How to become a CISO

The chief information security officer role is growing in profile and importance. Explore six actionable tips for aspiring CISOs as they work toward cybersecurity's top job.

Cybersecurity issues continue to pervade all areas of business, which means having a great security organization -- and a capable CISO to lead it -- is essential for almost every company. But it takes a certain kind of person, with a special set of capabilities, to thrive in the demanding, tense environments in which CISOs often find themselves.

Must-have CISO traits

Consider the following qualities that make a great chief information security officer (CISO).

Clear thinking under pressure

The single most important attribute in security's top role is the ability to think clearly under pressure. Unlike most professionals, the CISO must be prepared to handle significant business issues at the drop of a hat, in any area of the enterprise.

For this reason, the CISO, above all, cannot be a person who panics. In a security incident, this is the one person who must always be present, understand the dynamics of the situation and act calmly in the face of incomplete information -- even under pressure from executive management to offer immediate answers where they may not exist. Calmness in the face of catastrophe establishes a mood in which everyone can perform better under pressure.

Ability to prioritize

CISOs need to be able to strategically prioritize among myriad necessary actions during a crisis. Competing priorities in a security event might include isolating the system, segregating the network and informing diverse stakeholders -- from management and employees to clients and law enforcement. A security leader must be able to set priorities that most effectively and efficiently minimize the risk to the business in any given situation.

Love of learning and new challenges

The cybersecurity environment will continue to evolve much faster than institutions can develop security policies or vendors can develop mitigating technologies. New threats emerge almost daily, and staff must constantly adapt to this changing environment. A good CISO anticipates these shifts. A great CISO looks forward to and embraces the opportunity to increase the company's security effectiveness in the face of these never-ending challenges.

Great communication skills

A CISO must be an exceptional communicator. Security touches every cross-section of an enterprise, from application development and testing to operations and customer service. The CISO must therefore be able to reach managers across all areas of the business and discuss security issues in language they understand.

The role of the CISO: the demanding CISO role requires a breadth of knowledge.

CISO education backgrounds

The typical CISO career journey starts with an undergraduate education, and many security leaders also hold master's degrees. Historically, CISOs have not necessarily had educational backgrounds in computer science or information technology, although that has proven controversial.

Undergraduate degrees

Some institutions today have cybersecurity programs, but a background in engineering or science fundamentals will arguably better serve an aspiring CISO.

The problem with getting an undergrad degree in cybersecurity is that much of the technology under discussion in class may no longer be relevant 10 years after graduation. A broad understanding of engineering principles and the scientific method, on the other hand, will position one to keep learning, questioning and problem-solving as technology evolves.

Graduate degrees

For graduate studies, a cybersecurity degree may be useful. But one could get just as much, if not more, value from an MBA, which can offer a better education in the business effects of technical decisions.

Remember, for a CISO, broadly understanding many technical domains and how they tie into business needs is more valuable than detailed expertise in configuring firewalls and setting up multifactor authentication. Ideally, those technical experts work for the security leader.

CISO certifications

Certifications have their place in cybersecurity career development, but they are not a fundamental requirement for becoming a CISO. Cybersecurity certifications are most useful for establishing one's professional credibility and getting a foot in the door at a new company.

The certification that seems to enjoy the widest recognition today is the CISSP, which has optional concentrations in architecture, engineering and management. This (ISC)2 certification has broad applicability in the development of security policies and procedures.

Other reputable certifications include the EC-Council's Certified Ethical Hacker designation and ISACA's Certified Information Security Manager. While these and other security designations are helpful to build professional credibility, certifications alone are not sufficient to guarantee a CISO position.

How to become a CISO

Consider the following six tips for becoming a CISO:

1. Develop hard skills

While the CISO is the ultimate cybersecurity generalist, a security professional is unlikely to be a serious contender for the position if they don't bring technical expertise to the table. Anyone aspiring to the CISO role should therefore build mastery in a specific domain, demonstrating their professional aptitude and readiness for more responsibility.

It's less important which subdomain of security one specializes in -- management of firewalls, the design and operation of SIEM systems, etc. What matters is the ability to position oneself as a credible expert in the subsystem or systems where one has invested significant time and energy.

2. Develop soft skills

As security leaders progress in their careers, soft skills become increasingly important. These include the ability to be a team player, understand the big picture and accept responsibility when something goes wrong. A great CISO also cultivates a culture of transparency and openness, readily sharing information with executive leadership, peers and junior managers.

CISOs must also understand how cybersecurity fits into risk management and be able to make strategic decisions accordingly.

3. Anticipate future security requirements

Cybersecurity, like technology, is constantly changing. A CISO must be able to credibly run a security organization today, while also anticipating how it will need to evolve tomorrow.

As an aspiring CISO, learn to identify, understand and embrace future challenges -- and demonstrate that forward-thinking mindset to management. The top security job will often go to the person with one eye on the horizon.

4. Work to improve areas of weakness

It is naturally tempting to play to one's strengths and avoid using underdeveloped skills. But while CISOs don't need to be experts in all things, they should be well-rounded. Everyone has shortcomings, and up-and-coming security leaders should acknowledge theirs and work to overcome them.

5. Keep learning

The best CISOs have a passion for learning and view continuing education as an integral part of their ongoing professional development. This includes attending security conferences, where participants can learn about emerging technologies and connect with their peers.

6. Prepare to be expendable

Some people achieve job security through obscurity. Their thinking is, "If I'm the only person who understands this hardware, software, system, procedure, etc., then I'm too important to replace." But, on the other side of the coin, that person's indispensability can also keep them from getting promoted.

Be expendable. Train subordinates how to do your job, so you can get promoted out of it -- while also helping others get promotions and winning their loyalty.

The CISO role is a big job, full of risks. It is also an exciting job, and more necessary now than ever. While CISOs can seem superhuman, they are human beings who got to where they are through dedication, training, planning and passion.
