How to Become a CISO

As many of you probably already know, today’s organizations cannot take the risk of a data breach but, as yet another system hack tops headlines, we’re drawn back to the same questions of how did it happen and who is at fault? But maybe the better questions are, what are those companies not making headlines doing to secure their data and who is responsible for overseeing that part of their business?Our answer to the latter would be the CISO.That said, The Cybrary Cyber Security Job Trends survey from 2015, which polled 435 senior-level technology professionals from October to December of that year, found that only about half or 49 percent of respondents say their companies employ a CSO/CISO who's solely responsible for security.As for where that statistic currently lies, unfortunately, we’re not sure. But with all the responsibilities a dedicated CISO has, the thought of any executive at any company sharing their duties with cyber security is truly concerning.On a given day, CISOs are responsible for overseeing the security initiatives across the business including operations, strategy, and budget. This can even include working with law enforcement regarding security matters and incident investigations.

What does a CISO do?

The Chief Information Security Officer (CISO) is a senior level executive responsible for implementing a complete information security program that encompasses policies, procedures, and technology meant to protect an organization from internal and external threats.  In order to accomplish this, they must establish a culture of security at any company they work for, promoting the fact that security is a collaborative effort and ensuring the correct training efforts for employees are in place.That being said, a CISO must also be able to effectively communicate to other C level executives and board members the importance of cyber security so that it becomes a part of their quarterly agenda and receives the necessary financial backing.“Specific responsibilities of the CISO depend on the size and type of organization. They could be involved in anything from monitoring vulnerabilities to the network and systems to supervising security procedures and standards. They also work with management to implement IT security practices and reviews, as well as be responsible for handling security incidents and doing proper investigation into them. A CISO is also responsible for educating the employees at a company around best security practices and awareness through developing programs,” writes Zetta.com.Each day varies for a CISO, but many are constantly tuned in to the latest cyber security news, researching new technologies and emerging threats, and learning new skills. A good CISO not only has a technical background but, a strong business acumen as well.

Why do organizations need a CISO?

Every company, regardless of industry, needs someone whose first priority is security. Chances are, adversaries are trying to compromise a business’ systems almost daily, so aside from having individuals on the front line ‘defending the fort,’ those individuals need a leader focused on strategy who can verify the proper actions are being taken and the correct technology is being used.In the case that a breach does happen, that organization needs someone who can oversee the incident response plan from start to finish, interacting with law enforcement when needed and making required fixes to the system.Perhaps stated best by securityintelligence.com, “The key value provided by a CISO is in the role of business leadership, as the CISO must drive the information technology and security education of the workforce. In so doing, the efficacy of the various information security policies becomes clear, and the journey toward moving the workforce into a collaborative engagement with respect to information security begins. This collaborative effort goes beyond putting technological solutions on an employee’s client device(s) or network nodes. It must also include comprehensive training and awareness efforts. These efforts will go well beyond the “one-and-done” nature of new employee security orientation, or placing posters and coasters around the workplace.”As businesses continue to evolve the way they operate, those organizations will rely on a CISO to keep them compliant and secure, evolving the security policies and processes when needed.

What skills does a good CISO have?

CISOs must possess the perfect mix of technical and business knowledge. Most have a background working hands-on as an analyst or engineer, moving their way up to a managerial position where they began to take more of a business approach. A good CISO will work collaboratively with many other stakeholders and is an effective communicator and presenter.Someone in this role must have a deep understanding of security measurement, cyber risk management, enterprise security governance and planning, incident response, and information security law. Essentially, they’re familiar with every facet of security and how it affects stakeholders.In addition to their technical and risk expertise, that person is also concerned with strategy, finance, and auditing. They love data and demonstrate strong project management skills. Most of all, they understand how their decisions affect others in the organizations and don’t compromise on security.According to career expert Lee J. Kushner, "This breadth of knowledge will be a key component in the maintenance of their credibility and establishment of trust with the leadership of core technical functions—including software development, infrastructure, engineering and operations."

How can I become a CISO?

Obviously, the career path of a CISO is not one that happens overnight. For those interested in pursuing that role or one similar, you should expect to work in IT and security for 7-12 years beforehand, with about half of that time spent managing security teams.You will need to have a wide breadth of knowledge and skills, as indicated above, so developing a close relationship with a superior who can act as your mentor is very helpful. A future CISO will have a genuine interest in technology and problem solving, keeping up to date on the latest industry news and constantly honing their leadership skills.The mindset of a constant learner is one that embodies a CISO. With this position especially, there is no direct playbook to follow- as new threats emerge and technology changes, that individual must easily adapt and quickly learn whatever is required to keep their organization secure.For those who are further along in their career path and want to define themselves as a cybersecurity leader, you can take the FREE Cybrary CISO course to kickstart your journey.

How can the Cybrary CISO Course help me?

The Cybrary CISO course is ideal course for those with basic hard skills in COBIT, ITIL, CISSP, PCI, NIST & HIPAA, knowledge of network security, experience with security auditing and management (CISA and CISM) and a minimum of 2 years working in an IT or IT Security environment working with security operations.In this online CISO training course, you will learn what other CISO’s are focusing their time and attention on. Among the key topics, you’ll learn how to implement the proven best practices that make for successful cyber security leadership. The content covers a variety of topics including Governance, Management, Auditing, Projects, Technologies, Operations, Strategy, and Financing.Cybrary’s CISO training is useful for IT professionals looking to move up in their organization as well as current CISOs who would like to renew their certification and/or stay on top of the latest trends within the industry. Gain a better understanding of what is expected from a CISO without spending thousands on a training course. Demonstrate to your employer that you are actively learning new management skills by presenting them with the certificate of completion, which also yields CEU credit.Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.