There's more to filling a CISO's shoes than deeply understanding information security.
The number and kind of "C-level executives," as the people who report to the chief executive officer (CEO) in large corporations are called as a group, seems to be growing of late. A chief information security officer, or CISO, is a C-level executive who is responsible for information security for an entire business or organization.
Understanding the CISO role
There's more to filling a CISO's shoes than simply possessing a deep understanding of information security. In the executive suite, performing those C-level jobs means relating specific aspects of business or technology to the overall vision that guides and drives any well-run organization. That means a CISO must also understand the overarching enterprise vision and strategy for the organization, and then take all steps necessary to see that its information assets and technologies are properly protected.
The CISO's job thus spans numerous vital domains of knowledge, which he or she must see enacted in an enterprise. These include the following elements:
- Risk assessment, mitigation and avoidance ‒ This means making a thorough survey and inventory of information assets, intellectual property, and other digital holdings of value, understanding the threats they face and deciding what steps to take to protect those assets from damage, loss or harm. Ultimately, this also feeds into the enterprise security policy, which defines what levels of protection and response should be associated with information assets and digital holdings.
- Legal and regulatory compliance ‒ This entails understanding how an enterprise's information assets and digital holdings fall within the scope of applicable laws and regulations, and complying with related requirements, such as assessments, audits, reporting, privacy, confidentiality, and more. It also means being both willing and able to shoulder the burden of dealing with a security breach, and assessing and dealing with any potential legal, business, and financial consequences of said breach.
- Enterprise and security architecture ‒ As a formal discipline within IT, architecture seeks to make sure that technology acquisition and use enables and reinforces an organization's ability to meet business goals, achieve performance and growth objectives, and remain competitive in its chosen marketplace(s). Enterprise architecture takes this view from the standpoint of the entire infrastructure, whereas security architecture does it from a more narrow focus on the tools and technologies needed to deliver the kinds and levels of protection that risk assessments and compliance requirements dictate.
The simplest way of understanding all this is recognizing that the CISO's job is to ensure that the organization's security posture and policy align with the business vision; provide the protection and support necessary for its successful implementation; and to spearhead efforts to mitigate and recover from security breaches, privacy or regulatory lapses, or security policy failures that sometimes occur.
CISO Educational background
Anyone aiming at a C-level job must earn a bachelor's degree, at a minimum, and is likely to earn one or more master's degrees as well. Most C-level execs combine a deep understanding of general business principles and practices along with whatever area their specialties may reside. Thus, a CISO is quite likely to have earned an MBA (Master of Business Administration), as well as a more specialized security-oriented master's degree in computer science or some related discipline.
The master's degrees included under the aegis of the National Centers of Academic Excellence, a collaboration between the Department of Homeland Security (DHS) and the National Security Agency (NSA) intended to foster the development of qualified cybersecurity professionals, provide a good set of potential examples for such programs.
There are many information security certifications likely to be of both value and use to aspiring CISOs. Look for more senior information security (infosec) credentials, such as:
- Certified Information Security Manager (CISM)
- Offensive Security Certified Professional (OSCP)
- Certified Information Systems Security Professional (CISSP)
In addition, we strongly recommend that aspiring CISOs earn the ISACA Certified in the Governance of Enterprise IT (CGEIT) credential. That's because this credential focuses on an individual's understanding and application of enterprise IT governance principles and practices. Such focus is an essential component of making sure that the enterprise is aware of and in compliance with all applicable laws and regulations, specifically as they relate to information security.
The C-level executive world focuses on business and some other technical areas. For a CISO, that's information security. Most aspiring CISOs come out of an enterprise information security operations role, typically one that includes stints both as a technical expert or individual contributor, as well as a variety of progressively responsible management positions (manager, director, vice president and so forth). The important thing about this work experience is that it shows a deep and abiding interest and expertise in the subject matter of information security in combination with a real understanding of how to design, implement, maintain, and enforce security policies in a business context.
The important thing about prior experience in reaching for the stars (or a C-level job, anyway) is that it be relevant and hands-on. That means you'll want to put some time into one or more positions where you must enact or implement, then formulate, security policies.
Likewise, it's important to have some experience with incident-response strategies and security remediation in the wake of a breach, break-in or some other kind of "hack attack." Working through multiple regulatory and/or legal compliance exercises, including security audits, investigations and even legal actions will also help you understand the nitty-gritty details of this part of the job.
Given the increasing number of threats and exploits in today's security landscape, it's important to cultivate a "not if, but when" attitude toward future security incidents. If you're ready to deal with such challenges, you're much more likely to demonstrate to upper management that you can do the CISO job with skill, élan and dispatch.
For any C-level executive, strong oral and written communications skills are a must. Such executives must be comfortable and skilled at addressing their peer executives but also speaking with large numbers of employees, shareholders or investors, or security professionals (perhaps in the context of a company exposition or an industry trade event of some kind).
As senior-level managers, C-level executives must understand the ebbs and flows of people and ideas in a political dimension, and know how to persuade stakeholders and fellow executives to adopt or understand particular points of view, or specific implementation techniques needed to realize enterprise or security architecture goals.
Training to become a Chief Information Security Officer involves preparing for numerous certifications and gaining years of relevant experience, not to mention having the right educational background. Some of the best places to obtain infosec knowledge include the SANS Institute, ISACA, (ISC)2, the Infosec Institute and the EC-Council.
Among these infosec-focused sites, you will find plenty of training opportunities for those who seek them, including instructor-led training, computer-based videos, books, labs and other materials, in addition to onsite, in-person training.
Just as other IT professionals must pursue continuing education to keep abreast of new ideas and strategies, the CISO must keep up with technology trends and be constantly learning to keep ahead of the technology curve.
A CISO must continually split his or her attention between the current state of infosec technology in his or her enterprise and emerging or leading-edge developments in the infosec field. It's a delicate balancing act, because maintaining an appropriate security posture is increasingly a necessity for business success, but adopting new platforms and technologies also remains a viable method for maintaining or increasing an organization's competitive advantage. This dichotomy inevitably pits security concerns about new or untried tools or technologies against the competitive advantage they could convey. The CISO is the person who must ultimately decide if the risks outweigh the potential rewards involved, or vice versa.
Thus, a CISO has to know current security tools and technologies cold, but he or she must also constantly monitor new developments in the field, and be ready to evaluate interesting infosec strategies and products, and then implement those solutions that provide either necessary or advantageous capabilities in the security realm.