How to Become a CISO
AS DATA BREACHES SOAR, SO DO CISOS’ PAYCHECKS
In recent years, the role of the chief information security officer has catapulted into executive committees and boardrooms, spurred by a relentless surge in crippling cyber-attacks orchestrated by well-resourced and determined threat actors. Predictably, as cyber threats soar, so do CISOs’ salaries. According to Cybersecurity Ventures, CISO pay will keep climbing, with more organizations likely to move into the US$500,000 to US$1 million range over the next five years. A smaller subset of distinguished CISOs already command total annual compensation packages in excess of US$2 million.
These mouth-watering numbers, combined with access to the board and lifetime opportunities to build fully-fledged cybersecurity functions from scratch, are enticing experienced cyber professionals to aim for the coveted chief information security officer role.
Despite the rising appetite, very little clear-cut guidance exists to help aspiring cyber leaders accelerate their path to the top. Many cybersecurity professionals feel stuck in functional roles, their careers advancing at a snail’s pace.
When you search the phrase ‘How to Become a CISO’, Google returns more than 1.5 million articles and web pages. Sifting through this content, much of it substandard, is tedious and overwhelming. Granted, the domain of cyber leadership is vast and complex, and there is no single path to the chief information security officer position. We have written this blog to share practical insights that can help aspiring cyber leaders accelerate their path into the C-suite and excel once they get there.
THE SHIFT TOWARDS THE BUSINESS SAVVY CISO
About a decade ago, the CISO role was largely confined within the corridors of the IT function. IT security managers, then the most senior cyber leaders in most organizations, deployed and maintained a portfolio of technical controls such as firewalls, internet proxies, intrusion detection systems, email security gateways and endpoint security. The role certainly looks very different today. It has expanded beyond a technical and compliance focus into a strategic role that anchors business growth and long-term brand success.
The rapid shift in the competencies that determine success was confirmed by PwC’s Global Digital Trust Insights Survey of October 2020, which found that 40% of executives prefer a chief information security officer who can successfully lead complex transformation. Corporate directors’ expectations are aligned: they prefer CISOs who exhibit solid soft skills, primarily persuasive communication, the ability to analyze complex matters, creativity, and critical thinking.
In a recent interview with Security magazine, Phil Zongo, CEO of the Cyber Leadership Institute, underscored that curiosity, determination, and self-awareness are better predictors of a cyber leader’s success than technical proficiency. The PwC survey likewise found that executives seek out CISOs who are innovative and have proven leadership skills, strategic thinking, and the ability to take smart risks, over their purely technical counterparts.
WHAT EXACTLY DO CISOS DO?
Before we dive into the nuances of cyber chiefs’ career paths, it’s important to understand the nature of the role. Based on our combined 70-plus years in the cybersecurity trenches and our experience training cyber leaders from more than 30 countries, six critical responsibilities underpin a CISO’s success.
- Politician – Influence critical stakeholders to throw their full weight behind cybersecurity transformation.
- Trusted advisor – Translate deeply technical matters into the language of the business, helping executives and boards make confident, quality, risk-informed decisions.
- Change agent - Embed cyber-savvy culture into the veins of the enterprise and inspire everyone — from the board to frontline personnel — to go beyond the call of duty to protect the enterprise.
- Leader – Build a cohesive, motivated team with diverse and complementary expertise, and nurture a culture of constant learning, innovation and active collaboration.
- Marketer – Evangelize cybersecurity capabilities to regulators, client prospects, insurers, and business partners, helping win new business, lower the cost of capital and maintain the license to operate.
- Strategist – Ruthlessly prioritize initiatives and execute a transformation program tightly linked to business strategy.
Obviously, CISO responsibilities are much broader, but the six essentials above suggest that soft skills are better predictors of CISO success than pure technical proficiency.
ACADEMIC AND TECHNICAL CERTIFICATIONS
Most CISOs hold information technology or computer science degrees; these undergraduate degrees got their foot in the door. Over the course of their careers, most chief information security officers also earn multiple professional security certifications, most notably the following two:
- CISSP (Certified Information Systems Security Professional) – Long considered the gold-standard technical cybersecurity certification, CISSP covers security and risk management, asset security, security architecture and engineering, network security, identity and access management, security assessment and testing, security operations and secure software development. It is administered by the International Information System Security Certification Consortium, (ISC)².
