Business savvy and strategic skills are crucial for this linchpin security role
The global cybersecurity industry is growing rapidly. Market researchers at IDC believe spending in the sector will reach almost $134 billion by 2022.
The industry also employs just short of a million people in the US alone, according to Cyberseek. There are currently around 500,000 unfilled jobs in the sector.
At the head of that vast – and growing – army of specialists in many large organizations is the chief information security officer, or CISO.
But growing numbers of smaller organizations are appointing CISOs, too. CISOs are also increasingly likely to report directly to the board, or to sit on the board themselves. And the CISO is the guardian of one of the business’s most important assets: data.
After speaking to several industry experts, our guide on how to become a CISO shows that business savvy and strategic skills are crucial for this security role. However, these are just two of an almost never-ending list of requirements.
What is a CISO?
A CISO is typically the most senior person responsible for IT security in an organization. They usually – though not always – run the IT security department.
However, the role is about much more than blocking cyber-attacks and preventing data breaches.
“Traditionally, a chief information security officer serves as the senior-most executive responsible for the strategy, design, development, and performance of the people, processes, and technologies that constitute the protection and defense of a company’s digital ecosystem,” Jenai Marinkovic, vCTO/CISO for Tiro Security, told The Daily Swig.
“In short, a CISO protects and defends that which is most important.”
Larger organizations might have more than one CISO, to cover separate territories, or functions. This might be within IT, but CISOs can also be located in security or risk management, or business operations teams.
“Generally, a CISO is not in an operational role so they are rarely concerned with overseeing the day-to-day activities of staff and departments,” explained Mark Ward, analyst at the Information Security Forum (ISF), to The Daily Swig.
“Instead, they define the boundaries of the secure environment in which a business and its staff operates.”
The CISO is a senior leadership job, responsible for setting policy and direction as much as, if not more than, the nuts and bolts of security. And increasingly the focus is on risk. Information and automation are so important to businesses now that an IT security failure is a threat to the survival of the business.
“The CISO’s role is all about risk – helping an organisation understand how it is putting itself in the way of harm and advising it how to avoid those problems,” Ward explained.
“It’s about spotting potential losses and then putting in place policies, and enforcing them, to minimise the loss if and when it occurs.”
How many companies have a CISO?
Not all companies have a CISO, but the number is growing. A survey carried out in 2019 by Bitglass found that 62% of Fortune 500 companies now have a CISO.
However, the global picture shows that CISOs are elsewhere an uncommon breed. Security researcher and journalist Brian Krebs found that just 5% of the 100 biggest companies list either a CISO or chief security officer in their roster.
Most CISOs work in medium to larger businesses, but this is changing. PA Consulting, an advisory firm, says that CISOs are most likely to work in companies with 250 or more workers.
“As a result of the digital economy, CISOs are found more widely across all sectors, both private and public,” Luke Vile, cybersecurity expert at PA, told The Daily Swig.
CISOs are also more common in highly regulated industries, including finance and the utilities, as well as tech-focused start-ups.
Key responsibilities and duties for a CISO
The CISO’s responsibilities will depend on the type of business, as well as its reporting structure.
“Key responsibilities vary greatly, from IT security reporting into the CIO to influencing company strategy and broader security strategy to support the company vision. And every variation in between,” Thom Langford of TL(2) Security and former CISO at Publicis Groupe told The Daily Swig.
The primary mission is to secure the business in the cyber domain, but the role goes far beyond that. The line between data privacy and data security is one CISOs often have to straddle.
They might form part of the business’s compliance team as well as being an adviser on risk. They might also head up business continuity and disaster recovery.
And the CISO has to play the role of futurist. He or she needs to look forward – at potential threats but also at new technologies and how they can be secured. Artificial intelligence and the Internet of Things (IoT) are just two areas where CISOs are starting to focus more attention.
What qualifications do you need to become a CISO?
Perhaps surprisingly, there are no formal qualifications on the ladder to becoming a CISO. Some CISOs do have a technical background, either in data security operations, such as being a threat analyst, or more broadly in IT. But being able to code is certainly not a requirement.
Other CISOs have a background in management consultancy, or in the military. A broad base of experience, and leadership skills, often count for more than technical know-how.
CISOs, though, are likely to have a degree, potentially a security accreditation, such as CIISP or CISM, and increasingly a formal management qualification, such as an MBA. An MBA certainly helps a CISO ‘sell’ cybersecurity to other senior managers.
“The most common misconception is that a CISO should come from a highly technical – for example software and coding – background,” said PA Consulting’s Vile.
