How to become a CISO
What is a CISO?
CISO stands for Chief Information Security Officer. The CISO is part of a company’s C-suite, or senior-level executive board. CISOs are expected to focus on the maturity level of the security team and its infrastructure, raise awareness and communicate at both the team level and the executive level. Needless to say, Chief Information Security Officers need both an in-depth understanding of information security and of an organization’s environments, as well as the soft skills required to be an effective communicator and make business cases for better security protocols. They are also responsible for strategizing and leading protocols, incident response plans and security-related initiatives.
What is the Average Salary?
According to Payscale.com, the lowest salary for a CISO lands at $105,788 and the highest is at $251,207, making the median around $153,147.
What are a CISO’s Responsibilities?
A Chief Information Security Officer has a multitude of responsibilities, spanning leadership duties, core cyber security duties and the creation of company-wide programs and protocols. Responsibilities also vary greatly from company to company. Below is an assorted list of responsibilities drawn from various job listings currently on indeed.com:
- Provide strategic risk guidance for business, client and internal IT projects
- Perform evaluations and provide recommendations for technical controls and solutions
- Oversee application and management of information security policies, standards and practices
- Manage multiple departments within IT
- Review and establish strategies to meet long-term IT and business needs and objectives
- Regularly report and present to executives
- Foster and promote continuous process improvement initiatives across IT
- Manage and mentor less experienced IT leaders
- Manage quality control
- Provide guidance and advocacy regarding prioritization of LOB (line of business) investments impacting information security
- Participate in the development, implementation and maintenance of information security for LOB
- Collaborate with risk partners on information security critical priorities
- Build strong partner relationships with peer technology groups
- Participate in key CIO operating routines to drive InfoSec risk strategy
- Maintain an up-to-date understanding of the security threat landscape
- Lead the design and seek funding approval of security systems
- Ensure that disaster recovery and business continuity plans are in place and tested
- Oversee identity and access management
- Schedule periodic audits
- Ensure all security policies and procedures are communicated to all related personnel
- Ensure all contractor managed items are configured to store and archive all system, device, application and security event logs and comply with security policies
- Support and provide necessary information during forensic analysis and investigations
What Educational Background is required?
This is yet another role where there are some differences in what companies expect. Many of the listings I viewed called for a Bachelor’s degree in computer science, information security or a related field, while others simply called for experience and CISSP certification. Experience and soft skills are much more important here.
For the first time in this series, ALL listings agree that a CISO applicant must have 10+ years of information security experience, 5+ years of risk management experience and at least some leadership/management experience. Some listings called for experience in leading multiple teams or departments. Any applicant will need to have sufficient knowledge of the given company’s IT environments.
All listings call for “strong intrapersonal skills”, with an emphasis on written and verbal communication skills and the willingness and ability to learn. Some listings require previous CISO experience as well.
What Certifications should I take?
Where should I start?
Given the array of education required for this job, I’ll refer you to the educational background section for that information. What is important for a security expert to gain, when looking to advance their career to the CISO level, is business understanding and experience. This is where mentors are critical: they provide the insight you’ll need to enter the board room with confidence. You could also pursue some business-related certifications (assuming you already hold the crucial security certifications), such as the CFA (Chartered Financial Analyst), to demonstrate an understanding of financial analysis and to prove an ability to use it effectively when making business cases. There are also college programs that focus on tech leadership, such as a certificate in Technology Entrepreneurship, although many programs of this type require a Bachelor’s degree prior to admission. Lastly, attend conferences. Try to get some speaking gigs. Become a thought leader. Proving your expertise and the value of your opinion is a great way to get ahead of the application cycle when applying for CISO positions.
Not quite ready to take the leap to CISO? Learn How to become an Information Security Analyst here!
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cyber security training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.