10/20/2014
04:30 PM
How To Become A CISO, Part 1

Think you're ready for the top job? Here's part 1 of a series to help you land that prime chief information security officer position.

So you want to be a CISO, huh? Think you're ready to lead a small band of white knights into battle against a countless, hidden enemy? Ready to play both savior and scapegoat, depending on what the day brings? Ready to beg, borrow, and steal for the resources you need to protect your company?

Yes? OK, then, you're ready to do the job... but can you get the job? For the next several weeks, we're dedicating Mondays to helping you find the path to the big job, which won't be easy to define.

"There's not a standard path [to the CISO job] like so many other professions," says Mark Aiello, president of the Boston cyber security staffing firm Cyber360 Solutions. "We can't even agree on how to spell cyber security." (Cybersecurity? Cyber-security?)

Even the words "engineer" and "administrator" don't mean the same thing from company to company. The bad news, then, is that it is hard to know what career steps to take next.

The good news, though, is that the ladder you're already climbing could lead you to the CISO seat.

Despite the variety of routes to the top, Aiello does identify a few consistent trends:

Most CISOs are hired from outside the company.
Following the perplexing logic that somebody you don't know must be smarter than somebody you do know, "the vast majority" of organizations look outside their walls for a CISO, Aiello says. However, they will be more likely to hire an insider for the CISO job if it's a newly created position.

So being in the right place at the right time may help you get that newly minted CISO gig, but beware...

A company's first CISO has less power than its subsequent CISOs.
"That first CISO tends to not have as many teeth as the second one," Aiello says. They're likely to be a step below the true C-suite and report to the chief information officer.

Aiello thinks the CISO should be separate from the rest of the IT organization, because security affects far more than technology. "Security organizations are still relatively small [in size], in comparison to the IT department, but huge in terms of importance."

Most companies want to hire a CISO who's already a CISO somewhere else.
This raises a question: How do you get that first CISO job if you can only get one if you already have one? Aiello says you may convince a new employer to take you on if you've reached the highest security position at your current company -- like director or vice president of security -- as long as you have experience within the appropriate industry vertical: finance, healthcare, etc.

CISOs are more likely to come from a technical background.
Though there are people who rise to the security job from outside the IT department -- we'll hear some of their stories in the course of this series -- Aiello says that most of today's CISOs began their careers in an information technology job of some ilk. As the field matures and more IT functions are outsourced, that may change.

A CISSP certification isn't necessarily required for a CISO.
In order to have climbed the infosecurity ladder high enough to be eligible for the "chief" title, you probably will have needed a CISSP already. However, if you've made it this far without one, you probably won't need one now, says Aiello. A four-year college degree, however, is something a prospective employer will want.

[Is there a cyber security skills shortage? Hear what Mark Aiello and Julie Peeler of ISC(2) said on Dark Reading Radio.]

As the CISO job grows bigger and more important, Aiello says, the key is proactively gathering all the knowledge and experience you can.

"Raise your hand. Volunteer," he says. If you've spent most of your career outside of the nitty-gritty, hard-core IT security world, spend more time learning about the tactical side -- the day-to-day tasks of securing a business. If you are from a heavy technical background, learn as much as you can about the business side.

"Understand the problems your technology is there to solve," he says. "Understand what [the company is] securing and why they're securing it."

In the coming weeks, we'll spin out the origin stories of men and women currently holding the CISO position at a variety of organizations. Come back to Dark Reading next Monday for the first "how I became a CISO" tale.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
russellnomerconsulting
User Rank: Apprentice
6/29/2015 | 5:33:47 PM
Re: How to Become a CISO
The article also speaks to needing to beg, borrow, and steal resources when taking on the role of CISO. I propose in many instances this constraint is largely self-imposed as a direct result of not appropriately managing expectations and building the required trusting relationships at the beginning. Furthermore, do we really want to position the CISO as a professional scapegoat? Or does it make more sense to position the CISO as someone with the professional integrity and intestinal fortitude needed to hold their ground while leveraging soft skills for effectively building and managing a balanced security program?
ekwisca
User Rank: Apprentice
10/24/2014 | 5:21:08 PM
Re: extremely excited
@ODA155, I completely understand. Thank you for the advice. I am currently studying for my CISA to add it to my credentials. There's no end point to my studying. I continuously try to plug myself into different things in my profession for the exposure and experience. I'm looking to do all I can to have a whole understanding of information security, just for the benefit of being able to talk the talk of security to a wide range of business professionals. Becoming a C-level executive is my end goal; my learning is a forever journey. Thanks again for the advice. Another thing to think about to help me through these tough studying times. Good thing I live in Chicago and it's almost winter. The temperature here is bound to keep me in the house with nothing to do but study.
ODA155
User Rank: Ninja
10/24/2014 | 4:31:21 PM
Re: extremely excited
@ekwisca, why is it "the end goal"... May I also recommend getting your CISA. In my opinion, the second most helpful trait of a successful security professional, after a very good technical foundation, is understanding IT audit, its language, the people who conduct them, and navigating and using the audit report to your advantage. What you'll find, especially in smaller organizations, is that you, the security pro, will most likely be standing between management, admin\tech and auditors, juggling everyone's needs and requirements against your own. And that is where the third most useful trait comes in... effective communication skills.
ekwisca
User Rank: Apprentice
10/24/2014 | 10:01:26 AM
extremely excited
I couldn't be more excited about this new series of articles on becoming a CISO. As a young professional in the security world, the CISO position is my end goal. Currently holding my CISSP and CCNA, I hope I am on the right track for learning the business as well as the technical side of the IT world. Looking forward to next Monday.
Sara Peters
User Rank: Author
10/23/2014 | 4:23:16 PM
Re: How to Become a CISO
@ArthurK439 I agree with this: Information protection is crucial to the operations and success of the business, and to have it subordinate to a role that is primarily operational is a recipe for disaster. But I also just spoke to a CISO who reports to a CIO, and he said that it isn't a problem with this CIO, because they understand and respect security. I wonder if, ultimately, it all depends upon the specific people, not their titles or organizational structure.
savoiadilucania
User Rank: Moderator
10/23/2014 | 11:13:14 AM
Re: Disagree, surprise there
@Sara Peters

