Thursday, October 23, 2008

Career Progression: How to become a CISO

I am often asked about this--to the degree that this is now a frequently asked question. Sorry, there is no magic formula.

There are two parts to the answer, how to 'get' the job and how to be 'good at it', and they are intermixed.

My first CISO job was through applying directly. I was a director at a financial industry giant, and became the first CISO at a 500-million-dollar financial services company.

My next CISO gig was for a company with about $1B in revenue, and I was recruited by a retained search firm.

Here is the summary of my experience:
  1. Relevant industry sector experience: going from financial services to healthcare (or vice versa) is very rare.
  2. CISO/CSO roles are typically director-level positions or above. If you already have a director or VP title, that helps.
  3. If you are already a CISO, that also helps. A lot.
  4. If you are not being promoted from within, a bachelor's degree is absolutely required.
  5. Soft skills like communication are absolutely important. So are demonstrated business skills: budgeting, people management, etc.
  6. If a CISO job description says you need hands-on experience configuring firewalls (or some other specific technology), tread carefully. Either the job description is wrong, or it is not a CISO job. There are exceptions, of course, but this is a good indicator.
  7. If other C-level officers are not on the interview team, you are not getting a 'real' CISO job, regardless of what the title is.
  8. As a CISO, your job will be to make people over whom you have no direct influence do things for you.
  9. You have to have direct reports and budget experience.
  10. At the interview, you have to make them understand that [a] security will help business and [b] you understand and care about the business--you are not just a security-nazi.

If you can show most or all of the above in your resume and during the interview, that would be a huge help.

Networking definitely helps, but we can't all know the CEO, so working with recruiters is the next best thing. If it is a retained search, that is great. If it is a contingency search, that is fine, too--but before you send a resume, talk to the recruiter and make sure they will not submit you anywhere without asking your permission first.

How about certifications? It is expected that a CISO will have at least one major certification. If the CISO position is asking for just A+ or Security+ certifications, see number 6 above. ISACA designed the CISM for CISO-level professionals, but not many employers are making it the primary certification requirement. The CISSP is still the certification to have for any senior security job, although it really does not cover the management of an information security program. The CISA is not directly needed, but it is helpful because as a true CISO you will have to deal with internal and external auditors. It is my opinion that certifications do not indicate how good a candidate will be as a strategic leader, but they certainly show relevant job skills. On the other hand, it is easy to establish your business-friendliness if you have an MBA.

Good luck.


Dougoogle said...

Thanks for the post. I hope there will be more to come on this subject!

How about credentials? CISSP and IT-related degrees are obvious. How about an MBA?