By: Madison Vorbrich
November 3, 2022
A Deep Dive into the Chief Information Security Officer (CISO) Role
Are you looking to transition into a Chief Information Security Officer (CISO) role but unsure where to begin? Or maybe you're not sure what a CISO does. A CISO leads an organization's security function and the people in it. It is a leadership position responsible for selecting, overseeing, and driving the initiatives that make up an organization's overall security program.
During our monthly role dive webinar series, we examine a specific role on a security team and explore what it takes to be successful and thrive in such a role. This month, we spoke with Malcolm Harkins, Chief Security & Trust Officer with Epiphany Systems, to share his experience and insights into what it's like being a Chief Information Security Officer (CISO).
How Malcolm Started his Career in Cybersecurity
As Chief Security & Trust Officer at Epiphany Systems, Malcolm is responsible for enabling client growth through sound information security infrastructure, systems, policies, and processes.
But let's rewind the clock: how did Malcolm become so successful in his current role and navigate the cybersecurity industry?
Back in the early 2000s, before becoming Intel’s first Chief Security and Privacy Officer, Malcolm worked in business and finance until he was approached by his boss to run security and business continuity. At the time, Malcolm didn't know anything about security, but he jumped in with both feet and has been in the space ever since.
"So, you know, that's how I landed in it. I was always a mission-oriented person, and when somebody said I need your help, I would jump in with both feet, and I've never left the space since."
Q: What tips do you have for someone who wants to become a CISO (whether beginner, intermediate or advanced)?
I think there's a wide variety of things that people can do, but I think hands-on experience is best. So, let's say you're in another part of IT, you're on the help desk or you're a server administrator: go seek out the security team, go volunteer to be an incident commander, go start reading books, take classes, go to conferences, ping people that are in those roles and ask them to mentor you, you know? I think you have to be just like a sponge, and just willing to learn and go talk to people, and then go recognize what you don't know and go figure out how to fill that gap.
Q: For today's senior security leaders, what should they be looking at or focusing on?
Let's start with leadership. Leadership is the art of motivating others who want to struggle for shared aspirations. As a leader, you have to instill that sense of mission, purpose, and belonging in the team. Then there's the management aspect of it. Management is about control, right? We should all know control from a security perspective. But how do you create the projects, the programs, the measurements, and the metrics, to make sure that you're progressing in your organization? Those two key things are primary for any leadership role.
Now, bringing you into cybersecurity, there's an aspect of the skill in the organization that we need to be what I'll call Z-shaped. If you think of a Z, the top line is having a breadth of business acumen, because that's your ability to converse, understand, and have a dialogue with the business. The bottom of the Z is a breadth of technical acumen, where you can converse with the technologists in the CTO office or the CIO team across the landscape of technology. And then the slash that connects the Z is your risk: security controls, compliance, and depth, right?
So we've got to be growing on all those as individuals and as an organization. Then wrapping around all those things is a set of values: your objectivity, your independence, your willingness to be courageous, and sometimes taking risks to manage risks.
Then there's the soup du jour of what vulnerabilities are happening today and how they can impact your organization. So you constantly have to take all those things into account and then apply them so that you can get the context of where there are risks in your organization and what controls need to be in place.
Q: What do people get wrong about your role as a CISO, and what do they usually get right?
One, my scope is not the Chief Information Officer (CIO) scope. It's bigger than the CIO scope. Two, if I'm on the product side, it's not the scope of the product, engineering, and CTO office.
For me, I've evolved the title to Chief Security and Trust Officer, because at the end of the day it's about trust and integrity of the systems, data, and applications. I also look at the broad aspects of business continuity and corporate emergency management as a part of my scope.
Q: What is the best way to transition or train to become a CISO, and what certifications are needed?
Almost any path. So, if I was a help desk person, I would take that skill and then try and find an entry-level security operations role. If I was a network administrator, I would start transitioning into network security. If I was an application developer, I would go learn secure coding, the security development lifecycle, and privacy by design, and then go into application security. So, I think in any spot you can do it.
Where do I go from here?
If you're looking to upskill and transition into, or train for, a CISO role, you can begin by enrolling in our Become a CISO Career Path. Taught by CISOs for CISOs, this Career Path provides a structured curriculum with specialized learning activities that give you real-world training on how to become a successful CISO in the ever-changing security field.
Or, if you’re looking to watch our on-demand webinar with Malcolm Harkins as he discusses how to become a CISO, visit https://www.cybrary.it/business/events/.