How to prepare for a CISO position

Security professionals must know the business to rise through the ranks.


Chief information security officers and the important work they do increasingly are being recognized in the C suite. Results from the second annual Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by the International Information Systems Security Certification Consortium, show information security professionals are moving up in the corporate ranks.


The study notes that accountability for information security has moved up the management hierarchy and now rests with the board of directors and the CEO, CISO or CSO. Nearly 21% of study respondents said their CEO is now ultimately responsible for information security (nearly double the 12% who held this opinion in 2004), and 73% said this trend will continue.

Complex security solutions, regulatory requirements, advances in attack technology and costly security breaches make it essential that organizations be proactive in guarding their digital assets. As a result, the CISO position centers on risk management and is becoming more integrated with business functions. Security professionals must hone both their technical and their business skills to prepare for this role.

Independent validation of competency and experience, together with a commitment to the information security profession, are door-openers for those who aspire to move into the CISO position. Information-security practitioners should consider the value of obtaining certifications from a professional security association to help further their careers. According to the GISWS, 90% of respondents involved in hiring view certifications as somewhat or very important when they're making hiring decisions. And more than 60% indicated they intend to acquire at least one information security certification within the next 12 months.

There are two categories of information-security certifications: vendor-neutral and vendor-specific. Both are helpful for career development. Vendor-specific credentials (such as those from Cisco and Microsoft) are important ways to gain necessary skills, but they need to be accompanied by certifications that demonstrate a broad foundation of knowledge and experience. The Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA) certifications are sound choices.

When developing your career plan, look for help from associations offering career-building services and ongoing education, opportunities to demonstrate subject matter expertise, avenues for peer networking, access to industry research and volunteer opportunities.

A great resource for finding information security-focused educational institutions and organizations, professional associations, conferences and trade shows, online resources, and publications is the ISC2's 2006 Resource Guide for Today's Information Security Professional, Global Edition. This free guide is available online.

Security certification and experience will do you little good on their own, however. To rise through the technical ranks and become a CISO, you also must be able to communicate in business terms. You can do this by combining your technical expertise with expertise at communicating business value. You should be able to explain the benefits of security in terms of ROI, its value in improving the organization's ability to conduct business and the practical solutions it provides to problems - all interwoven with the organization's appetite for risk.

While you enhance your security and business skills, you can work within your own organization to prepare for a career transition. Here are some ideas from a panel discussion at the 2006 RSA North America conference about becoming a CISO:

Learn to collaborate with other departments to integrate and appreciate other roles. According to an Auburn University study, "Managerial Dimensions in Information Security: A Theoretical Model of Organizational Effectiveness," implementing information security programs requires exceptionally high levels of "task interdependence": Respondents said 62% of their daily tasks depended on the exchange of information or cooperation with others.

Take the value-added approach by learning how to align your responsibilities and accountability with each department's business goals. Look at the big picture - the goals and focus of the organization. Think in terms of the overall business, and know the impact you have on it and how what you do creates value for the organization. Communicating the value of information security will help in building a spirit of cooperation throughout the organization.

Develop your own circle of trust within your organization with representatives from each department to help promote mutual understanding, appreciation and teamwork. When more people agree with you, you gain credibility. Eventually, executives will learn about your group and recognize the value in consulting you.

Engage executives in conversation so they can get to know you and learn to trust you. These conversations should be succinct but meaningful, using business terms, not "geek speak" or acronyms. Determine how you can add value to their goals, then make your case as to why you should be consulted or included in a meeting.

Offer executive and user security-awareness training on security threats affecting home offices and present prevention techniques. Executives will see the difference you make to their home computers or networks, and that builds their trust in your ability to make recommendations for the business' networks.

Learn to balance security risk against business opportunity. Many executives perceive security staff as inflexible, so they don't invite them to strategy meetings. Be flexible in weighing security risks against the business processes that help the organization meet its goals.

So, would you like to be a CISO? Are you willing to step away from some of the technical aspects of information security? If the answer is yes, keep up-to-date with your technical knowledge and certifications, and learn business language and softer communication and presentation skills. Develop relationships with executives so they are aware of your knowledge and skills, will begin to trust you and will see you as a good choice for a C-level position.

Moulton is a CISSP-ISSMP, president and interim CEO of ISC2. He can be reached at

Copyright © 2006 IDG Communications, Inc.