- CISM (Certified Information Security Manager) – Offered by ISACA, CISM focuses on the governance, program development and management, incident management and risk management aspects of cybersecurity.
Studying for and passing both exams can take six to twelve months. Each credential also requires at least five years of relevant professional experience, although both bodies allow candidates to sit the exam before that requirement is met and defer awarding the credential until it is. Passing the exams deepens knowledge of essential cybersecurity pillars and demonstrates commitment to potential employers.
Granted, there is a wide variety of cybersecurity certifications, but these two, both rated among the best InfoSec and cybersecurity certifications of 2020, are the most relevant to the CISO role.
As more CISOs acknowledge their blind spots, they are adding MBAs to their academic portfolios to blend technical expertise with entrepreneurship, strategic thinking, and leadership skills. An MBA from a reputable university can be a differentiating factor in a crowded market. Furthermore, an MBA provides solid ground on which to develop strategic relationships, broadening one’s career prospects.
A study by Kaspersky Lab, which polled 250 security directors globally, found that 68% of CISOs held some form of master’s degree, with a growing number pursuing MBAs to sharpen their business acumen, a prerequisite for success.
At the Cyber Leadership Institute, we created an intensive and highly collaborative eight-week course that has empowered chief information security officers and cyber leaders from more than 30 countries with practical strategy design, influencing, governance, board communication, and leadership skills.
CAREER PATHS TO THE CISO ROLE
The path to the CISO role, however, isn’t linear, nor should it be. A recent study by McAfee suggests that filling cybersecurity roles with people from business, finance, arts, and science backgrounds can boost diversity of thought and infuse new creative ideas. Based on our interactions with leaders who go through the Cyber Leadership Institute, there are several plausible career paths for aspiring CISOs, but the following four stand out:
- The experienced technologist – Cybersecurity architects, network security engineers and IT security managers are often hired by companies that rely heavily on complex IT infrastructure or that are in the formative stages of their cybersecurity journey. Highly technical professionals should quickly pursue programs that instill leadership, stakeholder management, strategy design, and executive communication skills.
- The technology risk manager – Companies in heavily regulated sectors hire experienced technology risk managers to embed robust risk management practices into vital business processes, address regulatory compliance matters, and create board-level cyber governance structures. To succeed, risk-minded new CISOs must build a team that compensates for their lack of technical depth, especially in cybersecurity engineering, operations, and architecture.
- The program delivery manager – Organizations facing large change portfolios hire experienced program delivery managers with a track record of leading complex technology and cyber transformation programs to help prioritize change, accelerate transformation, and manage multi-million-dollar, multi-vendor programs. Like risk managers, delivery-focused CISOs must surround themselves with complementary technical professionals to boost their chances of success.
- The CIO or technology leader – A CIO with extensive experience building high-performing teams, driving digital transformation, and sitting on executive committees may make a lateral move into a CISO role. Traditionally, most heads of cybersecurity have reported to the CIO, which makes the CIO-to-CISO transition relatively straightforward.
Again, the path to the chief information security officer role is not limited to these four scenarios. Professionals from varied backgrounds, such as product development, legal, and risk management, can aim for the rapidly evolving role. Here are two strategies aspiring CISOs can use to stand out from the crowd.
- Raise your hand and invest time working in varied roles. The aim is a holistic understanding of the business value chain: deep insight into the business’s major revenue lines, a big-picture view of cyber risk and its implications for business growth, mergers and acquisitions, regulatory compliance, and day-to-day business realities.
- Those who accelerate their path to the top never sit and wait for the right opportunity to show up. On the contrary, they deliberately venture out of their comfort zones and intensely pursue differentiating skillsets. If asked to lead data breach clean-ups, sit on cross-business risk committees, or join mission-critical projects, they never hesitate to roll up their sleeves and jump into the arena.
