How to navigate the often challenging CISO career path
There's no clear-cut path to becoming a CISO. However, the right security certifications, an ever-questioning attitude and a strong network of CISO peers can help prepare you for the journey.
Becoming a CISO is the dream of many young security professionals -- I was one of them once. However, there's a major challenge with this career vision: How do you prepare to be a CISO? There are no CISO academies; no CISO degrees are available from universities.
There are, however, a number of ways to groom your skills and expand your network to become an effective CISO.
The role of a CISO
No CISO has a normal working environment -- each day is different due to new attackers, new threats and new vulnerabilities discovered by researchers and professional black and gray hats. As such, the duties of a CISO may be nicely defined in a job description, but your first day on the job may have you face-to-face with a ransomware attack or major data breach.
A CISO's job is dynamic -- not one where you sit behind your desk for a 9-to-5 shift. Therefore, the CISO career path requires candidates to ensure skills are not only sustained, but also enhanced over time. Achieving this requires having a CISO mindset.
When you enter into a CISO role, there will be multiple opportunities for you daily. First and foremost, understand the business. Meet with the executives for each division, especially production, operations and procurement. Each executive can affect your day when it comes to cybersecurity. And don't forget the IT department, which will help you maintain the necessary diligence to daily threats and defenses. The IT team can also add to your list of problems if it's not doing its job relative to the classic issues of maintaining proper access controls and patching systems in a timely manner.
I describe the role of the CISO as someone who needs to keep every hole of a kitchen sieve covered with one hand tied behind his back and while wearing welders' gloves. It's an impossible task -- especially because attackers only need one hole of the sieve open or unblocked to make their mark.
One philosophy I have -- and find useful for boardroom conversations -- is that I describe the role of the CISO as someone who needs to keep every hole of a kitchen sieve covered with one hand tied behind his back and while wearing welders' gloves. It's an impossible task -- especially because attackers only need one hole of the sieve open or unblocked to make their mark.
Preparing to be a CISO
What are the first steps to becoming a CISO? There isn't a simple, one-size-fits-all answer. If you want to become a CFO, for example, it would be advisable to begin with a degree in accounting or finance, followed by a Master of Business Administration (MBA) degree. This way, your tool set will be well established and you will be groomed for the CFO role by getting experience in accounting, finance and procurement offices.
Unfortunately, the CISO role doesn't have such a simple path. While you can get a degree in computer science, it doesn't teach you softer skills, such as thinking out of the box, critical thinking or battlefield command. As it stands, I'm not aware of any universities offering CISO degrees.
Today's ideal CISO has experience as a security analyst and security manager in areas such as network security, software development and physical security. She should also possess a degree in computer science, an MBA and maybe even a degree in criminology or forensics.
Preparatory certifications
Certifications are another critical step to navigating a CISO career path. Top CISO certifications include:
Certified Information Systems Security Professional (CISSP), offered by ISC2, is an absolute must for any CISO.
Certified Information System Manager (CISM), from ISACA, is usually a complementary certification to the CISSP.
Certified Information System Auditor (CISA), also offered by ISACA, is appropriate for CISOs in auditing roles.
Certified Ethical Hacker (CEH), from EC-Council, is a certification for network security and pen testing. I obtained this certification early in my CISO career and found it invaluable in providing awareness of technical aspects of cybersecurity and attacks. It also taught me a lot about attacker methodology, often referred to as the cyber kill chain.
Certified Protection Professional (CPP), offered by ASIS, covers cybersecurity, as well as physical security, investigations, security principles and crisis management.
The EC-Council Certified CISO (CCISO) is a relatively new offering. I've never met any CISOs with the CCISO certification and have not taken the examination myself. Therefore, I don't have any background or experience on whether or not this is a valuable certification; however, the domains appear to compliment the roles and duties of a CISO, and EC-Council claims to have certified more than 220,000 security professionals.
Remember, regardless of the number of certifications you carry or the number of degrees you hold, this doesn't mean you'll be a successful CISO. Like a banner I saw at a restaurant once: "Attitude is everything." As a CISO, you need to have a consistently questioning attitude and always ask why an event or symptom is in play. Don't forget: Attackers may not necessarily do a hack and steal -- they may simply penetrate your network and stealthily wait for the right opportunity to steal data or intellectual property.
Be a networking CISO
A CISO's world isn't operated entirely within the boundaries of his company. There are plenty of important people to rely on outside the chain-link fence of the enterprise -- be sure to spend resources to stay connected.
First, get to know your peers. Reach out to CISOs in your industry. There are some organizations -- such as CISO Forum sponsored by the EC-Council, Information Systems Security Association's Executive CISO Forum or the Texas CISO Council -- where you can meet and exchange ideas with other CISOs. Also be sure to take advantage of the Information Sharing and Analysis Center (ISAC) associated with your industry. For example, there are ISACs for the water industry, financial services industry and research and education sector.
Participating in networking and information organizations isn't free; however, it is time and money well spent in order to stay abreast of the threats and vulnerabilities affecting your industry and local companies.
Don't forget to also meet with CISOs in companies across the street, in your city or on your network neighborhood. (Think of your network neighborhood as the entities immediately adjacent to your company's internet protocol address range.) Also, consider meeting with local FBI, U.S. Secret Service and Fusion Center leadership. I've even found meetings with the state attorneys general offices worthwhile. A handshake and cup of coffee could go a long way before a crisis hits your company.
Start your CISO journey
There is no typical CISO career path. In my case, I became CISO the day after 9/11 when my company president asked me to take over company security. In other cases, people climb the ranks from network engineers to security analyst to security manager to CISO.
There isn't a tried-and-true checklist to becoming a CISO, but three pieces of advice:
Constantly learn and get certifications;
Take on security-related jobs that you enjoy and understand; and
Spend time talking to other CISOs to learn how they got their roles and assignments.
Being a CISO is one of the hardest jobs on the planet. You'll never suffer from boredom -- each day, if not each hour, is different.
Many thanks to my friend and colleague Kirk Bailey, CISO of the University of Washington and my security mentor, for some of his ideas and thoughts I captured in this article.
