I talk to so many in this industry who ask me how to become a CISO. My first response is always "Why do you want to be one?" It seems we have goofed up somewhere along the way and created this myth that "CISO" is the pinnacle and that everyone should aspire to it. I say goofed up because we've set ourselves up for failure if that is the case.
CISOing is a negative experience for most who embrace it. Yes, most. Because, no punches pulled here, most aren't qualified for the role. Achieving a role you're not qualified for is 360 degrees of suck with the worst of it being right in the center.
The demands on that role vs. the preparation we receive for that role are radically out of alignment in our field's natural progressions towards higher and higher leadership roles. Unless you travel a weird path, or go out of your way to shore up the deficiencies that our career field introduces, you will fail at CISOing. Full stop.
In no particular order:
- Technical skills (we have that usually)
- GRC skills (we pretend we have that usually, and kinda mostly do. For those who come from this background, the same 'pretend' applies to the technical skills. It seems to be a pick-one-or-the-other proposition.)
- Business skills (we mostly suck here)
- Communication skills (lots of suck here too)
- Risk management skills (yes, it's its own discipline, far bigger than cyber)
- Accounting/finance skills (we mostly suck here too. COGS? P&L vs. G&L? G&A? CAC?)
- Leadership skills (motivating people is not achieved even vaguely by the same skillset that can make technology solutions bend to one's will)
- Ownership/Authority/Accountability skills (we "grow up" hearing that we're advisors, adjunct to the business, rather than being owners of the business)
- Self-education skills (we do well here on technical stuff usually, but not so well elsewhere. We brag about how we adjust to a constantly changing technical landscape while failing to adjust to the business we're a part of)
- Consulting skills (even though we own vs. advise, we still have to learn how to encourage and advise on a peer-to-peer basis if nowhere else)
- Sales skills (sell the problem, sell the solution)
- People skills (this goes without saying, and yet many of us are lacking here)
- "Soft" skills (which are actually hard for most of us, and yet are the skills that make the world go 'round. Oh, the irony)
- Marketing skills (yup, this is required too)
- Project management skills (most of us aren't taught formal process here either)
- Managing up skills (enough said)
That's not a full list either. If you don't care to embrace all of that, and more, don't aspire to be a CISO.
I have met security architects, chiefs of staff, vendors, sales people, project managers, deputies, GRC directors, BISOs, etc. ALL of whom were both contributing and happy.
Be careful what you aspire towards and be prepared for what it takes.
#informationsecurity #cybersecurity #infosec #ciso
Comment (Chief Information Security Officer | Driving Cybersecurity Excellence for Global Businesses, 2w):
Thanks for the insights Michael Piacente, Jason Starr, CISSP, and Jevon Wooden, MBA, ACC💡. It was very helpful to hear how the CISO role is evolving, the trends driving it, and how to manage the change.