Operations
10/20/2014
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

How To Become A CISO, Part 1

Think you're ready for the top job? Here's part 1 of a series to help you land that prime chief information security officer position.

So you want to be a CISO, huh? Think you're ready to lead a small band of white knights into battle against a countless, hidden enemy? Ready to play both savior and scapegoat, depending on what the day brings? Ready to beg, borrow, and steal for the resources you need to protect your company?

Yes? OK, then, you're ready to do the job... but can you get the job? For the next several weeks, we're dedicating Mondays to helping you find the path to the big job, which won't be easy to define.

"There's not a standard path [to the CISO job] like so many other professions," says Mark Aiello, president of the Boston cyber security staffing firm Cyber360 Solutions. "We can't even agree on how to spell cyber security." (Cybersecurity? Cyber-security?)

Even the words "engineer" and "administrator" don't mean the same thing from company to company. The bad news, then, is that it is hard to know what career steps to take next.

The good news, though, is that the ladder you're already climbing could lead you to the CISO seat.

Despite the variety of routes to the top, Aiello does identify a few consistent trends:

Most CISOs are hired from outside the company.
Following the perplexing logic that somebody you don't know must be smarter than somebody you do know, "the vast majority" of organizations look outside their walls for a CISO, Aiello says. However, they will be more likely to hire an insider for the CISO job if it's a newly created position.

So being in the right place at the right time may help you get that newly minted CISO gig, but beware...

A company's first CISO has less power than its subsequent CISOs.
"That first CISO tends to not have as many teeth as the second one," Aiello says. They're likely to be a step below the true C-suite and report to the chief information officer.

Aiello thinks the CISO should be separate from the rest of the IT organization, because security not only impacts technology. "Security organizations are still relatively small [in size], in comparison to the IT department, but huge in terms of importance."

Most companies want to hire a CISO who's already a CISO somewhere else.
This raises a question: How do you get that first CISO job if you can only get one if you already have one? Aiello says you may convince a new employer to take you on if you've reached the highest security position at your current company -- like director or vice president of security -- as long as you have experience within the appropriate industry vertical: finance, healthcare, etc.

CISOs are more likely to come from a technical background.
Though there are people who rise to the security job from outside the IT department -- we'll hear some of their stories in the course of this series -- Aiello says that most of today's CISOs began their careers in an information techology job of some ilk. As the field matures and more IT functions are outsourced, that may change.

A CISSP certification isn't necessarily required for a CISO.
In order to have climbed the infosecurity ladder high enough to be eligible for the "chief" title, you probably will have needed a CISSP already. However, if you've made it this far without one, you probably won't need one now, says Aiello. A four-year college degree, however, is something a prospective employer will want.

[Is there a cyber security skills shortage? Hear what Mark Aiello and Julie Peeler of ISC(2) said on Dark Reading Radio.]

As the CISO job grows bigger and more important, Aiello says, the key is proactively gathering all the knowledge and experience you can.

"Raise your hand. Volunteer," he says. If you've spent most of your career outside of the nitty-gritty, hard-core IT security world, spend more time learning about the tactical side -- the day-to-day tasks of securing a business. If you are from a heavy technical background, learn as much as you can about the business side.

"Understand the problems your technology is there to solve," he says. "Understand what [the company is] securing and why they're securing it."

In the coming weeks, we'll spin out the origin stories of men and women currently holding the CISO position at a variety of organizations. Come back to Dark Reading next Monday for the first "how I became a CISO" tale.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 1:45:24 PM
Re: Disagree, surprise there
@GonzSTL... then please consider my comments reinforcement... and you can never have enough of that!
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 1:10:16 PM
Re: Disagree, surprise there
@ODA155 I'm not sure that we disagree on much. I am by no means advocating that a CISO must have a CISSP. I mentioned the CISSP to detail what the certification encompassed. Additionally, I brought the certification topic as the tie breaker when everything else appears equal with respect to business and technical experience. Incidentally, chasing down CPEs to maintain a cert is almost trivial with respect to time and resources. I agree with you that training resources are vital to security professionals.

