How to Go From Techie to CISO

Posted on by Tony Kontzer

It hit me like a load of bricks Monday at the RSA Conference in San Francisco: CISOs are following in the footsteps of their CIO brethren.How to Become a CISO

CIOs translated technology's rise in strategic importance to raise their profile within the enterprise. Similarly, CISOs are now taking advantage of the increased scrutiny on the organization's security to raise their profile in the business and gain entry into the C-suite. Like their IT counterparts, security leaders have stepped out of the dark into the light of the boardroom, where their perspectives have taken on new importance in a world drowning in cybercrime. 

And just like the previous generation of IT management hopefuls, it means that those aspiring to rise in the information security ranks can't simply trumpet their technical expertise and expect to rise through the ranks. The geeks no longer run the asylum.

"You have to know the business," Less Stoltenberg, CISO of the University of Texas MD Anderson Cancer Center in Houston, said during a lively panel discussion at the RSA Conference Monday.

Fellow panelist Justin Somaini, chief trust officer at Box, took that thought a step further, saying that the CISO role has become more political. And he meant it in a good way.

"How you relate to your peers in the business is much, much more important than your technical skills," said Somaini.

In other words, if you can understand what leaders throughout your business need, put those needs in the context of what the business at large needs, and then communicate effectively enough to get buy-in on the right security strategy, you may have a future as a CISO.

As was the case not long ago with CIOs, the shift in CISO job requirements from a technical emphasis to a focus on communication and leadership is a reflection of how much more critical security has become to business today. Critical enough, in fact, that it's no longer the dark and mysterious corner that it used to be.

"Outside of the security industry, there's awareness of the problem," Somaini said. "We've never had that before."

That's in large part because the "problem" — the struggle to secure data and systems — is growing faster than our ability to build forces to defend against it. This much was made clear by the statistics that panel moderator Steve Schlarman, GRC strategist at RSA, shared with the audience.

By the end of this year, Schlarman said, there will be 2 million unfilled security jobs. What's more, he said that 53 percent of companies have noted a security skills gap, and that the U.S. Bureau of Labor anticipates 22 percent growth in the information security job market over the next 5 years.

So now that we've established that the profile of the CISO is on the rise, and that there's clearly a lot of job security, how do rank-and-file security workers go about transforming themselves into CISO material?

While there may not be a fail-proof recipe for making that transition, Monday's panel provided plenty of ideas for those eyeing a move up the corporate security ladder.

For instance, whereas technical security staff spend their days immersed in a world of advanced persistent threats, distributed denial-of-service attacks and identity-based access control, CISOs must to retrain themselves to embrace a new terminology.

"When I go to the board, I have to tell them how we're increasing revenue or cutting costs," said Robert Buchheit, global head of IT GRC for Zurich Insurance Group. "You have to forget the technical jargon and speak their language."

And it’s not just that CISO hopefuls have to change what they say. They have to change their very mindsets. They have to learn to let go — of previous areas of expertise, of the notion that security can ever be "bullet-proof," and of the fear of failure.

That last one got Somaini all worked up as the session came to a close.

"Be fearless," he urged the audience. "For God's sake, you're in an industry with negative unemployment. Take a risk!"

Tony Kontzer

, RSA Conference

Business Perspectives

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community