Careers & People

11/26/2018
10:30 AM
Todd Fitzgerald
Todd Fitzgerald
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Transforming into a CISO Security Leader

Are you thinking of changing your career route from techie to CISO? Are you making the right choice? Only you know for sure.

Remember that dreaded question on your first job interview? No, not the "What are your weaknesses?" question, but the other one, equally as challenging: "What do you want to be doing in five years?"

How do we even attempt to answer that question when the only tools in our toolbox at that point is a college degree, some work experience at a minimum wage job, and, if we were lucky, an internship in our field? Is it even reasonable that we would say, "I would like to lead the security operations team — and within three years after that, I would like to be the chief information security officer (CISO) for a small to medium-sized firm"?

Not likely. We muddle through the question and make up some lofty leadership-type role to show the employer that we are thinking of the big picture and want to continuously develop ourselves. The prospective employer is satisfied with the answer and slots us into work it needs done. We progress through our careers gaining technical or audit process experience, until, one day, we are faced with the question of whether we should continue becoming the best technical expert or choose the leadership/management track, to advance monetarily. Easy, right?

Let's pause here. What is the right choice? Only you know what is best for you. The answer lies in examining the functions for which these roles are responsible and the skill sets required to accomplish them. More importantly, will you be happy performing this new leadership role while the technical competencies start to fade away?

In this world of rapidly advancing technology, leaders in an organization need to be well-versed on emerging technologies and trends, but it is unrealistic to think that the leader will continue to retain the same depth in the technology as when they were focusing on the technology directly for the bulk of the workweek. So, are you willing to no longer be regarded as the expert in the technology you worked with every day? Are you comfortable with leading or managing the individuals that understand the technology more than you do? Are you comfortable with leveraging and relying on their insights and ideas for enhancing business practices? Are you willing to spend time learning in addition to the "day job" to keep up with the technologies?

The CISO role has evolved over the past 25 years from primarily technical beginnings in many organizations to a role requiring more leadership, business savvy, and data-awareness. CISOs are managing risk, reporting to the board, managing security incident communications, planning strategies, and implementing multiyear plans to increase the maturity level within their organizations. As indicated in recent culture of cybersecurity research from ISACA and CMMI Institute, 41% of company boards of directors appoint an executive to own the cybersecurity culture and 38% schedule one or more discussions about it each year. Additionally, 55% of respondents place the cybersecurity culture ownership responsibility on the CISO, compared with 43% on the CIO and 24% on the CEO.

These numbers clearly demonstrate the security leader is "on the hook" and needs to be able to influence executive management to secure adequate funding to make a difference in the cybersecurity culture. This results in preparation of many presentations translating the business needs related to security requirements, and explaining, and re-explaining, why the investments need to be made. Business relationships must be made across the organization with an understanding of the stakeholder needs. CISOs must embrace ambiguity and uncertainty as they navigate the organization, with each department head vying for the same pot of critical investment funds.

The technical role is in stark contrast to the security leader role. Technical staffs are typically rewarded for the mastery of the technical skill, application of those skills to an initiative, and implementation within the project schedule and budget. The result is often a concrete, non-ambiguous solution — it works, or it doesn't, and feedback of success is more immediate. High levels of individual contribution are rewarded. Technical positions are obtained more easily, as the evaluation of technical skill sets is less abstract than evaluating subjective leadership qualities.

The technical background may be a basic requirement for many organizations hiring their first CISO, as they may only be hiring one or two individuals to start building out the program. However, once the team has been built, the technical skills will not be enough for the individual to remain in the role. Security professionals must decide where they would like to spend most of their day and must be honest about the answer. That is the only path to true career happiness.

(This evolution to CISO and the impact on skill requirements are detailed in the author's upcoming book, CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.)

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Todd Fitzgerald has built and led information Fortune 500/large company security programs for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked Top 50 Information Security Executive, authored four books  —   CISO Compass: Navigating ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DrkR34dM4g
50%
50%
DrkR34dM4g,
User Rank: Apprentice
12/4/2018 | 6:44:09 PM
CISO Finesse
Great points. Technical skills will not be enough for CISOs to thrive in their roles over time. I especially agree with need for CISOs (and those who aspire to become CISOs) to influence executive management and build business relationships across the organization. The ability to read the situation and stakeholders in them is essential so that CISOs can handle tricky situations with finesse.

Ryan K. Lahti, Ph.D., author of "The Finesse Factor" and managing principal of OrgLeader
Julian Assange Arrested in London
Dark Reading Staff 4/11/2019
8 'SOC-as-a-Service' Offerings
Steve Zurier, Freelance Writer,  4/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1840
PUBLISHED: 2019-04-18
A vulnerability in the DHCPv6 input packet processor of Cisco Prime Network Registrar could allow an unauthenticated, remote attacker to restart the server and cause a denial of service (DoS) condition on the affected system. The vulnerability is due to incomplete user-supplied input validation when...
CVE-2019-1841
PUBLISHED: 2019-04-18
A vulnerability in the Software Image Management feature of Cisco DNA Center could allow an authenticated, remote attacker to access to internal services without additional authentication. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vuln...
CVE-2019-1826
PUBLISHED: 2019-04-18
A vulnerability in the quality of service (QoS) feature of Cisco Aironet Series Access Points (APs) could allow an authenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation on QoS fields within Wi-Fi fra...
CVE-2019-1829
PUBLISHED: 2019-04-18
A vulnerability in the CLI of Cisco Aironet Series Access Points (APs) could allow an authenticated, local attacker to gain access to the underlying Linux operating system (OS) without the proper authentication. The attacker would need valid administrator device credentials. The vulnerability is due...
CVE-2019-1830
PUBLISHED: 2019-04-18
A vulnerability in Locally Significant Certificate (LSC) management for the Cisco Wireless LAN Controller (WLC) could allow an authenticated, remote attacker to cause the device to unexpectedly restart, which causes a denial of service (DoS) condition. The attacker would need to have valid administr...