“Many CISOs’ primary responsibility is to deliver a strategic security programme across their organisation. Although a breadth of security and technical insight and knowledge is required to deliver a security programme, a deep-rooted background and individual expertise in software security is not necessary.”
How many years’ experience is required to become a CISO?
Again, there is no fixed rule, but a CISO’s experience is likely to align with the maturity of the organization and the scope of the role.
“Purely technical CISOs would have many years in the IT field, while strategic CISOs may have broad experience across many fields, most importantly in ‘business’ [functions],” argued former CISO Thom Langford.
“That said, a CISO with less than 10 years’ work experience may struggle in any sizeable business due to the complexities of an enterprise.”
What is a typical CISO salary?
A basic CISO salary starts at around £70,000 in the UK or $80,000 in the US. UK job site Glassdoor puts the average UK CISO salary at around £117,000 ($162,000), while US equivalent PayScale puts the figure across the Atlantic at about $166,000.
CISOs in large, complex, or at-risk businesses could earn more, perhaps as much as $1 million.
CISO careers, however, can be short and intense: a 2020 report from domain name registry Nominet put the average tenure at just 26 months, in part due to stress and burnout.
Tips on how to become a CISO
Expert advice from current and former chief information security officers:
Thom Langford – TL(2) Security
- Understand the business first, not security first.
- Think of your security program in terms of the company vision and goals, not security vision and goals.
- Broaden your skillset. In a technical role? Learn to understand risk management for instance, and vice versa.
- Hone and polish your management and leadership skills; the higher you climb the more these are important.
- Learn to compromise, constantly. Recognize when losing a battle is advantageous to winning the long-term war.
Mark Ward – Information Security Forum
- Have a solid technical background in operations or system admin to help develop an understanding of how organizations function.
- Build up team management, networking, and development skills.
- Keep up to date and familiar with regulation and compliance requirements.
- Learn how to build consensus and other ways to bring about cultural change in large organisations.
- Practice good communication skills.
- Do an MBA.
Jenai Marinkovic – vCTO/CISO, Tiro Security
- Be very familiar with the components of an end-to-end security program.
- Spend time understanding how to build a security organization, and how a high-performance security organization looks and is measured.
- Become very familiar with how to monitor and manage enterprise risk.
- Build skills in operating and running innovation and creative technology teams.
- Be willing to invest in becoming a high-performance leader. CISOs are high performers who are fearless in the face of failure.
Where does the CISO sit in a business?
The traditional path was for the CISO to report to the chief information officer (CIO). That is changing, with more CISOs reporting directly to the board or the CEO. Others report to the chief risk officer, the head of operations, or potentially the chief security officer.
In some firms, the role of the chief security officer and the CISO are converging, with physical and human security increasingly overlapping with the security of data and applications.
“Ultimately, it depends on how security is perceived in an organisation and how well that CISO evangelizes what they do,” suggested the ISF’s Ward.
The CISO will also be a manager, running myriad security functions, including threat analysis, incident response, and forensics. Those working as CISOs are also likely to manage contract staff and suppliers.
“However, the CISO should not manage anyone involved in operational IT activities to ensure zero conflict of interest,” said Langford. This is because the CISO is ultimately responsible to the board for security testing and compliance with security policies.
This arrangement can make for a sometimes stormy relationship between the CISO, chief technology officer (CTO), and CIO. The CIO wants and needs to keep the lights on. The CTO wants to develop new tools and technologies to drive efficiencies, develop new products, or enter new markets. Security might not be their top priority.
The CISO has to walk the line between helping the business to meet its commercial goals and avoiding existential threats. Often, it is a very fine line indeed.
What are the top concerns and challenges for CISOs in 2020?
At the time of writing, the CISO’s overriding priority is simply survival. Ensuring that the business can function and endure, with a base level of security, is a challenge in itself during a time of global pandemic.
The coronavirus crisis has driven a mass migration to home and remote working, as well as placing immense pressure on supply chains and digital service delivery.
The CISO will be fighting to keep the business working, but with one eye on the future: systems and policies put in place now may well need to be revised and changed, and quickly, when circumstances return to normal.
Further out, the CIO has to justify a growing budget, and ensure that the money spent on digital security is well spent. And all CISOs face a challenge to recruit and retain the right people. The information security skills gap remains wide.
Then there is the next wave of technology. Marinkovic, who is also a technology and information security consultant at Beyond, and ISACA cybersecurity expert, cautions that emerging technologies such as AI bring their own security challenges. PA Consulting’s Luke Vile, meanwhile, points to ongoing regulatory pressures.
With many people searching for how to become a CISO, this is no doubt a difficult career to break into. And while those with experience in the industry are in agreement that the role will never be easy, one thing is clear: the position is valuable and can be highly rewarding.