So you want to be my CISO?

By: rcubed
February 14, 2017

...is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.

If you’ve taken any of the courses here on Cybrary.it dealing with Risk Management, then you’ll know that at its core, it’s about establishing policies and procedures. This responsibility falls squarely on the shoulders of the CISO. But things don’t stop there. Ever take a cert course on Incident Response? The buck stops with the CISO for all computer security incidents. How about one of the fantastic courses on computer forensics offered by Cybrary.it? Yep, the CISO directs all activities related to forensics, from evidence gathering to helping present it at trial.

And any CISO worth his or her salt had better be paying attention to the digital assets of the organization that employs him or her. A major component of Risk Management is Risk Mitigation. This takes many forms, some of which are determining the value of those assets and the cost of protecting them in the way of data insurance, network infrastructure, and security policies. Disaster recovery and business continuity are also major components of Risk Mitigation, and guess who’s responsible for managing the complex logistics behind that? Yep, the CISO. It should then come as little surprise why the role is an executive-level position and commands a premium salary.

If that weren’t enough responsibility to pile on any one individual, there is also the area of maintaining compliance with a host of data security standards. This was the primary responsibility of the CISO when the position first emerged during the 1990s. It has since evolved away from compliance to one more focused on the operational aspects of information security.

Education, Experience, and CERTs

The educational requirements for a CISO are a B.S. degree at a minimum, with more professionals coming into the role with a Master’s degree. Undergraduate studies are usually in a STEM area such as Computer Science or Math. Graduate studies are broader, with some students focusing on computer security while others take more of a business-focused tack by entering MBA and finance programs. Having a solid grounding in business, especially in the industry you will enter as a CISO, is a solid plus.

If you’re angling to land a CISO position someday, coming up through the ranks as an IT professional certainly won’t hurt your chances. When it comes to the value of data security certs, there appear to be two schools of thought: they definitely help, and they don’t really matter if you already have experience under your belt. I was surprised to learn this, but I think you know where we stand here at Cybrary.it. Most will agree that the CISSP certification is one cert that all CISOs should have on their resume, and I think you also know where you can get some excellent free training to prepare for the CISSP exam.

In addition to all the technical and business training and experience required of a CISO, there are also considerable soft skills you must have. After all, a CISO manages people, often quite a few of them, so having good people and leadership skills is a must. A CISO must also be comfortable managing both up and down the management chain. This often involves making presentations to other executives as well as the board and investors. It also doesn’t hurt to have sharp negotiating skills. These come in handy when negotiating contracts with vendors and other suppliers. I forget, did I mention that you need to be a workaholic to be an effective CISO?

Becoming a CISO is a marathon, not a sprint

With all the skills and experience demanded of a CISO, it’s certainly not an entry-level job. The typical age range for a CISO is 40 to 60. Like a fine wine, good CISOs are well-aged. It should also be noted that there's a glaring lack of gender diversity among CISOs. But don’t despair.

It comes down to long-range thinking and planning, and it begins by getting your foot in the IT door. Most CISOs come up the ranks through IT admin and then steadily work their way up the ladder into management roles with greater responsibilities until reaching a VP position. It’s not too unlike scaling Mt. Everest. You make your assault on the summit (CISO position) from the base of a VP position.

It’s even possible to work your way up without a college degree. If you have the drive and innate talent for technology, you can still go a long way just from on-the-job experience combined with a solid portfolio of certs. You can then obtain a B.S. degree in a technology field on a part-time basis while still working full-time. It takes a lot of grit and determination, but it can make things a lot more affordable by keeping student loan debt to a minimum, and it will challenge you like never before. It’s the kind of stuff real CISOs are made of!