I'm currently managing a more technical portion of the information security program of a Fortune 500 company. I'd like to know how to become a CISO, perhaps for a smaller company, in the next five years. How should I go about progressing up the career ladder? What long- and short-term goals should I set for myself?
The list of skills required to be a chief information security officer (CISO) is vast and varied. A CISO must be able to speak the language of business with the executive team just as well as understand the latest security threats when working with the technical security team. This combination of skill sets is a big change for managers coming from a tech-centric world.
Managers considering this career path should ask themselves some honest questions about their interests and motivations for moving up the career ladder. Are you interested in the business side of security? Are you a people person? Will you be happy if you're not knee-deep in technology? A CISO communicates with all levels of the business and may not have time to configure the latest and greatest security technology. He or she spends a lot more time "selling" the security culture and developing strategic plans than working on technical projects.
Your short-term goal should be to understand the company from a business perspective. Security managers are often involved in planning application deployments with business units. Working with business managers and executives during these deployments can provide valuable opportunities for interaction. In these instances, it is important to listen for what the business units see as their priorities and learn their languages, so to speak. You may even be able to find a mentor who is willing to coach you on how the business functions. This will start you toward the CISO goal, with the short-term benefit of making you more effective in your current role by including you in business initiatives earlier.
In the long term, managers who wish to advance their careers should enroll in an advanced degree program in business, such as an MBA. Choose a program that incorporates working with study groups where you will be exposed to managers from many different industries. A CISO needs to understand how business operates just as much as they understand technology. An MBA program will help future CISOs understand how IT risk mitigation and business risk mitigation interrelate. It will also impart skills for building budgets and understanding one's fiduciary responsibility to the company, which can be applied immediately in your current position.
This was first published in May 2013