Career Advice Tuesday – “Aspiring CISO”

January 19, 2010

Dear Infosecleaders:

I have gone through your blog; it's fascinating advice you have given to others' queries.

I am seeking your opinion and help on getting where I really want to go…

My Aim: To be a CISO / CIO.
My Professional Background: Was into BCP / DRP kind of projects most of the time. Little exposure to Information Security.
Education: Commerce, MBA, CISA, now pursuing CISM.
Strengths: Creative, Learning, Fascinated towards security loopholes, judgemental, and a good devil's advocate.
Weaknesses: Not a tech pro, but can grasp and understand. No exposure to practical side of networks, applications, admin, etc.

With the given details, could you guide me and help me as to how I can achieve my goal? Without practical exposure to the tech side, how feasible is it to get such a role? If not feasible, then what are the areas of improvement and other workarounds, if any… :)


The Aspirant

Dear “Aspiring CISO”:

Before we get into the meat of your question, I want to start out by saying that you have the ability to accomplish any goal that you can set your mind to, if you are willing to put in the hard work in order to achieve it.

It is great that you aspire to be a CISO; if you have goals, they should be big ones. In addition, I think that it is very important that you have identified your strengths and your weaknesses. The main weakness that you state is the “lack of exposure to the practical side of technology,” which can be a huge obstacle. There are some CISO positions that will deemphasize your degree of technical skill, but I would say that having some technical competency will be required to successfully interact with the senior technical stakeholders and inspire confidence in your leadership from your technically focused direct reports.

The best thing about accurately defining your weakness is that you have the ability to do something about it. This can be done either formally (through education/training) or informally (through reading, webinars, conferences, etc.). I would begin this process by identifying a few key areas that both interest you and that are considered important to the role of CISO. Set a goal to learn as much as you can about these topics, first over a six-month period, then over a year. As you learn more about these topics, begin to volunteer your insight to security-related projects in your current position, where you feel comfortable and confident that your opinion would have meaning and potential impact. If you can do this, you will find that you will be developing some practical experience outside your regular responsibilities. Due to the background that you have (MBA, CISA, expected CISM) and your “fascination towards security loopholes,” I believe that you will be convincing enough to create this opportunity for yourself.

If you are able to pull this off, you should be able to create some good momentum for yourself when you have the chance to interview for a CISO role.

When you do eventually begin to search for this type of opportunity, I would provide the following guidance. The first would be to find an organization that will emphasize your non-technical strengths as a more key component of their CISO position. The second would be to make sure that you can effectively compete with anyone else who possesses similar skills. The reasoning for this is that if you find an organization that relies on technology for their CISO role, you will be quickly dismissed based upon your degree of technical experience. In addition, when you are competing for your CISO role (and believe me, there will be a great deal of competition), you want to make sure that you come out on top in any candidate comparison when it comes to your less technical security skills (policy, compliance, governance, risk, management, etc.) or the intangible skills that you would define as your strengths. In closing, in addition to developing your weakness, make sure that you spend additional time enhancing your competencies.

Beauty is in the eye of the beholder, and there are many skills that comprise effective CISOs. You just need to find someone who thinks that you are beautiful – and the right person for their CISO role.

Keep following your dreams and pursuing your goal!

Hope this helps,

Lee and Mike

Posted by lee | Filed Under Uncategorized 

