The role of CISO (Chief Information Security Officer) is becoming increasingly valued in the business world. This is largely due to the ever-present, and ever-changing, range of security threats that make CEOs keener to have robust defences in place.
While the road to a CISO role is not necessarily an easy one, there are certain career moves you can make and courses of study you can take that will increase your chances of getting one of these coveted IT security jobs.
There is no single path leading to a CISO role, but here are some suggestions.
From the time you are school-age, an interest in IT supported by GCSEs, A-Levels, or BTEC qualifications is, almost by definition, a healthy start. The next step could be a university course that focuses on cyber security. (Historically this has not been a prerequisite due to the lack of relevant niche security education options, but it should nevertheless serve you well.) For instance, you might want to consider the BSc and/or MSc courses offered by Royal Holloway, which are held within high esteem across the industry. The role of a CISO is really as much of a sales and stakeholder management role as it is about security, and so MBAs have historically proven popular at this level ,too.
Whether you opt for the academic route or not, your first professional job might well be in the area of IT support, with a view to progressing to a network administrator role. The stamp of Sysadmin on your CV confirms that you really do possess the deep technical knowledge that is the bedrock of any CISO role. A CISO though usually finds his/herself remaining hands-off with technology, acting as the organisation’s “security champion” rather than getting too close to the gritty processes involved in defending a technological infrastructure.
At this stage, a move in to something more ‘corporate’ might fit the bill, such as becoming an IT Risk Manager. In such roles there’s more direct engagement at the board level, and you would gain crucial experience in negotiating security budgets. Such a role might prove a good final stepping stone to that long-anticipated CISO application. Equally, consultancy might allow you to gain greater commercial exposure, managing engagement with client stakeholders and internal technical teams.
However, whilst experience in various security-related roles is vital, accreditation is also important, including one of the most well-known, The CISSP (Certified Information Systems Security Professional) certificate. A CISSP is a comprehensive professional qualification and is viewed as a validation of experience and expertise. You need at least five years’ experience in IT security even to apply for the course, as well as an endorsement from a qualified information professional. Your studies culminate in an exacting six-hour exam with a 70 per cent pass rate. Moreover, your CISSP must be regularly renewed by re-taking the exam or submitting CPE (Continuing Professional Education) credits. All in all, the CISSP is a pretty attractive presence on any CV and is the certification Acumin sees requested by clients more than any other.
Finally, there are two further attributes that make for a well-rounded CISO – commercial experience, and strong people skills. Having a background in team management, perhaps working in procurement, presales, consultancy, or product management for a time, will show the board that you are not ‘just a techie’ and that you are not afraid to talk about the bottom line. Strong people skills also come in to play; the ability to communicate straightforwardly and persuasively, carrying people with you through challenging times, is a quality not easily taught but much cherished, especially in large, complex organisations.
Acumin is an international Information Security and Risk Management recruitment and executive search specialist. We specialise in the professions of Information Security & Risk Management, Governance & Compliance, Penetration Testing, Forensics, Intrusion Analysis, Technical Security, Business Continuity Management, Sales Engineering, Sales & Marketing, Public Sector Security and Executive Management.
Acumin provide a range of services which include contingency Permanent Recruitment, Contract Recruitment and retained Executive Search. For SMB and Enterprise End User clients Acumin facilitate the development of internal Information Security and Risk Management teams across the UK, Europe and United States.