Being a CISO is not a job. It’s a vocation that requires the mindset of a professional like a police officer or a firefighter. And despite the statistics, it’s a long-term career.
The average tenure of a CISO is 18 months. That figure reflects CISOs who build or fix a company’s security program, reach a steady state of operation, and move on. But the idea of reaching a final “state of security” is misplaced. Instead, the work is about making the operating environment more secure over time. Succeed and you make a measurable, tangible difference in the world.
If that sounds appealing — and you enjoy variety — the cybersecurity profession, and being a leader in it, is incredibly rewarding because you never encounter the same day twice.
CISO career: Every day is different
I work for a managed security service provider, and the biggest risk to our business is that bad people compromise us in ways that:
- Expose our customers (i.e. we become a third-party vector)
- Make us unable to deliver for our customers
I constantly hunt down those who could potentially compromise us in this way. Every day, we review the technology, policies, procedures and processes in place to address material risks and assess whether they are working.
I also advise our clients in many different sectors. I could talk to a manufacturer, retailer or healthcare provider one day, and to our leadership team about a new business initiative the next. These requests for advice, in my view, speak volumes about the progress our profession has made – we have come a long way from being the second or third voice business leaders listen to.
When we were a small part of IT, we had to fight for the security budget. Now that cybersecurity is in the headlines and everyone from the front desk to the corner office understands its importance, we no longer need to advocate for funding like we once did (although we still have to demonstrate results and efficiency).
CISOs must continually adapt
Hackers have kept pace with technology and social trends over the years. Some are publicly funded cyber experts – a far cry from the lone computer nerd sitting in a dark basement apartment.
Along with that, I have to keep up to date with new strategies, technologies, and regulations that are popping up to stop – or at least slow down – those with bad intentions. On the heels of stories of credit card number breaches and ransom demands, cybersecurity professionals must navigate a series of regulations. This includes everything from HIPAA and Gramm-Leach-Bliley to CCPA, GDPR and many more.
How to prepare for a CISO role
That said, it’s a myth that security leaders need all the answers. Instead, they succeed by shifting context and considering new perspectives. People who are curious, committed to lifelong learning, and want to use technology to protect others are a great fit for this role.
Knowing a little about a lot is invaluable in our business. I’ve been a penetration tester, led a security sales team, worked in compliance, and been a consultant and product manager, all as a cybersecurity practitioner.
Part of the value of a good security manager is understanding how all areas of the business work. We constantly adapt to the threat landscape by putting ourselves in the bad guy’s shoes to answer the question, “How could someone attack and compromise us?”
Due to the specialization in our field, everyone focuses on their area of expertise. But someone needs to see the big picture, and that’s the CISO. Technology helps. But technology comes and goes. To run a security program effectively, you need to look at the data and filter out the noise – whatever technology you’re using – to determine if your program is performing as expected.
It’s all about the business
All of this underscores the need for cybersecurity professionals to work closely with their business counterparts. Although engineering and technical disciplines are at the heart of our profession, we must communicate effectively with executives and boards of directors to keep our businesses, customers and partners safe. We need to communicate the latest threats and regulations in the business context. Understanding potential business risks is key to prioritizing cybersecurity – and all risks – accordingly.
During my years as a cybersecurity consultant for a food company, I highlighted the risk associated with credit card theft. One executive asked how that compared to the risk the company faced if it suffered an outbreak of salmonella and a customer died from food poisoning. At the time, I didn’t have a good answer to this question.
This example highlights our role as business facilitators. Cybersecurity professionals are responsible for enabling our colleagues to seize opportunities and innovate. As guardians and protectors of our business, we do best by embracing this philosophy within business operations, with an ever-focused eye on risk management.
The cybersecurity profession needs more good people
When I started my career, I could hold the security industry in the palm of my hand, so to speak: we had firewalls, vulnerability management and anti-virus software – it was pretty much everything. Today, someone can build a career around a single area of cybersecurity, such as identity and access management or incident response. And we can’t wait for more people to do it.
The profession is short more than two million people. We need people from other industries and from all walks of life, whether they’re just starting their careers or are further along and looking to try something new.
If you aspire to get into cybersecurity, the world is yours. All you need is curiosity about how things work and a passion for problem solving.