To become a CISO, you need a wide range of skills. Some are obvious – technology and organizational skills, for example – but others might be a surprise. Getting the right balance is essential.
There is no one path to take to become a CISO. Rather than looking at this as a role to target, think about building your experience with a range of different teams, companies and situations. It’s also a role that is not for everyone. However, the role can be immensely rewarding for those with the right mindset and skills.
Keeping Up
The first skill and bedrock for a CISO is technical breadth. This should include a passion for new and emerging technologies as well as the older platforms that exist internally. This ability to look at what is developing is essential for forward planning and ensuring that security remains in place over time. Similarly, understanding existing legacy or operational technology platforms will be essential for CISOs in companies that have had assets in place for decades.
It’s impossible to know everything about technology, as the market is so broad. However, being interested in new developments is essential.
If you don’t work across old and new, you leave decisions to teams that don’t have security at the front of their minds. It’s much harder to add security onto new technology purchases after the fact, so ensure you understand the potential risks beforehand. This helps you steer your organization towards new approaches that deliver great results without compromising information security.
Know Your Business
The second skill for CISOs is not technical – instead, it’s about understanding exactly how the organization works in practice and how this compares to other companies in the same sector. For example, if you work for an airline, you should know about your fleet of planes, how things operate to keep those flights going and what success looks like.
Knowing the company in such a way is a challenge. It encompasses different teams, working procedures, locations, languages and time zones. However, it’s impossible to keep up with what should be taking place around information security across the business without this. It’s also more difficult to spot those situations that are potentially not normal for the organization on a day-to-day basis.
You can develop this skill by working with operational teams to see what their goals are, how they think through their processes and how they collaborate with other departments. This helps you improve your overall approach to security planning and effectiveness.
Selling Yourself and Your Program
One essential skill to develop is potentially the hardest for many in IT to acquire. It is evangelism for the work you lead and that your team delivers.
The idea of being a salesperson for your work is anathema for many in IT. We approach situations based on facts, data and benchmarks. However, security falls into the category of risk prevention, which can be difficult to get support for.
If we don’t sell the concepts that we champion effectively, no one else will. Without that ability to evangelize around the value of security, it is much harder to get the support we need. If we don’t shout about the successes – or the risks avoided through careful planning – then we miss out on sharing the good results that we achieve.
This also makes it harder to embed yourself into the strategic areas of the business and keep up with the decisions being made. It is too easy for security to get overlooked, which leads to more problems and higher risks over time.
For anyone thinking about a leadership position around security, focusing on technology is not enough. You have to explain security concepts and value to those that are not technically minded and showcase the great work that your team delivers.
Find Mentors Inside and Outside Your Organization
It is also worth finding people who can help you develop your experience and breadth of knowledge. They can help fill potential gaps in your awareness, from technology experience to physical security and access control. It also provides opportunities to develop other skills like people management and communications.
Seek out leaders in your company who demonstrate the mindset you would like to develop. Network with your peers and find help from them to develop over time as well. This can help you understand the requirements around the CISO role and work on the business, technology and evangelism skills needed.