What would you say about a job where the primary attributes were only accepting workaholics, where your successes received little notice but your slip ups most likely would cost you your job or worse, get worldwide media attention, and you could never let your guard down? Sounds like the job description for an NHL goalie. Actually, it’s the job description for a Chief Information Security Officer (CISO). And where an NHL goalie is forgiven a boatload of “slip ups” in the way of goals allowed and can still be considered an all-star, a CISO can be quickly unemployed with just one major security lapse. No CEO wants his company to join the “Security Breach Hall of Fame” with such luminaries as Target, Sony, and Home Depot. Despite such enormous job pressures, the position of CISO is the pinnacle of most IT careers – just behind, or more commonly, right alongside, the Chief Information Officer (CIO).

The salary range for the CISO position is $88,937 to $203,740 annually as of January 2016, with a median salary of $145,319. Not too shabby! The icing on the cake is that demand for CISOs only continues to increase in concert with growing data security threats. Virtually all large organizations now have a CISO position, and even smaller ones are beginning to identify the need for having a CISO on staff. And as with most cybersecurity positions, demand has already outpaced supply. In fact, President Obama created the first National CISO position along with one for a White House CISO. Of course, the White House CISO was recently canned by the new administration. It always helps to have your resume as well as your LinkedIn profile up to date.

CISO Job Responsibilities
The CISO position is an executive-level position, i.e. a “C-level” position, and typically reports to the CEO of an organization. In some cases, the CISO is a direct report to the CIO, but this has some inherent conflicts of interest: the person responsible for finding security problems reports to the person responsible for the systems that have them. The trend is to have the CISO report directly to the CEO or even the board of directors and run a completely independent department.

The responsibilities of a CISO are vast. In fact, they can appear downright staggering. The definition from Wikipedia.org is rather broad and seems mundane until you stop to consider everything that’s involved with the role:
...is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.
If you’ve taken any of the courses here on Cybrary.it dealing with Risk Management, then you’ll know that at its core, it’s about establishing policies and procedures. This responsibility falls squarely on the shoulders of the CISO. But things don’t stop there. Ever take a cert course on Incident Response? The buck stops with the CISO for all computer security incidents. How about one of the fantastic courses on computer forensics offered by Cybrary.it? Yep, the CISO directs all activities related to forensics, from evidence gathering to helping present it at trial.

And any CISO worth his or her salt had better be paying attention to the digital assets of the organization that employs him or her. A major component of Risk Management is Risk Mitigation. This takes many forms, some of which are determining the value of those assets and the cost of protecting them in the way of data insurance, network infrastructure, and security policies. Disaster recovery and business continuity are also major components of Risk Mitigation, and guess who’s responsible for managing the complex logistics behind them? Yep, the CISO. It should then come as little surprise why the role is an executive-level position and commands a premium salary.

If that weren’t enough responsibility to pile on any one individual, there is also the area of maintaining compliance with a host of data security standards. This was the primary responsibility of the CISO when the position first emerged during the 1990s. The role has since evolved away from compliance toward one more focused on the operational aspects of information security.

Education, Experience, and CERTs
The educational requirements for a CISO are a B.S. degree at a minimum, with more professionals coming into the role with a Master’s degree. Undergraduate studies are usually in a STEM area such as Computer Science or Math. Graduate studies are broader, with some students focusing on computer security while others take more of a business-focused tack by entering MBA and finance programs. Having a solid grounding in business, especially in the industry you will enter as a CISO, is a solid plus.

If you’re angling to land a CISO position someday, coming up through the ranks as an IT professional certainly won’t hurt your chances. When it comes to the value of data security certs, there appear to be two schools of thought: they definitely help, and they don’t really matter if you already have experience under your belt. I was surprised to learn this, but I think you know where we stand here at Cybrary.it. Most will agree that the CISSP certification is one cert that all CISOs should have on their resume, and I think you also know where you can get some excellent free training to prepare for the CISSP exam.

In addition to all the technical and business training and experience required of a CISO, there are also considerable soft skills you must have. After all, a CISO manages people, often quite a few of them, so having good people and leadership skills is a must. A CISO must also be comfortable managing both up and down the management chain. This often involves making presentations to other executives as well as the board and investors. It also doesn’t hurt to have sharp negotiating skills. These come in handy when negotiating contracts with vendors and other suppliers. I forget, did I mention that you need to be a workaholic to be an effective CISO?

Becoming a CISO is a marathon, not a sprint
With all the skills and experience demanded of a CISO, it’s certainly not an entry-level job. The typical age range for a CISO is 40 to 60. Like a fine wine, good CISOs are well-aged. It should also be noted that there’s a glaring lack of gender diversity among CISOs. But don’t despair. It comes down to long-range thinking and planning, and it begins by getting your foot in the IT door. Most CISOs come up the ranks through IT admin and then steadily work their way up the ladder into management roles with greater responsibilities until reaching a VP position. It’s not too unlike scaling Mt. Everest. You make your assault on the summit (the CISO position) from the base camp of a VP position.

It’s even possible to work your way up without a college degree. If you have the drive and innate talent for technology, you can still go a long way just from on-the-job experience combined with a solid portfolio of certs. You can then obtain a B.S. degree in a technology field on a part-time basis while still working full-time. It takes a lot of grit and determination, but it can make things a lot more affordable by keeping student loan debt to a minimum, and it will challenge you like never before. It’s the kind of stuff real CISOs are made of!