BUILD YOUR PERSONAL BRAND
The mention of personal branding makes many cybersecurity professionals squirm. It sounds reminiscent of self-anointed influencers, forever fishing for likes on LinkedIn but lacking real depth in anything. Ignoring your personal brand, however, will cost you dearly.
Whether you like it or acknowledge it, you have a personal brand. Peers, recruiters, and employers hold strong views about the value you bring to the table, and recruiters often use those perceptions to pigeonhole people into lower pay bands and dismiss their CISO ambitions. Phil Zongo, who built his cyber executive career around personal branding, offers five timeless tips:
- Develop a strong thought leadership record: publish compelling opinions in respected industry publications, speak at conferences, and appear on popular webcasts. Quality, distinctive thought leadership can trump decades of experience and dozens of certifications. Being a sought-after voice in your niche is the most potent way to set yourself apart from the competition.
- Find the sweet spot where your passion and differentiating skills converge. To stand out in a crowded marketplace, you must develop deep, specific, and valuable skillsets. Get into a specific niche, and then carve out a niche within a niche. By attempting to be great at many things, you end up appealing to no one.
- Resist the myth of perfectionism and the fear of negative judgment; post original ideas and content regularly.
- Get into the arena, experiment, fail, learn, and constantly refine your work. A strong personal brand is a result of a steady stream of small, consistent, and compounding efforts, not a sprint.
- Join local chapters of global professional associations such as ISACA and (ISC)², show up consistently at events, and develop authentic relationships with peers. When anyone in your network is looking for a new cyber leader, you will quickly come to mind.
Personal branding means being known for consistently offering a great deal of value in a specific niche, helping real people solve their most pressing challenges, in life or in business. In short, people with strong personal brands are recognized for deep expertise in their chosen subjects.
CREATE A KILLER RESUME THAT GETS YOU THE CISO INTERVIEW
There is no point in accumulating years of experience and being good at what you do if you never get invited to an interview because of a one-size-fits-all chronological resume that tediously narrates your journey from high school to the present.
Your resume is your sales copy; it’s what gets you in the door, and context is everything. Carefully study the job specification and the problems the company is facing, then craft a resume that highlights the specific strengths that align with their needs. For example, if the CISO role results from a regulatory undertaking, highlight your experience implementing cross-business cyber governance committees. If the company frequently engages in mergers and acquisitions, talk about your expertise in simplifying redundant and complex security architectures and integrating disparate security cultures.
- De-emphasize technical skills because they are a given. Instead, highlight your experience on skills such as building high-performing teams, influencing decision-makers, communicating with impact, delivering complex change, and leading through crisis. Strong strategy, leadership, and influencing skills are the hallmarks of a leading cyber executive.
- Scrap the traditional objective or personal goals statement and open with a gripping summary of your career achievements. Make clear straight away why you are the best candidate for the job. Remember, the easiest thing for someone reviewing your resume is to stop reading and bin it, so write every sentence with impact, leaving the reviewer itching to move to the next one.
- Remember, less is more. Prune each sentence and paragraph to its cleanest form. Just as important, back your resume with a short, focused cover letter. As Mary Elizabeth Bradford wrote for Forbes, “Be sure to get right to the point [with the cover letter]. Share your focus of direction, respectfully call out a few examples of success, then invite them to learn more by looking at your resume.”
All signs indicate that business executives and corporate directors are feeling the scourge of cybercrime and taking its lessons to heart. We can confidently predict that demand for business-centred CISOs will keep soaring as companies seek to assure their strategic business partners, regulators, and customers that their cybersecurity capabilities are robust and fit for purpose. While technical proficiency still has its place, our experience suggests that professionals who develop strong personal brands, a deep understanding of business realities, persuasive communication, and the ability to influence powerful stakeholders will rise above the din.
Please check out our additional resources.
CISO Playbook: First 100 Days – Setting the CISO up for success: a complete set of end-to-end strategic initiatives and a framework for building a first-100-day plan for a new CISO.
Check out our premium Cyber Leadership Program that helps cybersecurity professionals accelerate their path to the CISO role and excel at the highest levels.