Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

11/26/2018
10:30 AM
Todd Fitzgerald
Todd Fitzgerald
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Transforming into a CISO Security Leader

Are you thinking of changing your career route from techie to CISO? Are you making the right choice? Only you know for sure.

Remember that dreaded question on your first job interview? No, not the "What are your weaknesses?" question, but the other one, equally as challenging: "What do you want to be doing in five years?"

How do we even attempt to answer that question when the only tools in our toolbox at that point is a college degree, some work experience at a minimum wage job, and, if we were lucky, an internship in our field? Is it even reasonable that we would say, "I would like to lead the security operations team — and within three years after that, I would like to be the chief information security officer (CISO) for a small to medium-sized firm"?

Not likely. We muddle through the question and make up some lofty leadership-type role to show the employer that we are thinking of the big picture and want to continuously develop ourselves. The prospective employer is satisfied with the answer and slots us into work it needs done. We progress through our careers gaining technical or audit process experience, until, one day, we are faced with the question of whether we should continue becoming the best technical expert or choose the leadership/management track, to advance monetarily. Easy, right?

Let's pause here. What is the right choice? Only you know what is best for you. The answer lies in examining the functions for which these roles are responsible and the skill sets required to accomplish them. More importantly, will you be happy performing this new leadership role while the technical competencies start to fade away?

In this world of rapidly advancing technology, leaders in an organization need to be well-versed on emerging technologies and trends, but it is unrealistic to think that the leader will continue to retain the same depth in the technology as when they were focusing on the technology directly for the bulk of the workweek. So, are you willing to no longer be regarded as the expert in the technology you worked with every day? Are you comfortable with leading or managing the individuals that understand the technology more than you do? Are you comfortable with leveraging and relying on their insights and ideas for enhancing business practices? Are you willing to spend time learning in addition to the "day job" to keep up with the technologies?

The CISO role has evolved over the past 25 years from primarily technical beginnings in many organizations to a role requiring more leadership, business savvy, and data-awareness. CISOs are managing risk, reporting to the board, managing security incident communications, planning strategies, and implementing multiyear plans to increase the maturity level within their organizations. As indicated in recent culture of cybersecurity research from ISACA and CMMI Institute, 41% of company boards of directors appoint an executive to own the cybersecurity culture and 38% schedule one or more discussions about it each year. Additionally, 55% of respondents place the cybersecurity culture ownership responsibility on the CISO, compared with 43% on the CIO and 24% on the CEO.

These numbers clearly demonstrate the security leader is "on the hook" and needs to be able to influence executive management to secure adequate funding to make a difference in the cybersecurity culture. This results in preparation of many presentations translating the business needs related to security requirements, and explaining, and re-explaining, why the investments need to be made. Business relationships must be made across the organization with an understanding of the stakeholder needs. CISOs must embrace ambiguity and uncertainty as they navigate the organization, with each department head vying for the same pot of critical investment funds.

The technical role is in stark contrast to the security leader role. Technical staffs are typically rewarded for the mastery of the technical skill, application of those skills to an initiative, and implementation within the project schedule and budget. The result is often a concrete, non-ambiguous solution — it works, or it doesn't, and feedback of success is more immediate. High levels of individual contribution are rewarded. Technical positions are obtained more easily, as the evaluation of technical skill sets is less abstract than evaluating subjective leadership qualities.

The technical background may be a basic requirement for many organizations hiring their first CISO, as they may only be hiring one or two individuals to start building out the program. However, once the team has been built, the technical skills will not be enough for the individual to remain in the role. Security professionals must decide where they would like to spend most of their day and must be honest about the answer. That is the only path to true career happiness.

(This evolution to CISO and the impact on skill requirements are detailed in the author's upcoming book, CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.)

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Todd Fitzgerald has built and led information Fortune 500/large company security programs for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked Top 50 Information Security Executive, authored four books  —   CISO Compass: Navigating ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DrkR34dM4g
50%
50%
DrkR34dM4g,
User Rank: Apprentice
12/4/2018 | 6:44:09 PM
CISO Finesse
Great points. Technical skills will not be enough for CISOs to thrive in their roles over time. I especially agree with need for CISOs (and those who aspire to become CISOs) to influence executive management and build business relationships across the organization. The ability to read the situation and stakeholders in them is essential so that CISOs can handle tricky situations with finesse.

Ryan K. Lahti, Ph.D., author of "The Finesse Factor" and managing principal of OrgLeader
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVE-2019-16307
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
CVE-2019-16294
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
CVE-2019-16309
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.