Chief Information Security Officer (CISO) is a coveted position in many IT organizations. The high demand for qualified CISOs leads to tremendous competition for capable candidates and correspondingly high salaries. But what’s the real deal behind the scenes? Do you have what it takes to serve in a CISO role? If not, what qualifications do you need before you can join the information security big leagues?
Sitting in an organization’s senior-most security chair requires a unique mixture of professional experience and educational background. The CISO position is a career capstone for some and a way station to the CIO chair for others. Either way, arriving at this destination requires careful career planning. Most CISOs don’t get there by accident.
Life as a CISO
Before deciding that you want to serve as a CISO, you should have a good understanding of what the role actually means. If you’ve risen up through the security ranks, you likely have a fairly good idea of this from observing CISOs in action.
In most organizations, the CISO is primarily an IT leader and only secondarily a technologist. As a CISO, you may have a seat at the IT organization’s leadership table. When you’re sitting there, you must wear two hats — one as the leader of the security team and another as an IT leader of the organization.
One of the biggest career missteps made by new CISOs is becoming “Mr. No” and failing to recognize the balance between security controls and legitimate business needs. CISOs must develop collegial partnerships with other IT leaders and enable the organization to get the job done.
The day-to-day life of a CISO often seems to consist of long periods of quiet punctuated by brief eruptions of chaos. As with the rest of the information security profession, much of our daily work is behind the scenes. CISOs perform all of the routine work involved in managing their teams and handling the daily routine of security operations.
The CISO should also find himself or herself spending a significant portion of time on strategic activities, helping plan the future of both the security team and the broader IT organization. Keeping your head above the weeds is one of the biggest challenges facing new CISOs, especially those who rise up from the ranks of technologists who are comfortable spending their time in the weeds!
CISOs must also take on management responsibility for their direct reports and all of the joys and burdens this entails. If you enjoy inspiring and leading a team, the CISO chair just might be the place for you. If the idea of managing others makes you break out in hives, you might want to rethink your decision to pursue this path.
From a practical perspective, this means that your calendar will quickly fill with one-on-one meetings with your staff, performance reviews, strategic planning sessions and the like. Embrace these opportunities to provide leadership for your organization and the information security profession!
After all that, if the CISO position still appeals to you as professionally rewarding, you’ll find that the financial rewards are also attractive. Recent salary research reveals that, in 2014, CISOs earned the second-highest compensation of any IT professionals, second only to the CIO. CISOs in the survey earned an average base salary of $139,948 and had total average compensation of $160,738.
Building a Professional Background
How do you land in the CISO chair? It probably goes without saying that you need some information security experience. I do know of a few CISOs who moved into the position from other IT disciplines, but they are few and far between. Almost every CISO spent at least a few years directly working in a security function. The security field is quite unique and it would be hard to gain credibility as a security leader without having spent some time in the infosec trenches.
That said, having some technical breadth certainly rounds out a resume nicely. The CISO must interact with every other IT discipline and experience in those areas provides evidence that you will be able to cross outside of security boundaries. If you’ve been in security your entire career and have not been successful landing a CISO position, you may wish to consider taking an assignment out of the field as a career broadening experience.
While it would be nice for every CISO to have prior management experience, the fact is that many organizations hire CISOs with no prior leadership role. There simply aren’t enough qualified candidates out there. That said, if you bring leadership experience to the hiring table, that’s a definite plus!
If you haven’t served as a formal manager, be sure to highlight leadership experiences on your resume and during the interview process. You might share experiences you’ve had serving as a project manager, technical lead, mentor and/or informal coach for your team.
Education and Certification
Organizations tend to be picky about educational and certification backgrounds when hiring IT leaders and the CISO role is no exception. This is particularly true for candidates who may lack the solid security experience, leadership role and/or technical breadth described earlier. Most roles require an undergraduate degree in computer science, information security, IT management or a related field. Graduate degrees are often encouraged. Combining a technical undergraduate degree with an MBA is a knockout punch!
The Certified Information Systems Security Professional (CISSP) credential is a must-have for anyone seeking to land a CISO position. The CISSP is to information security what the CPA is to accounting. While job descriptions might not state a formal requirement for the credential, candidates lacking the certification face an uphill battle.
Earning the CISSP requires that candidates pass a written examination of 250 questions and demonstrate that they hold at least five years of experience in the security profession. Candidates may substitute a related academic degree or professional certification for one of those five years of information security experience.
CompTIA’s Security+ cert is one of the best entry-level certifications in the field and, in addition to demonstrating a basic knowledge of security, fulfills one year of the CISSP experience requirement. If you’re in a hurry to bolster your resume and the CISSP remains out of reach, Security+ is a potential substitute.
Earning the Security+ certification requires passing a 90-question computer-based examination that covers a wide range of topics. Given the entry-level nature of this exam, expect to find questions that are deep in the technical weeds.
ISACA’s Certified Information Security Manager (CISM) certification objectives align nicely with the roles and responsibilities of a CISO. Topics on the 200-question exam include security governance, risk management and compliance, security program development and management, and security incident management.
The CISM is definitely a feather in the cap of CISO candidates but it is certainly not required. I know many CISOs who landed their first position without the CISM credential and now have the strongest credential possible for future CISO positions — experience sitting in the CISO chair!
The Chief Information Security Officer role provides security professionals with a challenging and rewarding opportunity to lead a team of technologists dedicated to protecting the confidentiality, integrity and availability of enterprise assets. Candidates with the right mix of experience, education and leadership talent will find themselves well-rewarded: personally, professionally and financially. It’s a fun job!