How To Become a CISO: Top Tips
A look at the best career advice for aspiring CISOs from people who've reached the top.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltf3ca81696a4b01de/64f0dcb576acef325433e03b/2980934557_e705e0086f_z.jpg?width=700&auto=webp&quality=80&disable=upscale)
Over the past seven weeks, we've examined how to reach that lofty position of chief information security officer (CISO). We got a peek into what employers are looking for in a CISO from Mark Aiello, president of the Boston cyber security staffing firm Cyber360 Solutions. We heard the professional origin stories of five CISOs: Jonathan Trull of Qualys, Quinn Shamblin of Boston University, Jennings Aske of Nuance Communications, Mark Potter of Danya International, and Janet Levesque of RSA.
We'll continue the conversation on the message boards here and on the next episode of Dark Reading Radio, Wednesday, Dec. 17, at 1:00 p.m. EST (10:00 a.m. PST). You'll have the opportunity to chat with some of our CISOs and pick the brain of Lee Kushner, president of LJ Kushner & Associates, who's been helping information security professionals get hired for years.
Until then, here are some of the key lessons we've learned so far.
The so-called "top job" is not necessarily the best job. When something goes drastically wrong, it may be the CISO's job to carry the organization through a crisis... then get fired. The word "scapegoat" might be right there in your job description.
And don't assume that, as CISO, you'll have the power to do things your way. Because despite the "C" in your title, you may report to a CIO, CRO, or CFO who can overrule your expert opinion. Corporate politics and public relations are just as important to the job as what security technology you buy. If that doesn't sound appealing to you, then you might not be right for the job, and the job may not be right for you.
All five of the CISOs interviewed for this series said the same thing: They didn't plan on having a career in information security. Landing in the infosec world was a happy accident, not an intentional goal.
Though many of them were tech tinkerers in their spare time, they didn't go to school for computer science. Levesque was a liberal arts major, Shamblin a nuclear physicist, Aske a lawyer, Potter an apprentice auto mechanic, and Trull was in prison... working as a correctional officer.
(Image: "Ladder Over a Children's Workspace," by Vegan Feast Catering)
You don't need to start with a computer science degree, but -- unlike CIOs, who may come into the job without any experience in IT -- most CISOs need to have some proven technical expertise somewhere on their resume. You might not need years of experience in network architecture and software engineering and penetration testing, etc., but you need to know enough to manage your staff, your risks, and your budget.
As CISO, "I don't have to be a subject matter expert in everything," said Aske, but "I've seen some security leaders who are so divided from technology that they aren't able to lead the operational staff."
Communication is key to success, whether it's asking the right questions, listening carefully to the answers, or keeping your PowerPoint slide to only three bullet points.
Knowing how to build strong, amicable relationships is becoming even more important as more IT and security are outsourced. Levesque said that RSA was most interested in hiring her for her relationship-building skills.
And, of course, you need to remember that you are there to help your organization, not secure it to death.
"As a CISO, it's more important to understand risk and the business than to understand technology," said Shamblin. "Understand that, if I do X, I won't have a business."
"Being a CISO in any company is much more than technology," said Trull. "You should have a very good breadth of the business you're in, because security touches everything."
"Security doesn't seem to [invest as much] in training as other parts of IT," said Aske. "You really have to invest in yourself and your knowledge."
Whether it's college, conferences, certifications, or just asking plenty of questions, you'll need to develop a broad knowledge of issues in security, management, and your industry sector. The difficulty with that, of course, is that it means you might have to shell out cash from your own pocket... but it might not cost as much as you think.
Aiello is a big proponent of webinars (which are usually free) and makes sure that he and his staff commit at least one hour per week to attending webinars. There are also often free half-day events that won't require your money or keep you away from the office for too long.
However you do it, Potter says it quite clearly: "Never stop learning."
Sometimes the key is just being in the right place at the right time. Security is still a relatively young and quickly growing field, so there are always new kinds of job titles popping up. If you want to build up a variety of skills, keep your eyes out for developing trends, and jump on them when you can.
Aske got into security by catching the regulatory compliance wave. During the dot-com boom, Levesque got her hands-on experience creating a new security program... and after the dot-com bust, she got experience securely shutting down a company, right through to shutting the lights off for the last time.
Pay attention to your industry's ebbs and flows, and you'll get where you want to go quicker.
When you need to find those trends, develop the right skills, and identify those personal weaknesses of yours that need fixing, nothing is more valuable than having a professional mentor. Someone to shadow and learn from. Someone who might even introduce you to your next employer.
"You need to have people believe in you," said Shamblin. "Someone has to look at your work and say, yeah, wow, there's value here."
Shamblin's professional mentor didn't just see value in him. He actually passed over an offer to become Boston University's CISO, and recommended Shamblin for the position instead.
Most CISOs are hired from outside the organization, said Aiello. So if you're waiting for a promotion from within your company, you might be waiting a long time -- unless your company is creating a brand new CISO position, in which case you might be a shoo-in for the job.
However, don't be so focused on taking another step up the ladder that you undervalue the experience of making a lateral move -- either within or outside your company. That may be the best way to build your resume, demonstrate your worth to potential employers, and prepare yourself to be not just any CISO, but a great CISO.
Want more tips? Join us next Wednesday, Dec. 17 at 1:00 p.m. EST (10:00 a.m. PST) for the next episode of Dark Reading Radio, where we'll continue the discussion and take your questions. What else have you learned from Dark Reading's How To Become A CISO series? Let us know in the comments below.
You cannot escape this basic truth: "It's not what you know, it's who you know."
Even if you're naturally introverted, you still have to get yourself out there. Conferences and cocktail parties are the traditional route, of course. Aiello also recommends hitting up one of the regular meetings of your local ISC(2) chapter. You also may be surprised by the valuable connections you make online at LinkedIn or Twitter (or Dark Reading).
And don't forget to be nice. You'll never know who might be helpful to your career later.
"There's a lot to be said for not burning bridges," said Potter.