Thursday, June 06, 2013

Do You Think You are CISO Material Now or in the Future? Don't Skip this Security Recruiter Blog

What Makes CISOs and CSOs Successful?

For several months, I've been fortunate to share with you what many current CISOs and CSOs think contributes to their success.  During this process of reporting on information I've been fortunate to gather, I've learned a lot and I hope you have too.  

The Benchmark of Success in a Profession

When I'm interested in creating benchmarks for success around a profession, it makes the most sense to me to survey the customers of that profession to find out what they think success is in the profession that is serving them, rather than to get a group of CISOs or CSOs in a room, for example, and then ask them what they think success is for a CISO or CSO.

I've approached the idea of CISO and CSO success from the angle of asking CISOs and CSOs what they think, and I've also, and perhaps more importantly, surveyed the business to find out what the business wants, needs, expects and hopes to receive in terms of service from the security profession.

Today's CISO Insights Come From a Highly Regarded Global Security Expert

In the spirit of this thought process, today I'm fortunate to bring to you insights from a global security industry expert whom I've been fortunate to know for several years.  He at one point was a CISO and is now on the outside of the CISO office looking in from the business' point of view. 

My source wishes to remain anonymous as do most individuals who give me the best information to pass on to the security profession.  I sincerely hope you'll consider the advice you're about to read and that you'll pass this information around to your peers.

When I read this individual's contribution, I did so on the heels of studying a significant amount of data surrounding the Chief Risk Officer profession and the topic of Cyber Insurance. I'll explain in future blogs how these topics connect and why these topics are important to current or aspiring CISOs and CSOs.  

Because I know who this person is and I know the depth and breadth of his position in the security industry and the security profession, I couldn't wait to share with my audience. 

Good to Know, Bad to Hear (or read in this case) 

Warning: if you don't possess some of the skills, traits and attributes mentioned below, your first reaction might be to dismiss this blog. I strongly suggest that you don't dismiss this blog. I call this "Good to Know, Bad to Hear" information if it makes you uncomfortable.

Security Career Coach and Security Executive Coach

One last thought. My Security Career Coach and Security Executive Coach efforts have been built to help aspiring and current CISOs and CSOs seal the gap between where they are currently performing and where the business demands that a 21st century security leader needs to perform.

If you have what it takes to be a CISO of the future but you're not quite sure how to get there, I can help.

Business Intelligence Is The Key CISO Career Skill

The CISO career is quite a challenging choice these days, and it’s getting tougher.

As an ex-CISO who now works in a supportive role to many Fortune 500 CISOs, I’m noticing a trend that is strongly prioritizing business-savvy over and above technical skills. This leads to situations where the traditional career path to the top security role is crumbling; security staff who have dutifully worked for an organization for years are overlooked when the incumbent CISO leaves and a new person is parachuted in with minimal technology skills and, quite often, zero infosec skills.

This can be heart-breaking for the aspiring security staff, but it's important that we learn a lesson from this current trend. Business leaders have at last come to realise that information security and risk management is vital to the health and sustainability of their organization – and now they want to be able to talk about and deal with the topic in their terms.

Anyone who aspires to be a CISO, or who wants to retain their CISO position over the next 5 years, must start to focus on this business transition. You may not need an MBA, but recognise that you are likely to be competing for roles with candidates who have them. If you can keep up with these staff on the business side then you can leverage your security skills to make yourself the ideal candidate.

So consider:

  • Can you read and explain your company’s annual financial report?

  • Can you recall your company’s strategic goals over the next 3 years, and describe how your security strategy supports these targets?

  • Can you pull together a business case that is both strategically and financially compelling?

  • Can you point to a track record of delivering programs of change to time and to budget?

Whatever we think today, it’s likely that these types of skills are going to become more in demand for the top security roles as we progress. Security operations can be exciting and fulfilling; however, if you aspire to climb the security ladder it’s vital that you support your technical insight with real business intelligence.