What advice would you give aspiring CISOs who want to accelerate their career?


SVP, Chief Information Security Officer in Education, 5,001 - 10,000 employees
In the public sector, you can expect that your employee base will listen to whatever you say, because that's part of the DNA when you’re in government. If a security professional or executive says, “Don't click here,” then people won't because they know there are repercussions. That dynamic doesn't exist in the private sector. In that context, when you tell people, “Don't click here,” some will quickly say, “Why not?” So you have to learn how to tactfully navigate that difference. 

But regardless of the context, having an overall balance between technical prowess and business acumen is critical. You need technical skill to perform strong, protective work and you need business acumen to deal with the C-suite and the board. If you don’t yet have that balance, you need to fill the gap so that you can be as close to the middle as possible. You can do both, but you have to put in that extra effort.

You need to have the respect of your technical team members and if you're purely business-minded, you'll never get it. They'll know that you didn't come up through the ranks. I have no problem spending a weekend writing code if that's going to help my team. Much of the cybersecurity industry has become about buying and implementing products without a technical understanding of how they operate.

Director of IT in Software, 201 - 500 employees
Subscribe to various security feeds and bulletins so you can be up to date with the latest vulnerabilities and 0-days. Knowledge of frameworks is a must. Spend good time learning/practicing NIST, ISO 27001, Mitre etc.
Good cybersecurity talent is hard to find, and you can't do it all on your own so be prepared to spend significant time and energy training and building your team. It's a lot of upfront work but worth it in the long run.

VP of Information Security in Finance (non-banking), 1,001 - 5,000 employees
Join your business management team meetings... you’ll learn where the business wishes to go and how to best assist in enabling it securely.

CISO in Software, 201 - 500 employees
(Assuming you already know the "InfoSec 101", have an existing team and tooling...)

Invest into building your relationship with the business in a way that actually brings value!
- Put a lot of time aside - being stuck in operations won't get you there. Find the ways to understand the business priorities and goals and think how are they aligned with information security at your company. Can you see any major gaps / misalignments / risks?
- Learn how to speak the language of the C-level. State your observations clearly and concisely. Have the supporting materials ready but do not try to overwhelm them. Take the things one at a time, not just risk-based but also context-based. Have a desired outcome for each encounter; be ready to suggest a specific action. Do not hesitate to say you need more time / further analysis when unsure.  
- Stay on top of the security events "out there". Your team should be able to take care of the routine; you need to be ahead of the plane. When your CEO asks about a publicised vulnerability or incident, you should be able to readily answer what your team is doing about it. What are the current trends - any inspirations or aspirations?
- Find a group of peers in other companies to exchange knowledge and experiences. Your local ISACA chapter might be a good source :) A mentor - more senior security executive - would help a lot too. 

Independent Consultant & Industry/Market Researcher in Finance (non-banking), 1,001 - 5,000 employees
Proper cyber hygiene is of great importance for every organisation; in fact, cyber security readiness is now considered at par with core business functions. Every CISO plays a very important role in ensuring robust cyber security posture with proper co-ordination with the CTO/CIO & CEO of the organisation. Further, for the Board of Directors, the CISO has to be the eyes & ears for the existing & emerging cyber security threats.

A CISO is responsible for continuous business functions/operations of the organisation in a secure environment. However, security is becoming increasingly elusive. Therefore, all aspects of people, process & technology have to be continuously assessed and all emerging cyber security loopholes plugged. Continuously monitoring process controls & continuously testing technology infrastructure are important for ensuring robust cyber security posture. However, the most important are the people in the organisation including the third party support personnel & their level of cyber security awareness.
The people in an organisation can work as the most powerful firewall, IPS & IDS and hence must be trained in various aspects of cyber security on an ongoing basis. Instilling a sense of ownership in employees is integral in ensuring a strong cyber security culture and will aid in preventing cyber security risks of all types. In addition, ensure participation in cyber security tests in simulated environments as frequently as possible. Cyber security risks continue to evolve in complexity & criticality and must be addressed pro-actively.

The role & responsibilities of every CISO are becoming increasingly important, risky, complex & critical. As such, a CISO has to continuously update himself/herself and monitor the cyber security posture of the organisation with a dedicated & duly qualified, skilled, experienced team of officials. So long as operations go smoothly, no one will recognise the existence of a CISO. However, if the business operations get interrupted/disrupted due to security issues, the entire organisation will pounce on the CISO brutally. The CISO has to prepare himself/herself for every such eventuality.
