The good chief information security officer obsesses about what can go wrong, has sound technical knowledge and can communicate to fellow execs the business implications of security risks. It is a niche but important job.
The acronym for chief information security officer, CISO, is occasionally spelled out as ‘career is so over’ by those who move in the security circles. In the esoteric world of cyber security, the top job used to be seen as so specialised and maverick that once you had it, there was nowhere else to go.
However, this profile is changing and the modern CISO should have business acumen as well as technical brilliance. The old-school security chief who regarded the network proprietarily is on the way out and is being replaced by a technically gifted executive who is comfortable with a consensus style of working. Certain attributes remain, however, and among these are an ability to think methodically, attention to detail and a healthy paranoia.
While the new-age CISO needs to be business savvy, they can never leave technology behind, and indeed delegation may be a dangerous thing. "General managers make poor CISOs," confides one expert, not least because their staff do not respect anyone who doesn’t know their stuff. The general manager or non-security expert also has insufficient experience in security risk decisions and trade-offs.
The inventor of the proxy firewall, Marcus Ranum, describes the necessary mindset as a ‘special kind of brilliant kind of pessimism’. “At the opposite of the software engineer who constantly asks ‘what could go right?’, the perpetual task of the CISO is to ask ‘what could go wrong?’”
What type of person should you be?
A security specialist has to be hugely inquisitive with an insatiable thirst for knowledge. Things are always changing and always different as the attacker never stands still and the security person has to stay ahead. The good security person often has a low boredom threshold. People good in this role are also attracted by processes and are creative and communicative.
There’s a crucial difference, too, between being a security talent and a CISO. The former may be happy to stick at nice ‘crunchy’ pieces of work such as configuring a new router or testing the firewall. The CISO has to be always thinking of the business implications of security breaches and to have the ability to communicate these to fellow executives in a vocabulary they understand.
Panellist’s view: The thirst for knowledge and the desire to continually learn is a mark of the CISO. A CISO I know stays up late ‘til 3am decompiling malware. He does it to stay on top - and because it’s fun.
What are the first and second jobs; what’s the career path?
Security touches on all aspects of the IT infrastructure and a good CISO knows a little about a tremendous number of things. Security analyst is a good first post, either via a technical or a risk route, and the technical route can be consolidated by a role in infrastructure. There’s no wrong first job, but the choice of second and third jobs does become more important.
Pioneering information security sleuths tended to be brilliant minds that stumbled upon the niche. The second generation were like-minded individuals who consolidated technical know-how learnt on the job through formal training. A new generation of security staff is being cultivated in enterprises, which recruit bright and shiny computer science graduates who will do a stint in security. If they display an aptitude, it’s likely they’ll be retained there to acquire deeper skills.
There’s a new school of thought that advocates that aspiring CISOs go and get business experience before honing technical skills. This could be anywhere in the business that helps develop a ‘nose for risk’. Once someone is viewed as a prized security techie, it may be hard for them to be released in order to acquire the business experience necessary for the modern CISO.
Panellist’s view: I’ve been everything from coder to sales support. The important thing in this role is not to be fooled by anyone.
What professional qualifications should you acquire, and which organisations should you join?
Proper team development is important nowadays as it’s impossible to learn everything on the job. The first generation learnt everything about security sequentially, in a way that’s not possible now. If you join a team and rely purely on the apprenticeship mode of learning, there’s a chance that missing knowledge could be exposed in a way that is dangerous to the business.
Security knowledge can be gained from on-the-job experience but more consistently from university degrees in information security and training leading to qualifications such as CISSP and CISM. Accreditation is crucial in order to acquire the necessary breadth and as a recognisable standard. Because the use of outsourcing is so prolific, the ability to recognise a fellow professional is really important.
Accreditation is also a process whereby skills are evaluated and measured by peers. The assessment for full membership of the Institute of Information Security Professionals is an accreditation that measures this, and awards the qualification M.Inst.ISP.
Panellist’s view: The wisdom to apply knowledge in order to make risk judgments comes with experience that can be measured and ratified with accreditation. Simple knowledge is insufficient.
What’s the job market?
The market for this role is relatively new, although the function has been around for some time. CISO can be seen as a ‘contemporisation’ of other roles such as computer audit. Given the newness of the role, there are fewer jobs around to apply for - tech head hunters Odgers Berndtson recruit one CISO for every ten CIOs.
Sectors that are regulated and adhere to complex compliance rules, such as Sarbanes-Oxley, have a greater need for CISOs, as do those which require a high degree of risk management. Similarly, companies where the actual data is an asset that has to be rigorously protected are more likely to recruit CISOs. Again, this points to financial services as a source of good opportunities for the CISO.
What is the career progression?
Once at the top of such a deep discipline, many CISOs tend to stay, moving on to a larger playing field. This may be in commerce, in an area where risk management is growing in importance, such as finance. Security is one of the few areas where government employees can trump their commercial counterparts in terms of heavyweight roles. The ultimate goal for any CISO is to protect assets from cyber attack and, with government assets at the pinnacle, a top CISO may head for GCHQ, the government’s security agency.
Alternative career options are on the table, however, chiefly by virtue of the CISO’s ‘super connector’ role. Because security is so pervasive, the CISO needs an intimate knowledge of finance, sales and operations, and this joined-up knowledge may be transferable. The COO’s seat may be one possible destination. Roles moved to by our former CISO panellists include business entrepreneur. Another revolving door for someone who stays technically sharp is to become CTO with a technology vendor.
Panellist’s view: There are places for the CISO to go but deep down, security calls you back because of the intellectual challenge.
Our security panel
Adrian Davies: senior research consultant, Information Security Forum
Prof. Paul Dorey: chairman, The Institute of Information Security Professionals, former CISO at Barclays and BP
Alan Mumby: partner and head of CIO/CTO Practice, Odgers Berndtson
Marcus Ranum: chief security officer of Tenable Network Security, inventor of the proxy firewall, consultant and holder of the ISSA Lifetime Achievement Award.