Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How To Become A CISO, Part 1
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
russellnomerconsulting
russellnomerconsulting,
User Rank: Apprentice
6/29/2015 | 5:33:47 PM
Re: How to Become a CISO
The article also speaks to needing to beg, borrow, and steal resources when taking on the role of CISO.  I propose in many instances this constraint is largely self imposed as a direct result of not appropriately managing expectations and building the required trusting relationships at the beginning.   Furthermore, do we really want to position the CISO as a professional scapegoat?  Or does it make more sense to position the CISO as someone with the professional integrity and intestinal fortitude needed to hold their ground while leveraging soft skills for effectively building and managing a balanced security program?
ekwisca
ekwisca,
User Rank: Apprentice
10/24/2014 | 5:21:08 PM
Re: extremely excited
@ODA155, I completely understand. Thank you for the advice. I am currently studying for my CISA to add it to my credentials. There's no end point to me studying. I continuously try to plug myself into different things in my profession for the exposure and experience. I'm looking to do all I can to have a wholly understanding of information security. Just for the benefit of being able to talk the talk of security to a wide range of business professionals. Becoming a C level executive is end my goal, me learning is a forever journey. Thanks again for the advice. Another thing to think about to help me through these tough studying times. Good thing I live in Chicago and it's almost winter. The temperature here is bound to keep me in the house with nothing to do but study.
ODA155
ODA155,
User Rank: Ninja
10/24/2014 | 4:31:21 PM
Re: extremely excited
@ekwisca, Why is it "the end goal"... may I also recommend getting your CISA. In my opinion, the second most helpful trait of a successful security professional after a very good technical foundation is understanding IT audit, its language, the people who conduct them and navigating and using the audit report to you advantage. What you'll find, especially in smaller organizations is that you, the security pro will most likely be standing between management, admin\tech and auditors, juggling everyones needs and requirements against your own. And that is where the third most useful trait comes in... effective communication skills.
ekwisca
ekwisca,
User Rank: Apprentice
10/24/2014 | 10:01:26 AM
extremely excited
I couldn't be more excited about this new series of articles on becoming a CISO. As a young professional in the security world, the CISO position is my end goal. Currently holding my CISSP and CCNA I hope I am on the right track for learning business as well as the technical side of the IT World. Looking forward to next Monday.
Sara Peters
Sara Peters,
User Rank: Author
10/23/2014 | 4:23:16 PM
Re: How to Become a CISO
@ArthurK439  I agree with this: Information protection is crucial to the operations and success of the business, and to have it subordiante to a role that is primarily operational is a recipe for disaster.  But I also just spoke to a CISO who reports to a CIO, and he said that it isn't a problem with this CIO, because they understand and respect security. I wonder if, ultimately, it all depends upon the specific people, not their titles or organizational structure.
savoiadilucania
savoiadilucania,
User Rank: Moderator
10/23/2014 | 11:13:14 AM
Re: Disagree, surprise there
@Sara Peters

The issue is the varying interpretations of what comprises someone that is "technical". For some, it's a candidate that can conceptually walk through technical subjects and enumerate the relevant risks. For others, it's someone that can furnish a detailed explanation of the end-to-end packet delivery process and enumerate the attack vectors along that path. I tend to favor those with a more robust command of security as a discipline, as they can make informed decisions. They are otherwise reliant upon delegation, which isn't the best strategy during times of crisis...
ArthurK439
ArthurK439,
User Rank: Apprentice
10/22/2014 | 2:01:33 PM
Re: How to Become a CISO
I think we have seen the risks where having the CISO reporting to the CIO (Target comes to mind). As long as the CISO is viewed as being IT centric, and not about risk management, there will be an inclination to pidgeonhole it in the former category. At a minimum, it should be reporting to the CFO, and ideally to the CEO. Information protection is crucial to the operations and success of the business, and to have it subordiante to a role that is primarily operational is a recipe for disaster.

As for certifications, having a CISSP as a requirement to being a CISO is not mandatory. That being said, there are significant benefits in possessing it. Primarily, it ensures a common baseline, standardization of knowledge and common language. Secondly, it (and complimentary certifications such as the CISM, CISA and CRISC) is as close as currently we have as profesional designations. Both the ISC2 and ISACA have an ethics requirement, and with privacy and information being so tightly coupled these days, ethical and professional conduct considerations are crucial for a business leader. Just as I woul expect the CFO to be a CPA/CA, a Chief Counsel being a lawyer/JD, I would expect a CISO to be a CISSP/CISM/CISA/CRISC.

The fact is, the CISO role is hibrid in nature, requring both business acumen, technical knowledge, legal/regulatory, etc. Although I do not expect a CISO to configure a firewall, they should understand what it provides as a security control, after all.

 
SDiver
SDiver,
User Rank: Strategist
10/21/2014 | 4:39:59 PM
Certificates and reporting to the CIO
Regarding certificates, I think that they do more than demonstrate competence.  After getting two certs myself I found them invaluable in separating the security 'fact' from 'fiction.'  Any good skill set requires an understanding of a foundations and I believe that the CISSP achieves that requirement.   I would agree with the 'no-cert' requirement if you can independently verify your skill set if you served in the military or law enforcement.


As for reporting to the CIO, the only logical reason I would agree is if you're the CISO of a data center.  I would be wary if the CISO reported to the CIO either in a regulated business such as health or financial.  Implementing the separation of duties concept in reasonable scenarios is the preferred method in a regulated environment.
GonzSTL
GonzSTL,
User Rank: Ninja
10/21/2014 | 2:11:47 PM
Re: Disagree, surprise there
@ODA155 You probably find yourself preaching to the choir as much as I do. Don't you wish you could have a captive audience composed of exactly the right people who need to hear the message?
Marc Eggers
Marc Eggers,
User Rank: Strategist
10/21/2014 | 2:01:55 PM
Re: Disagree, surprise there
@Marilyn Cohodas, I can say after having a number of discussions with HR personell in different industries that is a primary reason for it.  

I do not advocate certifications for certification sake, and I do understand how they are one measure of demonstrating competence prior to obtaining the position.  I used to be one of those who said "if they give me half a chance, I can prove that I can do that", but as time has gone on, I began to understand the position of "I need something to base this chance on other than the person says they can do it".  The certification is an independent mile marker that the person has at least put in the time and effort to learn that much about that subject(s).  
Page 1 / 3   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-41340
PUBLISHED: 2022-09-24
The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery.
CVE-2022-23463
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes suc...
CVE-2022-23464
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information...
CVE-2022-23461
PUBLISHED: 2022-09-24
Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workarounds.
CVE-2022-36025
PUBLISHED: 2022-09-24
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incor...