Careers & People

11/26/2018
10:30 AM
Todd Fitzgerald
Todd Fitzgerald
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Transforming into a CISO Security Leader

Are you thinking of changing your career route from techie to CISO? Are you making the right choice? Only you know for sure.

Remember that dreaded question on your first job interview? No, not the "What are your weaknesses?" question, but the other one, equally as challenging: "What do you want to be doing in five years?"

How do we even attempt to answer that question when the only tools in our toolbox at that point is a college degree, some work experience at a minimum wage job, and, if we were lucky, an internship in our field? Is it even reasonable that we would say, "I would like to lead the security operations team — and within three years after that, I would like to be the chief information security officer (CISO) for a small to medium-sized firm"?

Not likely. We muddle through the question and make up some lofty leadership-type role to show the employer that we are thinking of the big picture and want to continuously develop ourselves. The prospective employer is satisfied with the answer and slots us into work it needs done. We progress through our careers gaining technical or audit process experience, until, one day, we are faced with the question of whether we should continue becoming the best technical expert or choose the leadership/management track, to advance monetarily. Easy, right?

Let's pause here. What is the right choice? Only you know what is best for you. The answer lies in examining the functions for which these roles are responsible and the skill sets required to accomplish them. More importantly, will you be happy performing this new leadership role while the technical competencies start to fade away?

In this world of rapidly advancing technology, leaders in an organization need to be well-versed on emerging technologies and trends, but it is unrealistic to think that the leader will continue to retain the same depth in the technology as when they were focusing on the technology directly for the bulk of the workweek. So, are you willing to no longer be regarded as the expert in the technology you worked with every day? Are you comfortable with leading or managing the individuals that understand the technology more than you do? Are you comfortable with leveraging and relying on their insights and ideas for enhancing business practices? Are you willing to spend time learning in addition to the "day job" to keep up with the technologies?

The CISO role has evolved over the past 25 years from primarily technical beginnings in many organizations to a role requiring more leadership, business savvy, and data-awareness. CISOs are managing risk, reporting to the board, managing security incident communications, planning strategies, and implementing multiyear plans to increase the maturity level within their organizations. As indicated in recent culture of cybersecurity research from ISACA and CMMI Institute, 41% of company boards of directors appoint an executive to own the cybersecurity culture and 38% schedule one or more discussions about it each year. Additionally, 55% of respondents place the cybersecurity culture ownership responsibility on the CISO, compared with 43% on the CIO and 24% on the CEO.

These numbers clearly demonstrate the security leader is "on the hook" and needs to be able to influence executive management to secure adequate funding to make a difference in the cybersecurity culture. This results in preparation of many presentations translating the business needs related to security requirements, and explaining, and re-explaining, why the investments need to be made. Business relationships must be made across the organization with an understanding of the stakeholder needs. CISOs must embrace ambiguity and uncertainty as they navigate the organization, with each department head vying for the same pot of critical investment funds.

The technical role is in stark contrast to the security leader role. Technical staffs are typically rewarded for the mastery of the technical skill, application of those skills to an initiative, and implementation within the project schedule and budget. The result is often a concrete, non-ambiguous solution — it works, or it doesn't, and feedback of success is more immediate. High levels of individual contribution are rewarded. Technical positions are obtained more easily, as the evaluation of technical skill sets is less abstract than evaluating subjective leadership qualities.

The technical background may be a basic requirement for many organizations hiring their first CISO, as they may only be hiring one or two individuals to start building out the program. However, once the team has been built, the technical skills will not be enough for the individual to remain in the role. Security professionals must decide where they would like to spend most of their day and must be honest about the answer. That is the only path to true career happiness.

(This evolution to CISO and the impact on skill requirements are detailed in the author's upcoming book, CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.)

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Todd Fitzgerald has built and led information Fortune 500/large company security programs for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked Top 50 Information Security Executive, authored four books  —   CISO Compass: Navigating ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DrkR34dM4g
50%
50%
DrkR34dM4g,
User Rank: Apprentice
12/4/2018 | 6:44:09 PM
CISO Finesse
Great points. Technical skills will not be enough for CISOs to thrive in their roles over time. I especially agree with need for CISOs (and those who aspire to become CISOs) to influence executive management and build business relationships across the organization. The ability to read the situation and stakeholders in them is essential so that CISOs can handle tricky situations with finesse.

Ryan K. Lahti, Ph.D., author of "The Finesse Factor" and managing principal of OrgLeader
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
CVE-2018-19829
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-16884
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
CVE-2018-17777
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have acc...
CVE-2018-18921
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.