Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/20/2014
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

How To Become A CISO, Part 1

Think you're ready for the top job? Here's part 1 of a series to help you land that prime chief information security officer position.

So you want to be a CISO, huh? Think you're ready to lead a small band of white knights into battle against a countless, hidden enemy? Ready to play both savior and scapegoat, depending on what the day brings? Ready to beg, borrow, and steal for the resources you need to protect your company?

Yes? OK, then, you're ready to do the job... but can you get the job? For the next several weeks, we're dedicating Mondays to helping you find the path to the big job, which won't be easy to define.

"There's not a standard path [to the CISO job] like so many other professions," says Mark Aiello, president of the Boston cyber security staffing firm Cyber360 Solutions. "We can't even agree on how to spell cyber security." (Cybersecurity? Cyber-security?)

Even the words "engineer" and "administrator" don't mean the same thing from company to company. The bad news, then, is that it is hard to know what career steps to take next.

The good news, though, is that the ladder you're already climbing could lead you to the CISO seat.

Despite the variety of routes to the top, Aiello does identify a few consistent trends:

Most CISOs are hired from outside the company.
Following the perplexing logic that somebody you don't know must be smarter than somebody you do know, "the vast majority" of organizations look outside their walls for a CISO, Aiello says. However, they will be more likely to hire an insider for the CISO job if it's a newly created position.

So being in the right place at the right time may help you get that newly minted CISO gig, but beware...

A company's first CISO has less power than its subsequent CISOs.
"That first CISO tends to not have as many teeth as the second one," Aiello says. They're likely to be a step below the true C-suite and report to the chief information officer.

Aiello thinks the CISO should be separate from the rest of the IT organization, because security not only impacts technology. "Security organizations are still relatively small [in size], in comparison to the IT department, but huge in terms of importance."

Most companies want to hire a CISO who's already a CISO somewhere else.
This raises a question: How do you get that first CISO job if you can only get one if you already have one? Aiello says you may convince a new employer to take you on if you've reached the highest security position at your current company -- like director or vice president of security -- as long as you have experience within the appropriate industry vertical: finance, healthcare, etc.

CISOs are more likely to come from a technical background.
Though there are people who rise to the security job from outside the IT department -- we'll hear some of their stories in the course of this series -- Aiello says that most of today's CISOs began their careers in an information techology job of some ilk. As the field matures and more IT functions are outsourced, that may change.

A CISSP certification isn't necessarily required for a CISO.
In order to have climbed the infosecurity ladder high enough to be eligible for the "chief" title, you probably will have needed a CISSP already. However, if you've made it this far without one, you probably won't need one now, says Aiello. A four-year college degree, however, is something a prospective employer will want.

[Is there a cyber security skills shortage? Hear what Mark Aiello and Julie Peeler of ISC(2) said on Dark Reading Radio.]

As the CISO job grows bigger and more important, Aiello says, the key is proactively gathering all the knowledge and experience you can.

"Raise your hand. Volunteer," he says. If you've spent most of your career outside of the nitty-gritty, hard-core IT security world, spend more time learning about the tactical side -- the day-to-day tasks of securing a business. If you are from a heavy technical background, learn as much as you can about the business side.

"Understand the problems your technology is there to solve," he says. "Understand what [the company is] securing and why they're securing it."

In the coming weeks, we'll spin out the origin stories of men and women currently holding the CISO position at a variety of organizations. Come back to Dark Reading next Monday for the first "how I became a CISO" tale.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 3
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/21/2014 | 10:32:23 AM
Re: How to Become a CISO
@GonzSTL  I'd imagine that most companies put the CISO under the CIO, because they still see security as a part of IT, and only IT. I understand why -- most of the security efforts rely on IT in one way or another. It does seem a bit silly to name anybody "chief" and have them report to anyone but the CEO, but I imagine that some companies just add the position to add a new tier to the payment structure and give the top security person a raise.... it amazes me just how often that sort of thing happens in big corporations
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/21/2014 | 10:27:37 AM
Re: How to Become a CISO
@GonzSTL  This is a good idea:  "It would be interesting to hear from CEOs of organizations where CISOs report to CIOs, to see what their rationale was for allowing that reporting structure."  Maybe we can do a story or two on that in the near future. 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
10/21/2014 | 9:13:20 AM
How to Become a CISO
This is a great article, and I can't wait for the rest of the series. Mark Aiello makes some excellent points, especially regarding companies where the CISO is a newly formed role. What I would like to know is why a company that creates the new CISO role would have that person report to the CIO. That creates a potential conflict of interest, and violates a sacred rule of integrity – the separation of duties (SoD). SoD is a fundamental principle of regulations like SOX and GLBA, yet organizations do not see that it also applies to security, where it is just as critical as it is to the financial aspects of the organization. But how do you communicate that to an organization where the CIO is firmly entrenched, and has great influence with the rest of the C-suite? It would be interesting to hear from CEOs of organizations where CISOs report to CIOs, to see what their rationale was for allowing that reporting structure.
<<   <   Page 3 / 3
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.