If you're interested in becoming a Chief Information Security Officer, here's what you need to know about the CISO role as well as the educational background, training, job experience and IT certifications that will help you get there.
The number and variety of "C-level executives," as the people who report to the Chief Executive Officer (CEO) in large corporations are called as a group, seem to be growing of late. A Chief Information Security Officer, or CISO, is the executive responsible for information security across an entire business or organization.
Understanding The CISO Role
There's more to filling a CISO's shoes than simply possessing a deep understanding of information security. In the executive suite, doing the job means relating specific aspects of business or technology to the overall vision that guides and drives any well-run organization. That means a CISO must also understand the overarching enterprise vision and strategy for the organization, and then take all steps necessary to see that its information assets and technologies are properly protected.
The CISO's job thus spans several vital domains of knowledge, each of which he or she must see put into practice across the enterprise. These include the following:
- Risk assessment, mitigation and avoidance: This means taking a thorough survey and inventory of information assets, intellectual property and other digital holdings of value, understanding the threats they face, and deciding what steps to take to protect those things from damage, loss or harm. Ultimately, this also feeds into security policy, which defines what levels of protection and response should be associated with information assets and digital holdings.
- Legal and regulatory compliance: This means understanding how an enterprise's information assets and digital holdings fall within the scope of applicable laws and regulations, and complying with related requirements such as assessments, audits, reporting, privacy, confidentiality and more.
- Enterprise and security architecture: As a formal discipline within IT, architecture seeks to make sure that technology acquisition and use enables and reinforces an organization's ability to meet business goals, achieve performance and growth objectives, and remain competitive in its chosen marketplace(s). Enterprise architecture takes this view from the standpoint of the entire enterprise, whereas security architecture does it from a more narrow focus on the tools and technologies needed to deliver the kinds and levels of protection that risk assessments and compliance requirements dictate.
The simplest way to understand all of this is to recognize that the CISO's job is to make sure that the organization's security posture and policy line up with the business vision, and to provide the protection and mitigation necessary for that vision to be implemented successfully.
Anyone aiming at a C-level job must earn a bachelor's degree at a minimum, and is likely to earn one or more master's degrees as well. Most C-level execs combine a deep understanding of general business principles and practices with whatever area they specialize in. Thus, a CISO is quite likely to have earned an MBA (Master of Business Administration), as well as a more specialized security-oriented master's degree in computer science or a related discipline.
The master's degrees offered under the aegis of the National Centers of Academic Excellence, a collaboration between the Department of Homeland Security (DHS) and the National Security Agency (NSA) intended to foster the development of qualified cybersecurity professionals, provide a good set of examples of such programs.
There are many information security certifications likely to be of both value and use to aspiring CISOs. Look to more senior infosec credentials like:
- Certified Information Security Manager (CISM)
- Offensive Security Certified Professional (OSCP)
- Certified Information Systems Security Professional (CISSP)
In addition, I would strongly recommend the ISACA Certified in the Governance of Enterprise IT (CGEIT) credential for aspiring CISOs. This credential focuses on an individual's understanding and application of enterprise IT governance principles and practices, which is an essential component of making sure that the enterprise is aware of, and in compliance with, all applicable laws and regulations, especially as they touch on information security.
The C-level executive world straddles a business focus and a technical focus; for a CISO, that technical focus is information security. An aspiring CISO should come out of an enterprise information security operations role, preferably one that includes stints as a technical expert or individual contributor as well as a series of progressively responsible management positions (Manager, Director, VP, and so forth). The important thing about this work experience is that it shows a deep and abiding interest in the subject matter of information security, and a real understanding of how to design, implement, maintain and enforce security in a business context.
For any C-level executive, strong oral and written communication skills are a must. Such people must be comfortable addressing their fellow executives, but also speaking to large numbers of employees, shareholders or investors, or security professionals (perhaps at a company exposition or an industry trade event). As high-level managers, C-level executives must also understand the currents and flows of people and ideas in a political dimension, and know how to persuade stakeholders and fellow executives to adopt or understand particular points of view, or the specific implementations needed to realize enterprise or security architectures.
Training to become a Chief Information Security Officer involves preparing for numerous certifications and accumulating many years of experience, not to mention acquiring the right educational background. Some of the best places to obtain security knowledge include the SANS Institute, ISACA, (ISC)², Infosec Institute and EC-Council. There are plenty of training opportunities for those who seek them, including instructor-led training, computer-based videos, books, labs and other materials, in addition to on-site, in-person training. Like other IT professionals, the CISO needs to keep up with technology trends and learn constantly in order to stay ahead of the technology curve.
The CISO must continually split his or her attention between the current state of information security and technology in the enterprise and emerging or leading-edge developments in the field. It's a delicate balancing act: maintaining an appropriate security posture is increasingly a necessity for business success, yet adopting new platforms and technologies remains a viable method for maintaining or increasing competitive advantage.
Thus, the CISO has to know current security tools and technologies cold, but must also keep a constant eye on new developments in the field, be ready to evaluate interesting candidates, and then implement those that provide necessary or advantageous capabilities in the security realm.
It's a fascinating job, but one that requires lots of effort to attain, and constant effort to fill.