C-suites are making room for chief information security officers.
This security-focused executive position is gaining ground as enterprises look for ways to safeguard networks and services without compromising their bottom line. As noted by CBR
, the role is evolving to include more responsibility and greater expectations, even as public and stakeholder scrutiny puts CISOs in the spotlight. Simply put? It’s not an easy job, but for the right IT expert in the right organization it can be the ideal combination of risk and reward.

Considering a shift to the executive track of CISO? Here’s what you need to know.
Get the Training
Want a C-suite job? You need the experience: think 7-10 years in IT with consistent movement toward managerial positions. You also need certifications. Even with a growing IT skills gap, enterprises must be diligent in vetting their CISO candidates, especially considering the degree of autonomy given and the level of aptitude expected. This means you’ll need foundational qualifications such as CompTIA A+ and Security+ along with more advanced credentials such as Certified Information Security Manager (CISM), Offensive Security Certified Professional (OSCP) and Certified Information Systems Security Professional (CISSP).

In addition, many CISOs hold a Master of Business Administration (MBA) from a reputable school. Why this expectation? Because the chief information security officer isn’t just responsible for crafting sound security policy but for designing business-focused deployments that help drive revenue and limit potential losses. As a result, business acumen is considered on par with IT skill.

Finally, you’ll need the CISO course
and exam certification to demonstrate that you have the necessary skills to provide project leadership and develop business-first initiatives.
Know the Role
On the surface, the role of CISO seems simple: design information security measures that defend corporate data without hampering day-to-day business efforts. But that’s just the beginning. As noted by Business News Daily
, CISOs are now called upon to develop company-wide risk assessment strategies, ensure that data handling and use policies meet emerging compliance regulations, and develop a security architecture that enables business growth.

It’s a role that encompasses all aspects of information security and governance, from deploying identity and access management (IAM) solutions that limit application and network risk to educating employees about the dangers of phishing scams
, malware attacks and the need to separate corporate and personal IT use.
Understand the Expectations
It’s also critical to understand the evolving expectations placed on CISOs. As noted by Bank Info Security
, CISOs now have a mandate “to be a Jack or Jill of all trades”, capable of handling any security issue as it emerges and designing strategies that reduce the risk of future security failures.
According to Information Age
, meanwhile, the shift to the C-suite combined with increasing stakeholder and public expectations has resulted in “astronomical” pressure on CISOs to deliver security strategies that both boost bottom lines and defend critical data.

The result? Potential CISO candidates must both know what they’re getting into (this isn’t a job for the faint of heart or anyone who doesn’t have a passion for cybersecurity) and know their own value. New C-suite members must be prepared to advocate for their independence and autonomy; a seat at the table must mean exactly that, not a booster seat or high chair that’s ultimately tied to another executive’s sphere of influence.

This won’t always be an easy sell, but it’s a fair trade: for CISOs to make the kind of sweeping policy changes necessary and ensure all staff members, including C-suite executives, are following the rules, autonomy and independence are critical. Here, experience and certification drive confidence and expectation. Organizations demand a great deal of CISOs, but this is a two-way street.
Prepare for the Future
CISOs must also be prepared to embrace new technologies and adapt to the future of risk. On the infosec side, this means deploying new solutions such as artificial intelligence (AI) where applicable to help take the burden off human IT pros and find potential threats before they breach corporate networks. Automated tools powered by machine learning are also on the horizon: in the right environment, these tools have the potential to streamline incident detection and reporting.

There’s also a need to stay ahead of the game when it comes to new attack vectors. For example, cybercriminals are now deploying in-memory (fileless) attacks that leave virtually none of the on-disk hallmarks associated with traditional malware, and they’re also ramping up background coin-mining attacks that are hard to detect and fully eliminate. Tried-and-true techniques such as phishing and macro-based attacks still see substantial use because they leverage social engineering
and bypass user skepticism. Many malicious emails now appear to come from legitimate sources and demand immediate action; this puts the responsibility on CISOs to both deploy technology controls and create a security-focused culture that prioritizes safety over speed.

Want to become a CISO and take on the challenge of executive-level infosec? Obtain the right certifications, know the job, understand the expectations and get prepared for the future of corporate security.