11/26/2018
10:30 AM
Todd Fitzgerald
Commentary

Transforming into a CISO Security Leader

Are you thinking of changing your career route from techie to CISO? Are you making the right choice? Only you know for sure.

Remember that dreaded question on your first job interview? No, not the "What are your weaknesses?" question, but the other one, equally as challenging: "What do you want to be doing in five years?"

How do we even attempt to answer that question when the only tools in our toolbox at that point are a college degree, some work experience at a minimum-wage job, and, if we were lucky, an internship in our field? Is it even reasonable that we would say, "I would like to lead the security operations team — and within three years after that, I would like to be the chief information security officer (CISO) for a small to medium-sized firm"?

Not likely. We muddle through the question and make up some lofty leadership-type role to show the employer that we are thinking of the big picture and want to continuously develop ourselves. The prospective employer is satisfied with the answer and slots us into the work it needs done. We progress through our careers gaining technical or audit process experience until, one day, we are faced with the question of whether we should continue to become the best technical expert or choose the leadership/management track to advance monetarily. Easy, right?

Let's pause here. What is the right choice? Only you know what is best for you. The answer lies in examining the functions for which these roles are responsible and the skill sets required to accomplish them. More importantly, will you be happy performing this new leadership role while the technical competencies start to fade away?

In this world of rapidly advancing technology, leaders in an organization need to be well-versed in emerging technologies and trends, but it is unrealistic to think that the leader will retain the same depth in the technology as when they were focused on the technology directly for the bulk of the workweek. So, are you willing to no longer be regarded as the expert in the technology you worked with every day? Are you comfortable leading or managing individuals who understand the technology better than you do? Are you comfortable leveraging and relying on their insights and ideas for enhancing business practices? Are you willing to spend time learning, in addition to the "day job," to keep up with the technologies?

The CISO role has evolved over the past 25 years from primarily technical beginnings in many organizations to a role requiring more leadership, business savvy, and data awareness. CISOs are managing risk, reporting to the board, managing security incident communications, planning strategies, and implementing multiyear plans to increase the maturity level within their organizations. As indicated in recent culture-of-cybersecurity research from ISACA and CMMI Institute, 41% of company boards of directors appoint an executive to own the cybersecurity culture and 38% schedule one or more discussions about it each year. Additionally, 55% of respondents place the cybersecurity culture ownership responsibility on the CISO, compared with 43% on the CIO and 24% on the CEO.

These numbers clearly demonstrate that the security leader is "on the hook" and needs to be able to influence executive management to secure adequate funding to make a difference in the cybersecurity culture. This means preparing many presentations that translate business needs into security requirements, and explaining, and re-explaining, why the investments need to be made. Business relationships must be built across the organization with an understanding of stakeholder needs. CISOs must embrace ambiguity and uncertainty as they navigate the organization, with each department head vying for the same pot of critical investment funds.

The technical role is in stark contrast to the security leader role. Technical staff are typically rewarded for mastery of a technical skill, application of those skills to an initiative, and implementation within the project schedule and budget. The result is often a concrete, non-ambiguous solution — it works, or it doesn't, and feedback on success is more immediate. High levels of individual contribution are rewarded. Technical positions are obtained more easily, as evaluating technical skill sets is less abstract than evaluating subjective leadership qualities.

The technical background may be a basic requirement for many organizations hiring their first CISO, as they may only be hiring one or two individuals to start building out the program. However, once the team has been built, the technical skills will not be enough for the individual to remain in the role. Security professionals must decide where they would like to spend most of their day and must be honest about the answer. That is the only path to true career happiness.

(This evolution to CISO and the impact on skill requirements are detailed in the author's upcoming book, CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.)


Todd Fitzgerald has built and led information security programs for Fortune 500 and other large companies for 20 years. He was named 2016–17 Chicago CISO of the Year, ranked a Top 50 Information Security Executive, and authored four books, including CISO Compass: Navigating ...
Comments

DrkR34dM4g
User Rank: Apprentice
12/4/2018 | 6:44:09 PM
CISO Finesse
Great points. Technical skills will not be enough for CISOs to thrive in their roles over time. I especially agree with the need for CISOs (and those who aspire to become CISOs) to influence executive management and build business relationships across the organization. The ability to read the situation and the stakeholders in it is essential so that CISOs can handle tricky situations with finesse.

Ryan K. Lahti, Ph.D., author of "The Finesse Factor" and managing principal of OrgLeader