The regulatory compliance wave of the late 90s and early 2000s carried unsuspecting people from a variety of professions into a career in information security. Jennings Aske, CISO of Nuance Communications, was one of those who caught the wave -- but not just because he had the good fortune of being in the right place at the right time.
Like many chief information security officers, Aske did not set out for a career in security or even technology.
"I really did stumble into something good for me," he says.
Aske was an English major who just happened to build PCs and crystal radio sets for fun in his spare time. Yet, his next career maneuver didn't proceed along either the English or technology tinkering paths.
Instead, Aske became an attorney. While editing law journals and working for the Chief Privacy Officer in the Massachusetts office of health and human services, Aske became intimately familiar with the hefty text of the Health Information Portability and Accountability Act. While studying HIPAA, something became clear to him.
"There was a need for people who understood law to get into data security issues," says Aske. Although he was not a technologist by education, that old interest in technology combined with his new experience made him a good fit.
Yet perhaps most importantly, he was simply curious, and willing to educate himself about the tools and techniques of the trade, whether it be business operations or Ruby on Rails development.
"It's definitely a very academic approach that I've taken," says Aske. "I liken it to a lawyer preparing for a case."
He points out that even those people who enter the information security field with a formal education in IT have to continue their studies while on the job, because in such a quickly evolving field, what you learned in school will be largely outdated a mere five or 10 years after graduation.
"Security doesn't seem to [invest as much] in training as other parts of IT," says Aske. "You really have to invest in yourself and your knowledge."
Aske rose up to become CISO for the Massachusetts Executive Office of Health and Human Services, overseeing information security for 16 state agencies. He moved on to other CISO positions within healthcare before taking the job at Nuance Communications in January.
"I don't have to be a subject matter expert in everything," says Aske. However, he cautions, "I've seen some security leaders who are so divided from technology that they aren't able to lead the operational staff."
Aske's main advice to aspiring CISOs is to always be learning -- not only from peers, but from staff and from those outside IT entirely.
"Don't come into the organization as King Security," he says. "Come in and listen. Come across as humble. Because eventually you'll need to tell people 'no'" -- they'll be more likely to cooperate with you then if you cooperated with them first.
This is part four of Dark Reading's How To Become a CISO series. Read the previous segments to learn what employers are looking for in a CISO, and to hear how Janet Levesque, CISO of RSA, and Quinn Shamblin, CISO of Boston University made their way to the top job.