The number and variety of "C-level executives," the group of people who report directly to the chief executive officer (CEO) in large corporations, has been growing of late. A chief information security officer, or CISO, is the executive responsible for information security across an entire business or organization.
Understanding the CISO role
There's more to filling a CISO's shoes than possessing a deep understanding of information security. In the executive suite, doing the job means relating specific aspects of business or technology to the overall vision that guides and drives any well-run organization. A CISO must therefore understand the enterprise's overarching vision and strategy, and then take the steps necessary to see that its information assets and technologies are protected in proportion to the risk they carry.
The CISO's job thus spans several vital domains of knowledge, each of which he or she must see put into practice across the enterprise. These include the following:
- Risk assessment, mitigation and avoidance: This means taking a thorough inventory of information assets, intellectual property and other digital holdings of value, understanding the threats they face, and deciding what steps to take to protect them from damage, loss or misuse. Those decisions feed directly into security policy, which defines what levels of protection and response are required for each class of information asset.
- Legal and regulatory compliance: This means understanding how the enterprise's information assets and digital holdings fall within the scope of applicable laws and regulations, and meeting the related requirements, such as assessments, audits, reporting, privacy and confidentiality obligations. It also means being willing and able to shoulder the burden of a security breach when one occurs, including assessing and dealing with its potential legal, business and financial consequences.
- Enterprise and security architecture: As a formal discipline within IT, architecture seeks to ensure that technology acquisition and use enables and reinforces an organization's ability to meet business goals, achieve performance and growth objectives, and remain competitive in its chosen marketplace(s). Enterprise architecture takes this view from the standpoint of the entire enterprise, whereas security architecture narrows the focus to the controls, tools and technologies needed to deliver the kinds and levels of protection that risk assessments and compliance requirements dictate.
The simplest way of understanding all of this is to recognize that the CISO's job is to make sure the organization's security posture and policy line up with the business vision, to provide the protection and mitigation needed to carry that vision out, and to lead the response to and recovery from the security breaches, privacy lapses and regulatory failures that inevitably occur from time to time.
Anyone aiming at a C-level job must earn a bachelor's degree at a minimum, and is likely to earn one or more master's degrees as well. Most C-level executives combine a deep understanding of general business principles and practices with expertise in their own specialty. Thus, a CISO is quite likely to hold an MBA (Master of Business Administration) as well as a more specialized, security-oriented master's degree in computer science or a related discipline.
The master's degree programs designated under the National Centers of Academic Excellence, a collaboration between the Department of Homeland Security (DHS) and the National Security Agency (NSA) intended to foster the development of qualified cybersecurity professionals, provide a good set of examples of such programs.
There are many information security certifications likely to be of value to aspiring CISOs. Look to senior infosec credentials such as:
- Certified Information Security Manager (CISM)
- Certified Information Systems Security Professional (CISSP)
- Offensive Security Certified Professional (OSCP), which is a hands-on penetration-testing credential rather than a management one, but which demonstrates the technical depth that helps a CISO judge what an attacker can actually do
In addition, I would strongly recommend the ISACA Certified in the Governance of Enterprise IT (CGEIT) credential for aspiring CISOs, because it focuses on an individual's understanding and application of enterprise IT governance principles and practices. That focus is an essential part of making sure the enterprise is aware of, and in compliance with, all applicable laws and regulations, especially as they touch on information security.
Every C-level executive combines business expertise with depth in some other area; for a CISO, that area is information security. An aspiring CISO should come out of an enterprise information security operations role, preferably one that includes both stints as a technical expert or individual contributor and a series of progressively responsible management positions (Manager, Director, VP and so forth). What matters about this work experience is that it shows a deep and abiding interest in information security, and a real understanding of how to design, implement, maintain and enforce security in a business context.
The important thing about prior experience in reaching for the stars (or a C-level job, anyway) is that it be relevant and hands-on. That means you'll want to put some time into one or more positions where you must first implement security policy and later formulate it. Likewise, it's important to have experience with incident response, and with remediation in the wake of a breach, break-in or other attack. Working through multiple regulatory and legal compliance exercises, including security audits, investigations and even legal actions, will also help you understand the nitty-gritty details of this part of the job. Given the volume of threats and exploits in today's security landscape, it's important to cultivate a "not if, but when" attitude toward future security incidents: plan, rehearse and document the response before it is needed. If you're demonstrably ready to deal with such things, you're much more likely to convince upper management that you can do the CISO job with élan and dispatch.
For any C-level executive, strong oral and written communication skills are a must. Such people must be comfortable addressing their fellow executives, but also speaking to large groups of employees, shareholders or investors, or security professionals (perhaps at a company meeting or an industry trade event). As high-level managers, C-level executives must also understand the political currents of people and ideas within the organization, and know how to persuade stakeholders and fellow executives to adopt or at least understand particular points of view, or the specific implementations needed to realize enterprise or security architectures.
Training to become a Chief Information Security Officer involves preparing for numerous certifications and accumulating many years of experience, not to mention the right educational background. Some of the best places to obtain security knowledge include the SANS Institute, ISACA, (ISC)2, the Infosec Institute and the EC-Council. There are plenty of training opportunities for those who seek them, including instructor-led courses, computer-based video, books, labs and other materials, in addition to onsite, in-person training. Like other IT professionals, the CISO needs to keep up with technology trends and learn continually to stay ahead of the technology curve.
A CISO must continually split his or her attention between the current state of information security and technology in the enterprise and emerging or leading-edge developments in the field. It's a delicate balancing act: maintaining an appropriate security posture is increasingly a necessity for business success, yet adopting new platforms and technologies remains a viable way to maintain or increase competitive advantage. This inevitably pits security concerns about new or untried tools and technologies against the advantage they could convey. The CISO is the person who must ultimately decide whether the risks outweigh the potential rewards, or vice versa.
Thus, the CISO has to know current security tools and technologies cold, but must also keep a constant eye on new developments in the field, be ready to evaluate promising candidates, and then implement those that provide either necessary or advantageous security capabilities.