You mentioned the power of persuasion, which I wholeheartedly agree with. In fact, I mentioned it when I broached the subject of communicating laterally, upward and downward in the corporate ladder. I think that the single biggest obstacle to a security program is the failure to effectively communicate the security message to the C-suite primarily for budgetary and priority concerns, and to the rest of the organization for implementation and acceptance.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 12:29:30 PM
Re: Disagree, surprise there
@GonzSTL,... also... if I'm hiring a CISO, I don't what him out there chasing down CPE's trying to maintain a cert, but I do want him to understand what it was like when he had to do that... then he'll understand why security professions working for him will need every training dollar that he can get.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 12:26:17 PM
Re: Disagree, surprise there
@GonzSTL,

CISO, like most other positions of leadership is just that, leading and setting the tone. I can see why you'd want you security wonks, which I am, to have their CISSP. I shows that they have proven that they are capable of learning a framework to learn concepts that will guide and further their careers, but I can also see why it really doesn't matter if the CISO has one or not... you're not hiring a CISO because they have a CISSP, you're hiring them because you believe they have proven through prior experience, responsibilities and positions that they are the right person for the job, cert or not.

The one thing that any CISO needs that cannot be quntified is the power of persuation, he\she needs to be able to take the information for subordinate leaders and craft into a message that is powerful enough so that the people who really do make the decisions understand what is required to hold back\fight the threat(s) and what those threats are.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 11:27:28 AM
Re: Disagree, surprise there
The CISSP exam covers the 10 domains of the (ISC)² CBK, a collection of topics relevant to information security professionals. I admit that the CBK is broad and doesn't necessarily mean that the CISSP has advanced or in depth knowledge in any or all of those domains, but the important thing to note is that it shows that the individual is knowledgeable in those areas critical to IT security. In addition to the exam, maintaining the certification involves successful completion of CPEs not just in the CBK but also in soft skills as defined in their "Group B" professional development activities. (ISC)² recognizes the importance of those skills and the criticality of communication laterally, upward, and downward in the corporate structure. Some of the Group B topics are management courses, interpersonal communications skills, team development skills, etc. The ideal CISO must be able to bridge the gap between the geeks and the suits, and convey the security message adequately and effectively. I get the argument that certifications can be obtained by paying lots of money to a "certificate mill", but you have to start or end somewhere. If businesses and technical experiences are equal, wouldn't you want a certificate to be a tie breaker, especially one that doesn't involve just geeky stuff? One of my favorite sayings to my students: organizations want to hire geeks to protect their IT assets, but they don't want to hire a geek with the personality of a door knob.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/21/2014 | 11:16:30 AM
Re: Disagree, surprise there
@savoiadilucania  That's interesting that your experience would differ so much from what Mark sees in his work match-making CISOs and companies. I wonder if it differs by region (Mark's in the northeast) or industry sector? Most of the CISOs I know also come from IT backgrounds, but I think that's changing.
ODA155
50%
50%
ODA155,
User Rank: Ninja
10/21/2014 | 11:10:17 AM
Re: How to Become a CISO
@Sara, I think that most CISO are assigned under the CIO is because most companies do not realize how effective a CISO can be if he\she were under, say the CFO. In all of the companies I've worked for the CFO was a very big deal and had power, thus that gave the CISO a direct ear to someone who could make a difference, and let's face it, if you (CIO) control the CISO, you control the message.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 10:55:46 AM
Re: How to Become a CISO
Sara, that would be a very interesting story. We often hear from CIOs and CISOs regarding this topic, but rarely hear from CEOs. Recently, the SEC commissioner hinted that cyber security should be a part of the board of directors' risk oversight responsibilities. That almost implies that the CISO should have a seat at the C table.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/21/2014 | 10:48:40 AM
Re: Disagree, surprise there
That's a great point about how important (and prevalent) CISSP certification actually is for someome in the CISO role. My suspicion is that it's necessary, primarily, to reassure the CISSP's that are working in the group, that the CISO knows the basics, or at least talks the same language. But how it relates to the broader policy and leadership functions of the job is definitely open for discussion...
savoiadilucania
50%
50%
savoiadilucania,
User Rank: Moderator
10/21/2014 | 10:33:15 AM
Disagree, surprise there
"A company's first CISO has less power than its subsequent CISOs". Quite honestly, CISOs are never really empowered. With few exceptions, they tend to be placed at the upper end of middle management or the lower end of upper management. Ideally they should have an equivalent level of influence as a CFO, CIO, or COO.

"CISOs are more likely to come from a technical background." God no. On paper they might appear to have significant technical breadth/depth but in reality have had a career based in policy/compliance. CISOs that are technical are a rarity in my experience.

"A CISSP certification isn't necessarily required for a CISO." It's not required in the sense that it's a worthless certification that does nothing to asset the level of security apptitude one possesses. But I am yet to see a CISO candidate opening/job posting that does not have "CISSP or equivalent" in the qualifications.
<<   <   Page 2 / 3   >   >>
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.