. Some of these roles are not even publicly advertised. An effective thought leadership record will boost your visibility outside of your corporate circles. Great candidates are often overlooked because they light their lamps, only to place them under a bushel.
4. MAKE YOUR RESUME STAND OUT.
Michael Porter once said 'Competitive strategy is about being different. It means deliberately choosing a different set of activities to deliver a unique mix of value'. In line with Porter's enduring wisdom, your resume has to stand out among hundreds of competitors and be convincing enough to land you the first interview. Your resume is your potential hirer's first impression of you. That's why we've developed the step-by-step guide, How To Create A Killer Resume.
1. Ditch the one-size-fits-all chronological resume that tediously narrates your journey from high school to the present. It's all about context. Carefully study the job specification and problems the company is facing, then craft a resume that highlights your specific strengths that align with their needs. For example, if the CISO role results from a regulatory undertaking, highlight your experience in implementing cross-business cyber governance committees. If the company frequently engages in mergers and acquisitions, talk about your expertise in simplifying redundant and complex security architectures, as well as combining disparate cultures.
2. De-emphasize technical skills because they are a given. Instead, highlight your experience building high-performing teams, influencing decision-makers, communicating with impact, delivering complex change, leading through crisis, etc. Strong strategy, leadership and influencing skills are the hallmarks of the leading CISO.
3. Scrap the traditional objective/personal goals statement and write a gripping summary of your career achievements. Clarify straightaway why you are the best candidate for the job. Remember, the most comfortable thing for someone reviewing your resume is to stop reading and trash it. So, you must write every sentence with impact, leaving the reviewer itching to move to the next sentence.
4. Remember, less is more. Prune each sentence and paragraph to its cleanest form. Even more important, back your resume with a concise cover letter. As Mary Elizabeth Bradford wrote for Forbes, "Be sure to get right to the point (with the cover letter). Share your focus of direction, respectfully call out a few examples of success, then invite them to learn more by looking at your resume."
5. The truth is, when hirers hear of a prospective candidate's name, they will likely jump onto your LinkedIn profile. Your LinkedIn profile represents your professional brand, so make it stand out. First, write an eye-catching headline, the proverbial elevator pitch. Second, complement the captivating profile with a high-resolution professional portrait. Simply cropping your wedding photo comes across as sluggish. Third, stick to facts and make sure your LinkedIn and resume are entirely in sync. I have seen exaggerated achievements come back to bite their masters at incredible speeds. Finally, and maybe most importantly, don't get entrapped by the habit of spewing negativity on LinkedIn.
Using these simple techniques can help set you apart from the crowd and land you that interview.
5. ONCE YOU LAND A CISO INTERVIEW, PLEASE DON'T MESS UP.
Remember that you will be going head-to-head with dozens of other highly decorated and experienced professionals. If you show up unprepared, your chances are very slim. You need to thoroughly research the company and arm yourself with a First 100 Days plan.
Preparing For An Interview
Executive interviews are stressful events. Like an unregulated sport, the rules keep changing as recruiters evolve their interview methods. Knowing how to respond to whatever you're asked can help you project competence, sell yourself effectively and develop an easy rapport. But crafting ideal answers to specific executive interview questions is, quite frankly, a challenging game. Focus too broadly, and you could be unprepared and focused too narrowly, and you get caught off guard when the interviewer throws a curveball with a question you just didn't even consider.
Prepare A 100 Day Plan
Prepare a 100 Day Plan in PowerPoint, no more than two pages. It not only helps you think about what you do in the early stages of the job that you're applying for, but it also gives you an important tool or artifact to leave behind with the interviewer that they can read over later.
Consider Who You Are
Of course, you need to prepare. But to maximize your chance of impressing employers, you need to reflect on the broader themes of who you are as a leader, not just your cybersecurity skills. And rather than rote learning specific answers to commonly excess questions, you need to probably think about the core principles and values you hold dear. And that might help you direct a more authentic you in those interviews.
Be Authentic In Your Interview
The most important thing to remember is to be yourself. Authenticity resonates deeply. Equally important, remember to be curious and listen. Don't answer more than the question being asked, and be as direct as possible. Going off on a tangent about a subject you are knowledgeable and passionate about won't add credence to your interview. Many times, that's the one thing that can actually catch you out.
Apply The STAR Method
The STAR method stands for Situation, Task, Action, Result and is an effective tool when answering behavioral interview questions, ensuring you stay focused and don't ramble. It's wise to familiarize yourself with the STAR method, and a quick online search can achieve this.
Practise Makes Perfect.
Don't let the fear of failure stop you from trying. Remember, practise makes perfect. The more you interview, the better you get. Even interviews for jobs you aren't qualified for are good opportunities to put what you have learnt into practice, and you will gain invaluable feedback.
With careful consideration, adequate preparation, and focusing on our five secrets, not only will you get that interview, but you will nail it. For more tips on how to advance into cyber leadership and land the CISO role, see our article How To Become A CISO and consider arming yourself with our CISO PLAYBOOK: First 100 Days to ensure you succeed in the role.
Phil is an experienced head of cybersecurity, strategic advisor, author, and public speaker. He is the Amazon best selling author of The Five Anchors of Cyber Leadership, a practical cyber strategy book for senior business leaders. 2017 winner of ISACA International’s Michael Cangemi Best Book/Article Award, for major contributions in the field of IS Audit, control and security.