Four tips for aspiring CISOs
Most cybersecurity professionals have ambitions to rise to the chief information security officer (CISO) role. Very few, however, ever realize them. I have learned four critical insights from my experiences and collaboration with dozens of CISOs who pass through our Cyber Leadership Program.
Develop strong self-awareness
A few years ago, I was deeply frustrated by my career stagnation. I worked as a technology risk manager for a large financial services firm, but deep down, I knew I was tinkering on the edges of my potential. I possessed multiple cybersecurity certifications, and I was technically proficient. Back home, strong technical expertise and credentials guaranteed an unobstructed path to senior roles. But I made a terrible mistake; I foolishly assumed that those qualifications that set my career on fire years back were life-long career insurance.
Professional dynamics in Australia were starkly different. My proverbial cheese had moved, but I kept my head stuck in the sand like an ostrich. Success had very little to do with technical proficiency; it depended on the depth of one’s networks, the aptitude to influence critical players, the skill to solve complex business problems under pressure, and the ability to communicate persuasively. Who you knew mattered more than what you knew.
With none of these, I felt like, in the poetic words of Langston Hughes, "a broken-winged bird that couldn't fly, a barren field." Humbly admitting that my cheese had moved, and disproportionately focusing my energy and time towards honing the required leadership skills, turbo-charged my cyber career.
Don’t be confined by other people’s opinions
A few years ago, I felt I was ready to assume a senior position, but I made a terrible mistake. I allowed people who hardly knew me to define my worth. “I don’t think you are ready,” cautioned one recruiter who barely knew me. Some cybersecurity colleagues stereotyped me as “not technical enough” because I came from a technology risk management background.
When I mustered the guts to throw caution to the wind and detach myself from the imperfect labels, magic happened. Of course, cybersecurity has its roots in technology, but the CISO role has broadened over the past decade, and the path to the top no longer runs in a straight line. As Natasha Passley recently blogged, an organization with immature capabilities will benefit most from a CISO with strong program delivery skills. In contrast, a heavily regulated enterprise will benefit from a CISO with strong governance abilities. So, think broadly and don’t allow external labels to limit your ambition.
Don’t be shy to showcase your expertise
The mention of personal branding makes many tummies rumble. It reminds people of some self-anointed influencers who make a lot of noise on social media, but deep down, they don’t have much to offer. I am, however, talking about something different: developing deep and irrefutable skills in your domain that help you run away from the competition.
I see many professionals resist the idea of personal branding, but that’s a terrible mistake. Authority matters – recruiters, employers, and clients now place a huge premium on a strong thought leadership record. The years of landing an executive cyber role solely on years of experience and a chronological description of your employment history are past.
A strong thought leadership record – publishing compelling opinions and positioning yourself as a voice in demand – is the most definite weapon to weed out competition. There is certainly nothing wrong with having 20 years’ experience running security programs, but there are millions of such people.
Personal branding requires that you show up intensely and consistently. Strong and persuasive writing takes time, but with deliberate action, persistence, and patience, it’s certainly achievable. I come across so many professionals who spend months “drafting a social media plan.” As the old saying goes, to begin, begin. We learn better in the arena than by tuning in to endless podcasts. As David Roose warned in the NYTimes, “Don’t Scoff at Influencers. They’re Taking Over the World.”
Once you land a CISO Interview, please don’t mess up
Securing a quality CISO interview is quite difficult. So, when you eventually do, don’t blow it. Remember that you will be going head to head with dozens of other highly decorated and experienced professionals. For instance, a CISO role advertised a week ago in the USA already has 139 applicants, 99 of whom have held very senior positions. So, if you show up unprepared, your chances are very slim.
These numbers are certainly not a counsel of despair. With deliberate and well-thought-out planning, you can quickly rise above the crowd. Before showing up for the interview, thoroughly research the company: understand its core products, value chain, values, strategic priorities, key executive players, etc. The next step is to arm yourself with a well-thought-out 100-day plan. You can download a free comprehensive CISO First 100 days Playbook here. The 100-day plan will markedly differentiate you from competitors because most candidates will just show up to answer questions. George Bradt agrees, “Shame on you if you walk into a late-round interview without a plan for what you are going to do leading up to and through your first 100 days. And shame on you if your plan is all about you.”
You can check out my best-selling cyber strategy book here – https://www.amazon.com.au/Five-Anchors-Cyber-Resilience-enterprises/dp/0648007847
At the Cyber Leadership Institute, we have equipped dozens of cyber leaders from more than 13 countries with essential skills to influence the c-suite and the board. Please check out testimonials from CLP graduates here - https://cyberleadershipinstitute.com/leadershipprogram/