The CISO job is one of those positions that's much easier to get once you have a proven track record. However, companies are seeking first-time CISOs and finding candidates externally, and in rarer instances, from within their ranks.
How can CISO job candidates establish that they have security leadership abilities?
Many companies will require certifications, like CISSP, which demonstrate that the job seeker understands the lingo as well as the rules and regulations. But certifications and degrees are never a substitute for on-the-job experience.
The business information security analyst -- an analyst who works with business units when they want to roll out new processes or services -- is a role increasingly found in top-level security programs. "That is often becoming a great role for people to grow into CISOs because they are learning how the business operates," says John Pescatore, director of emerging security trends at the SANS Institute, which trains a lot of first-time CISOs. "At the same time, they are growing their experience in security."
"Traditionally, our cyber leaders and experts had an IT background, and those skill sets are incredibly valuable," says Suzanne Hall, managing director of PwC's cybersecurity practice. "What we have seen and what we are recommending is that a more diverse cyber skill set is beneficial for organizations." And by diversity, Hall means more than closing the gap for women in security. Companies should augment technical staff with good communicators, people who can talk about cybersecurity in business terms. "That will help organizations feel more comfortable about where they are in terms of cyber capability and also put the right defenses in place to be able to react and respond to cyber instances going forward," Hall says.
Women in security may have a harder climb into leadership roles, including the CISO job. Diversity of thought and team is critical for the security organization. In "The 2017 Global Information Security Workforce Study: Women in Cybersecurity," cosponsored by PwC, researchers found that women in leadership roles had higher levels of education -- a master's degree versus a bachelor's degree -- and that women were earning a lower salary in these roles at the executive level, an average of $4,500 less than men in the same role. "We certainly are finding that the gap continues to be pretty pervasive and intractable," Hall says.
In this special issue, we look at cybersecurity careers from different angles, from the CISO job to threat hunting to diversity of skill sets in security. Whatever career path you are on, there is a lot of opportunity in the information security industry.