Remember that dreaded question on your first job interview? No, not the "What are your weaknesses?" question, but the other one, equally as challenging: "What do you want to be doing in five years?"
How do we even attempt to answer that question when the only tools in our toolbox at that point is a college degree, some work experience at a minimum wage job, and, if we were lucky, an internship in our field? Is it even reasonable that we would say, "I would like to lead the security operations team — and within three years after that, I would like to be the chief information security officer (CISO) for a small to medium-sized firm"?
Not likely. We muddle through the question and make up some lofty leadership-type role to show the employer that we are thinking of the big picture and want to continuously develop ourselves. The prospective employer is satisfied with the answer and slots us into work it needs done. We progress through our careers gaining technical or audit process experience, until, one day, we are faced with the question of whether we should continue becoming the best technical expert or choose the leadership/management track, to advance monetarily. Easy, right?
Let's pause here. What is the right choice? Only you know what is best for you. The answer lies in examining the functions for which these roles are responsible and the skill sets required to accomplish them. More importantly, will you be happy performing this new leadership role while the technical competencies start to fade away?
In this world of rapidly advancing technology, leaders in an organization need to be well-versed on emerging technologies and trends, but it is unrealistic to think that the leader will continue to retain the same depth in the technology as when they were focusing on the technology directly for the bulk of the workweek. So, are you willing to no longer be regarded as the expert in the technology you worked with every day? Are you comfortable with leading or managing the individuals that understand the technology more than you do? Are you comfortable with leveraging and relying on their insights and ideas for enhancing business practices? Are you willing to spend time learning in addition to the "day job" to keep up with the technologies?
The CISO role has evolved over the past 25 years from primarily technical beginnings in many organizations to a role requiring more leadership, business savvy, and data-awareness. CISOs are managing risk, reporting to the board, managing security incident communications, planning strategies, and implementing multiyear plans to increase the maturity level within their organizations. As indicated in recent culture of cybersecurity research from ISACA and CMMI Institute, 41% of company boards of directors appoint an executive to own the cybersecurity culture and 38% schedule one or more discussions about it each year. Additionally, 55% of respondents place the cybersecurity culture ownership responsibility on the CISO, compared with 43% on the CIO and 24% on the CEO.
These numbers clearly demonstrate the security leader is "on the hook" and needs to be able to influence executive management to secure adequate funding to make a difference in the cybersecurity culture. This results in preparation of many presentations translating the business needs related to security requirements, and explaining, and re-explaining, why the investments need to be made. Business relationships must be made across the organization with an understanding of the stakeholder needs. CISOs must embrace ambiguity and uncertainty as they navigate the organization, with each department head vying for the same pot of critical investment funds.
The technical role is in stark contrast to the security leader role. Technical staffs are typically rewarded for the mastery of the technical skill, application of those skills to an initiative, and implementation within the project schedule and budget. The result is often a concrete, non-ambiguous solution — it works, or it doesn't, and feedback of success is more immediate. High levels of individual contribution are rewarded. Technical positions are obtained more easily, as the evaluation of technical skill sets is less abstract than evaluating subjective leadership qualities.
The technical background may be a basic requirement for many organizations hiring their first CISO, as they may only be hiring one or two individuals to start building out the program. However, once the team has been built, the technical skills will not be enough for the individual to remain in the role. Security professionals must decide where they would like to spend most of their day and must be honest about the answer. That is the only path to true career happiness.
(This evolution to CISO and the impact on skill requirements are detailed in the author's upcoming book, CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.)
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.Todd Fitzgerald has built and led information Fortune 500/large company security programs for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked Top 50 Information Security Executive, authored four books — CISO Compass: Navigating ... View Full Bio