The issue is the varying interpretations of what comprises someone that is "technical". For some, it's a candidate that can conceptually walk through technical subjects and enumerate the relevant risks. For others, it's someone that can furnish a detailed explanation of the end-to-end packet delivery process and enumerate the attack vectors along that path. I tend to favor those with a more robust command of security as a discipline, as they can make informed decisions. They are otherwise reliant upon delegation, which isn't the best strategy during times of crisis...
ArthurK439
User Rank: Apprentice
10/22/2014 | 2:01:33 PM
Re: How to Become a CISO
I think we have seen the risks of having the CISO report to the CIO (Target comes to mind). As long as the CISO is viewed as being IT-centric, and not about risk management, there will be an inclination to pigeonhole it in the former category. At a minimum, it should be reporting to the CFO, and ideally to the CEO. Information protection is crucial to the operations and success of the business, and to have it subordinate to a role that is primarily operational is a recipe for disaster.

As for certifications, having a CISSP as a requirement to being a CISO is not mandatory. That being said, there are significant benefits in possessing it. Primarily, it ensures a common baseline, standardization of knowledge and common language. Secondly, it (and complementary certifications such as the CISM, CISA and CRISC) is as close as we currently have to professional designations. Both the ISC2 and ISACA have an ethics requirement, and with privacy and information being so tightly coupled these days, ethical and professional conduct considerations are crucial for a business leader. Just as I would expect the CFO to be a CPA/CA, and a Chief Counsel to be a lawyer/JD, I would expect a CISO to be a CISSP/CISM/CISA/CRISC.

The fact is, the CISO role is hybrid in nature, requiring both business acumen, technical knowledge, legal/regulatory, etc. Although I do not expect a CISO to configure a firewall, they should understand what it provides as a security control, after all.
SDiver
User Rank: Strategist
10/21/2014 | 4:39:59 PM
Certificates and reporting to the CIO
Regarding certificates, I think that they do more than demonstrate competence. After getting two certs myself I found them invaluable in separating the security 'fact' from 'fiction.' Any good skill set requires an understanding of the foundations, and I believe that the CISSP achieves that requirement. I would agree with the 'no-cert' requirement if you can independently verify your skill set, as when you served in the military or law enforcement.

As for reporting to the CIO, the only logical reason I would agree is if you're the CISO of a data center. I would be wary if the CISO reported to the CIO in a regulated business such as health or financial. Implementing the separation-of-duties concept in reasonable scenarios is the preferred method in a regulated environment.
GonzSTL
User Rank: Ninja
10/21/2014 | 2:11:47 PM
Re: Disagree, surprise there
@ODA155 You probably find yourself preaching to the choir as much as I do. Don't you wish you could have a captive audience composed of exactly the right people who need to hear the message?
Marc Eggers
User Rank: Strategist
10/21/2014 | 2:01:55 PM
Re: Disagree, surprise there
@Marilyn Cohodas, I can say after having a number of discussions with HR personnel in different industries that that is a primary reason for it.

I do not advocate certifications for certification's sake, and I do understand how they are one measure of demonstrating competence prior to obtaining the position. I used to be one of those who said "if they give me half a chance, I can prove that I can do that", but as time has gone on, I began to understand the position of "I need something to base this chance on other than the person saying they can do it". The certification is an independent mile marker that the person has at least put in the time and effort to learn that much about that subject(s).