How to become a Chief Information Security Officer (CISO)
As the cost of cybercrime rises, so does the sense of urgency most organizations have for cybersecurity programs. Operationalizing that understanding often translates to the hiring of a chief information security officer, or CISO.
The total amount of data created, captured, copied and consumed globally is projected to grow to more than 180 zettabytes by 2025. While data grows in volume, it also grows in importance. Organizations rely on it to communicate and transact with customers, make better decisions, and develop smarter products. On the other hand, cybercriminals also seek to exploit it. In the middle of this data tsunami sits the CISO, whose job is to develop and implement strategies that safeguard an organization’s information.
With more and more data to protect, an ever-expanding threat landscape to cover and a seemingly unending supply of savvy cybercriminals to block, CISOs have a big job, says Joshua Knight, a cybersecurity professional at Dimension Data. Throughout his 30 years of experience in the security field, he has learned that a CISO holds significant responsibilities within an organization — and it’s much broader than technology implementation.
What does a CISO do?
While the role of a CISO (or chief security officer, CSO, as some may call it) will likely look somewhat different from one organization to the next, most CISOs spend their days overseeing the strategic and operational aspects needed to protect data. They outline technology approaches, define policies and procedures and then implement them across all business areas. “Many of them will work up and through IT,” Knight says.
CISOs have distinct areas of data to secure, including applications, infrastructure, databases and digital, which often consists of a mixture of cloud, IoT, AI and the analytics engine. However, the key to success for CISOs isn’t exclusively the technical knowledge needed to secure these areas. Consideration must also be given to data governance, compliance and physical touchpoints, such as users.
“There is bleed among all of that, but spelling it out across distinct towers shows how a security professional really thinks and how they address the new world.”
In short, it comes down to effectively mitigating risk while also enabling the business. Designing the technology approaches that best secure data is critically important, but so is the ability to work with other members of management. The CISO must continually advocate for security while also aligning protection approaches with business needs. Everyone is ultimately in the business of generating revenue, Knight says.
Some CISOs choose to center their team structure on this goal by adding business information security officers (BISOs) to their org charts. These are security leaders within each business unit or division, usually for a large enterprise. (For more, read: What does a business information security officer (BISO) do?)
“The CISO needs to be able to work with their management peers to develop a long-term security roadmap and how that aligns with the business. At the same time, they should treat their organization as a center of excellence and ensure they are easy to do business with,” Knight said.
What does it take to be a CISO?
CISOs are senior executives who typically report to a chief information officer (CIO) or chief technology officer (CTO). Their expertise must span a wide range of areas, so the individual should have formal education and years of experience. A computer science degree of some type is usually preferred, though not required, as are a number of years spent working with security technologies.
For professionals early in their cybersecurity career who aspire to the CISO role, certain certifications are also helpful and offer a way to demonstrate their security chops. Some to consider working towards include:
- (ISC)² Certified Information Systems Security Professional (CISSP) is one of the most in-demand manager-level certifications. It validates a broad understanding of cybersecurity and requires five years of work in the field.
- ISACA offers several certifications related to business risk, governance and cybersecurity management, such as Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC) and Certified in the Governance of Enterprise IT (CGEIT).
- CompTIA offers several certifications to help progress your career path from basic security (Security+) to more specific skills such as cybersecurity analysis (CySA+), penetration testing (PenTest+) and other advanced technical skills (CASP+).
And, because compliance is also a significant part of security, knowledge of data privacy regulations including GDPR, HIPAA if you’re in healthcare, PCI, SOX and a host of others will also be of benefit. Many of these areas are covered in various IAPP certifications.
Business proficiency and leadership skills are another component necessary for doing the job well. According to Knight, effective communication, security advocacy and a willingness to work as a team ultimately make CISOs successful.
“This is their primary focus. Are we easy to do business with? Do we ensure the state of security? And at the same time, do we drive revenue by enabling the business?” Knight says.
As the value of data continues to grow and change, the professional outlook for CISOs is bright, regardless of industry or geography. “Be a thought leader,” Knight advises. “Be forward-thinking and drive change. If you dig your heels into the ground, you’re going to become a dinosaur.”
To learn more about becoming a CISO, watch the Cyber Work Podcast, How to become a chief information security officer, with Joshua Knight.