Being a CISO is not a job. It’s a calling that requires the mindset of a professional like a police officer or firefighter. And despite the statistics, it’s a career for the long haul.
The average tenure of a CISO is 18 months. That speaks to CISOs who create or fix a company’s security program, reach a stable operating state, and move on. But the idea of achieving a final “secure state” is misplaced. Instead, it’s about making the operating environment more secure over time. Succeed, and you make a measurable, tangible difference in the world.
If that sounds appealing – and you embrace variety – the cybersecurity profession, and being a leader in it, is incredibly fulfilling because you never experience the same day twice.
CISO career: Every day is different
I work for a managed security services provider, and our company’s greatest risk is that attackers compromise us in a way that:
- Exposes our customers (i.e., we become a third-party vector)
- Renders us unable to deliver for our customers
I constantly track those who could potentially compromise us in this way. Every day, we consider the technology, policies, procedures, and processes in place to deal with significant risks and assess whether they work.
I also advise our customers in many different industries. I might talk to a manufacturer, retailer, or healthcare provider one day, and our executive team about a new business initiative on another. These requests for advice, from my perspective, speak volumes to the strides our profession has made – we’ve come a long way from being the second- or third-string voice to business leaders.
When we were a small part of information technology, we had to fight for the security budget. Now that cybersecurity is front-page news and everyone from the front desk to the corner office understands its importance, we no longer need to plead for funding to the degree we once did (although we have to demonstrate results and effectiveness).
CISOs must continually adjust
Hackers have kept pace with technology and social trends over the years. Some are nation-state-funded cyber experts – a far cry from the lonely computer nerd sitting in a dark basement apartment.
Hand-in-hand with this, I need to stay abreast of the new strategies, technologies, and regulations cropping up to stop – or at least slow – those with ill intent. On the heels of stories about credit card number breaches and ransom demands, cybersecurity professionals must navigate a range of regulations. This includes everything from HIPAA and the Gramm-Leach-Bliley Act to CCPA, GDPR, and lots in between.
How to prepare for a CISO role
It’s a myth that security leaders need all the answers. Instead, they succeed by switching contexts and considering new perspectives. People who are curious lifelong learners and are interested in using technology to protect others are an excellent fit for this role.
Knowing a little about a lot is invaluable in our profession. I’ve been a penetration tester, led a security sales team, worked in compliance, and been a consultant and a product manager – all as a cybersecurity practitioner.
Part of the value of a good security leader is understanding how all areas of the business work. We are constantly adapting to the threatscape by putting ourselves in the shoes of the bad guy to answer the question: “How would someone attack and compromise us?”
Because of specialization in our field, everyone is focused on their area of expertise. But someone needs to see the big picture, and it’s the CISO. Technology helps. But technology comes and goes. To run a security program effectively, you need to review the data and filter out the noise – no matter what technology you’re using – to determine whether your program is working as intended.
It all comes back to the business
All this underscores the need for cybersecurity pros to work closely with their business counterparts. While engineering and technical disciplines are at the core of our profession, we must effectively communicate with executives and boards of directors to keep our companies, customers, and partners safe. We must communicate the latest threats and regulations in the business context. Understanding potential business risks is essential to prioritizing cybersecurity risks – and all other risks – accordingly.
During my time as a cybersecurity consultant for a food company, I highlighted the risk associated with credit card theft. One executive asked how that compared to the risk the company faced if it experienced a salmonella outbreak and a customer died of food poisoning. At the time, I had no good answer to this question.
This example shines a light on our role as business enablers. Cybersecurity professionals are tasked with enabling our colleagues to pursue opportunities and innovation. As guardians and protectors of our business, we perform best by embracing that ethos within business operations, with an eye always focused on risk management.
The cybersecurity profession needs more good people
When I started my career, I could hold the security industry in the palm of my hand, so to speak: We had firewalls, vulnerability management, and antivirus software – that was about it. Today someone can build a career around just one area of cybersecurity, such as identity and access management or incident response. And we are eager for more people to do so.
We’re more than two million people short in the profession. We need people from other industries and all walks of life, whether they are just starting their careers or further along and looking to try something new.
If you aspire to get into cybersecurity, the world is your oyster. You only need curiosity about how things work and a passion for solving problems.